
grouper-users - Re: [grouper-users] LDAPPCNG and different LDAP for people and groups

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Arnaud Deman <>
  • Cc:
  • Subject: Re: [grouper-users] LDAPPCNG and different LDAP for people and groups
  • Date: Tue, 6 Sep 2011 16:39:15 -0500

Hi Arnaud,

I have more time now to work on such things. I will work out the
details and reply.

https://bugs.internet2.edu/jira/browse/GRP-640

TomZ

On Tue, Sep 6, 2011 at 3:18 AM, Arnaud Deman
<>
wrote:
> Hello Tom,
>
> Thanks for your answer and sorry for taking so long to respond.
> I tested and I still have an error. I think it tries to export the groups
> also into the read only ldap :
>
> 2011-09-06 10:05:45,269: [main] INFO
> edu.internet2.middleware.ldappc.spml.provider.LdapTargetProvider
> .execute(499) -  -
> ModifyRequest[psoID=PSOIdentifier[id='cn=amu:admin:grouper:wheel,ou=groups,dc=univ-amu,dc=fr',targetID=ldap,containerID=<null>],typeOfReference=member,typeOfReference=member,returnData=everything,requestID=2011/09/06-10:05:45.267_Q2IVRJV7]
> 2011-09-06 10:05:45,272: [main] ERROR
> edu.internet2.middleware.ldappc.spml.provider.LdapTargetProvider
> .execute(567) -  -
> ModifyResponse[pso=<null>,status=failure,error=customError,errorMessages={[LDAP:
> error code 53 - shadow context; no update
> referral]},requestID=2011/09/06-10:05:45.267_Q2IVRJV7]
> javax.naming.OperationNotSupportedException: [LDAP: error code 53 - shadow
> context; no update referral]; remaining name
> 'cn=amu:admin:grouper:wheel,ou=groups,dc=univ-amu,dc=fr'
>        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3114)
>        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
>        at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1455)
>
> I tried to specify the target id but I had the same error :
> bin/gsh.sh -ldappcng -targetID ldap -sync amu:admin:grouper:wheel
>
> Best regards,
> Arnaud.
>
>
> On Friday 22 July 2011 at 09:54:18, Tom Zeller wrote:
>> The second ldap provider needs to be added to ldappcng.xml, I believe,
>> I am unable to test right now.
>>
>> Add
>>
>>  <target id="ldap-replicat" provider="ldap-provider-replicat" />
>>
>> to ldappcng.xml :
>>
>> <targets id="LDAP">
>>
>>     <target id="ldap" provider="ldap-provider" />
>>     <target id="ldap-replicat" provider="ldap-provider-replicat" />
>>
>> and please let me know.
>>
>> [config files were posted privately]
>>
>> On Fri, Jul 22, 2011 at 9:18 AM, Tom Zeller
>> <>
>> wrote:
>> > Sounds right. Could you post your sanitized config files, please,
>> > either on-list or privately ?
>> >
>> > On Fri, Jul 22, 2011 at 7:25 AM, Arnaud Deman
>> > <>
>> > wrote:
>> >> Hello,
>> >>
>> >> I am trying to use LDAPPCNG to provision the groups branch of an LDAP
>> >> while the people branch is in another LDAP. The people branch is read
>> >> only (I don't publish isMemberOf).
>> >>
>> >> Is it possible to use LDAPPCNG in this context, and if so what would be
>> >> the
>> >> good way to configure it ?
>> >>
>> >> My first idea was to define a second ldap provider for the people
>> >> branch, with its own configuration
>> >> file in ldappc-services.xml :
>> >>
>> >> <Service id="ldap-provider-replicat" xsi:type="ldappc:LdapPoolProvider"
>> >> ldapPoolId="ldapPool-replicat">
>> >>   <ConfigurationResource file="/ldappc-ldap-replicat.xml"
>> >> xsi:type="resource:ClasspathResource">
>> >>    <ResourceFilter xsi:type="grouper:ClasspathPropertyReplacement"
>> >> xmlns="urn:mace:shibboleth:2.0:resource"
>> >> propertyFile="/ldappc.properties" />
>> >> </ConfigurationResource>
>> >>
>> >>
>> >> And then to use this provider for the SpmlDataConnector in
>> >> ldappc-resolver.xml :
>> >>
>> >> <resolver:DataConnector id="SpmlDataConnector"
>> >> provider="ldap-provider-replicat" xsi:type="ldappc:SPMLDataConnector"
>> >>    scope="subTree" base="${peopleOU}" returnData="identifier">
>> >>    <resolver:Dependency ref="MemberDataConnector" />
>> >>    
>> >> <ldappc:FilterTemplate>(supannAliasLogin=${id.get(0)})</ldappc:FilterTemplate>
>> >> </resolver:DataConnector>
>> >>
>> >>
>> >> But the LDAP Pool doesn't seem to be initialized correctly and I have
>> >> this exception :
>> >>
>> >> 2011-07-22 12:13:57,930: [main] WARN BlockingLdapPool .checkIn(309) -  
>> >> - attempt to return unknown ldap object: null
>> >> 2011-07-22 12:13:57,932: [main] ERROR BaseSpmlProvider .execute(95) -  
>> >> -
>> >> Response[status=failure,error=unsupportedOperation,errorMessages={},requestID=2011/07/22-12:13:57.929_Q0O928HW]
>> >>
>> >> Thanks for your help,
>> >> Best regards,
>> >> A. Deman.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Arnaud Deman
>> >> 04 91 28 85 25
>> >> DSI - Université Paul Cézanne Aix-Marseille III
>> >> Avenue Escadrille Normandie-Niemen
>> >> 13397 MARSEILLE CEDEX 20
>> >>
>> >>
>> >
>
> --
> Arnaud Deman
> 04 91 28 85 25
> DSI - Université Paul Cézanne Aix-Marseille III
> Avenue Escadrille Normandie-Niemen
> 13397 MARSEILLE CEDEX 20
>
>
>
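
An added example, not part of the thread or of Grouper's code: a small log check that joins each failed SPML response in an ldappcng log to its request by requestID, so it is visible which targetID and DN a refused write was sent to. The sample lines are the log excerpts quoted above with the e-mail line wrapping removed; the function and field names are assumptions made for this sketch.

```python
import re

# Log lines quoted in the thread, unwrapped onto single lines for parsing.
SAMPLE_LOG = """\
2011-07-22 12:13:57,932: [main] ERROR BaseSpmlProvider .execute(95) -  - Response[status=failure,error=unsupportedOperation,errorMessages={},requestID=2011/07/22-12:13:57.929_Q0O928HW]
2011-09-06 10:05:45,269: [main] INFO edu.internet2.middleware.ldappc.spml.provider.LdapTargetProvider .execute(499) -  - ModifyRequest[psoID=PSOIdentifier[id='cn=amu:admin:grouper:wheel,ou=groups,dc=univ-amu,dc=fr',targetID=ldap,containerID=<null>],typeOfReference=member,typeOfReference=member,returnData=everything,requestID=2011/09/06-10:05:45.267_Q2IVRJV7]
2011-09-06 10:05:45,272: [main] ERROR edu.internet2.middleware.ldappc.spml.provider.LdapTargetProvider .execute(567) -  - ModifyResponse[pso=<null>,status=failure,error=customError,errorMessages={[LDAP: error code 53 - shadow context; no update referral]},requestID=2011/09/06-10:05:45.267_Q2IVRJV7]
"""

# Patterns follow the field layout visible in the quoted log lines.
REQ = re.compile(r"(\w+)Request\[psoID=PSOIdentifier\[id='([^']*)',targetID=([^,\]]+).*requestID=([^\],\s]+)\]")
RESP = re.compile(r"(\w*)Response\[.*status=(\w+).*?errorMessages=\{(.*)\},requestID=([^\],\s]+)\]")
CODE = re.compile(r"LDAP: error code (\d+)")


def failed_writes(log_text):
    """Return one record per failed response, joined to its request by requestID."""
    requests, failures = {}, []
    for line in log_text.splitlines():
        req = REQ.search(line)
        if req:
            _op, dn, target, rid = req.groups()
            requests[rid] = {"dn": dn, "target": target}
            continue
        resp = RESP.search(line)
        if resp and resp.group(2) != "success":
            op, _status, messages, rid = resp.groups()
            code = CODE.search(messages)
            origin = requests.get(rid, {})  # empty when the request was never logged
            failures.append({
                "request_id": rid,
                "operation": op or "unknown",
                "target": origin.get("target"),
                "dn": origin.get("dn"),
                "ldap_code": int(code.group(1)) if code else None,
                # True when the directory refused the update with the message in the thread
                "shadow_context_refusal": bool(code) and code.group(1) == "53"
                and "shadow context" in messages,
            })
    return failures


if __name__ == "__main__":
    for record in failed_writes(SAMPLE_LOG):
        print(record)
```
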


