
grouper-users - Re: [grouper-users] LDAPPCNG - Members not being provisioned

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Richard James <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] LDAPPCNG - Members not being provisioned
  • Date: Wed, 22 Sep 2010 11:06:34 -0500

More precisely, do you see ldap searches for cn=test at the $peopleOU
base _in the ldappcng logs_ ?

On Wed, Sep 22, 2010 at 10:45 AM, Richard James <> wrote:
> Hi Tom,
>
> Thanks for sending the below through, from looking at our config files they
> all seem to be set correctly. A search on the Active Directory at the
> $peopleOU base returns the user as expected.
> We are also using the same people base within our current LDAPPC
> provisioning, which works without any problems. I also tried specifying the
> full base dn for users (OU=Staff Users,OU=Campus
> Users,DC=testcampus,DC=ncl,DC=ac,DC=uk) but this brought about the same
> results.
>
> I have spent some time today trying to reconfigure the files in the hope of
> spotting any clues but to no avail at the moment. I have asked the guys who
> look after our Active Directory if there are any useful logs for us to look
> at and see if it logs any of the transaction attempts when we try and
> provision the memberships.
>
> Cheers
>
> Richie
>
>>-----Original Message-----
>>From: [mailto:] On Behalf Of Tom Zeller
>>Sent: 21 September 2010 21:24
>>To: Richard James
>>Cc:
>>Subject: Re: [grouper-users] LDAPPCNG - Members not being provisioned
>>
>>Do you see ldap searches for cn=test at the $peopleOU base ?
>>
>>As explanation, the error message below means that the identifier for
>>"test" from source "members-jdbc" cannot be resolved (determined) :
>>
>>>>> 2010-09-20 15:06:48,140: [main] WARN
>>>>> PSOReferenceDefinition.getReferences(126) -  - get references for
>>>>> 'test:test' ref 'members-jdbc' unable to resolve identifier 'test'
>>
>>SPML references are defined in ldappcng.xml :
>>
>>   <object id="group" authoritative="true">
>>      <references name="member">
>>        <reference ref="members-jdbc" toObject="member" />
>>        ...
>>
>>The member identifier is defined in ldappcng.xml :
>>
>>    <object id="member">
>>      <identifier ref="member-dn" baseId="${peopleOU}">
>>      ...
>>
>>which resolves the "member-dn" attribute definition from
>>ldappcng-resolver.xml :
>>
>>  <resolver:AttributeDefinition id="member-dn" xsi:type="ad:Simple"
>>sourceAttributeID="psoID">
>>    <resolver:Dependency ref="SpmlDataConnector" />
>>  </resolver:AttributeDefinition>
>>
>>which in turn resolves the SpmlDataConnector, which should search ldap :
>>
>>  <resolver:DataConnector id="SpmlDataConnector"
>>provider="ldap-provider" xsi:type="ldappc:SPMLDataConnector"
>>    scope="subTree" base="${peopleOU}" returnData="identifier">
>>    <resolver:Dependency ref="MemberDataConnector" />
>>    <ldappc:FilterTemplate>(cn=${id.get(0)})</ldappc:FilterTemplate>
>>  </resolver:DataConnector>
>>
>>at your base :
>>
>># Base DN for members
>>peopleOU=OU=Campus Users,DC=testcampus,DC=ncl,DC=ac,DC=uk
>
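
To know exactly which search to look for in the ldappcng logs, the chain described in the message above (attribute definition, data connector, base, filter template) can be followed mechanically. This is an added example, not part of the original thread and not Grouper's own code; the wrapping root element, the namespace URIs, the function names and the plain text expansion of the template are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the fragments quoted in the message, wrapped in a root
# element. The root and the namespace URIs are placeholders (assumptions).
RESOLVER_XML = """<root xmlns:resolver="urn:example:resolver"
    xmlns:ldappc="urn:example:ldappc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="member-dn" xsi:type="ad:Simple"
      sourceAttributeID="psoID">
    <resolver:Dependency ref="SpmlDataConnector" />
  </resolver:AttributeDefinition>
  <resolver:DataConnector id="SpmlDataConnector" provider="ldap-provider"
      xsi:type="ldappc:SPMLDataConnector"
      scope="subTree" base="${peopleOU}" returnData="identifier">
    <resolver:Dependency ref="MemberDataConnector" />
    <ldappc:FilterTemplate>(cn=${id.get(0)})</ldappc:FilterTemplate>
  </resolver:DataConnector>
</root>"""
PROPERTIES = """# Base DN for members
peopleOU=OU=Campus Users,DC=testcampus,DC=ncl,DC=ac,DC=uk
"""

def local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]

def load_properties(text):
    """Parse key=value lines; only the first '=' separates key from value."""
    pairs = (l.partition("=") for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def expected_search(resolver_xml, properties, attribute_id, member_id):
    """Follow attribute definition -> data connector; return the LDAP search."""
    root = ET.fromstring(resolver_xml)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    for dep in by_id[attribute_id]:
        conn = by_id.get(dep.get("ref"))
        if conn is not None and local(conn.tag) == "DataConnector":
            break
    else:  # dangling ref: there is no connector to search with
        raise LookupError(f"{attribute_id}: no resolvable DataConnector")
    props = load_properties(properties)
    base = re.sub(r"\$\{(\w+)\}", lambda m: props[m.group(1)], conn.get("base"))
    template = next(c.text for c in conn if local(c.tag) == "FilterTemplate")
    # Plain text substitution of the template variable (assumption).
    return {"base": base, "scope": conn.get("scope"),
            "filter": template.replace("${id.get(0)}", member_id)}

if __name__ == "__main__":
    print(expected_search(RESOLVER_XML, PROPERTIES, "member-dn", "test"))
```

If no search with this base, scope and filter shows up in the ldappcng logs, the problem sits before the directory is ever queried.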


