Grouper Users - Open Discussion List

[Tom Zeller <>]

Bug. A pretty serious bug too when provisioning Active Directory.

Before 2.1.1, a bulkSync consumed a bulkDiff response. With 2.1.1, to
conserve memory, a bulkSync executes the same logic as a bulkDiff. The
bug is during bulkSync reconciliation : current target identifiers are
retrieved _after_ the bulkSync has executed each sync request, which
exposes the case sensitivity issue.

There are a couple of ways to fix this, probably the best is to
introduce a case sensitivity option on provisioned service object
identifiers.

The reason this bug was not caught during the release process is that
my Active Directory tests are a pain to setup and failed silently. I
will fix that too. Hopefully, tonight.

TomZ

On Wed, Jul 11, 2012 at 1:58 PM, Tom Zeller 
<>
 wrote:
> Could you run a bulkCalc and post the output somewhere, please ? It
> will help me understand your scenario.
>
>  bin/gsh.sh -psp -bulkCalc
>
> On Tue, Jul 10, 2012 at 8:49 AM, Holger Dippel 
> <>
>  wrote:
>> I have a small test scenario in Grouper 2.1.1:
>>
>> Group ID paths:
>> test:psp_test1
>> test:psp_test2
>> test:psp_test3
>> with each a few members so the log output is manageable.
>>
>> Running
>>
>> $GROUPER_HOME/bin/gsh.sh -psp -sync test:psp_test1
>> $GROUPER_HOME/bin/gsh.sh -psp -sync test:psp_test2
>> $GROUPER_HOME/bin/gsh.sh -psp -sync test:psp_test3
>>
>> everything provisions correctly.
>>
>> As soon as I run a bulkSync
>>
>> $GROUPER_HOME/bin/gsh.sh -psp -bulkSync
>>
>> it adds SPML delete requests for the groups at the very end of the
>> provisioning sequence. For example:
>>
>>   <psp:syncResponse status='success' requestID='2012/07/10-08:22:03.266'>
>>     <deleteResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='success'
>> requestID='2012/07/10-08:22:03.266'/>
>>     <psp:id ID='CN=psp_test1,ou=Grouper_Groups,dc=examen,dc=edu'/>
>>   </psp:syncResponse>
>>
>> Our PSP configuration for this is:
>>
>> Subject source: Active Directory on global catalog port 3268 in sources.xml
>> (Grouper Loader, Grouper UI)
>> Target: same Active Directory on local domain port 389 configured via 
>> spring
>> bean using vt-ldap similar to the old ldappc; bushy structure; group OU:
>> OU=Grouper_Groups,DC=examen,DC=edu; person OU: DC=examen,DC=edu (because
>> currently persons are in multiple OUs).
>> Provisioning stem: test
>>
>> I am thinking that this could be related to case-sensitivity in Grouper:
>>
>> https://bugs.internet2.edu/jira/browse/GRP-736
>>
>> In some places I see
>> ID='cn=psp_test1,ou=Grouper_Groups,dc=examen,dc=edu'
>> and in other places
>> ID='CN=psp_test1,ou=Grouper_Groups,dc=examen,dc=edu'
>>
>> In psp.xml (two instances related to member and membership):
>>     <references
>>       name="member"
>>       caseSensitive="false">
>>
>> Also in psp.xml:
>>     <!-- The ldap group "cn" attribute. -->
>>     <attribute name="cn" />
>>
>> Should caseSensitive="false" be set or be able to set in relation to group
>> IDs? Where?
>>
>> Thank you,
>>
>>
>> Holger
>>
>>
>> Holger Dippel
>> Director of IT Development and Integration
>> University of Massachusetts Dartmouth
>> 285 Old Westport Road • North Dartmouth, MA 02747
>>
>> 508-999-9181 • 
>> 
>>
>> http://www.umassd.edu/
>> ________________________________
>>
>> CITS will never ask you for your password or other confidential information
>> via email. Beware of phishing scams where email and/or malicious web sites
>> try to trick users into entering their username and password.
>> For more information about password security please visit:
>> http://www.umassd.edu/cits/security/
>>
>>