
grouper-users - RE: [grouper-users] Source attribute 'memberDn' does not exist

Subject: Grouper Users - Open Discussion List

  • From: "Bryan E. Wooten" <>
  • To: Tim Darby <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Source attribute 'memberDn' does not exist
  • Date: Tue, 8 Oct 2013 20:19:11 +0000
  • Accept-language: en-US

Thanks Tim,

I’ll give that a try. I was able to fix the problem a different way.

I changed the attribute def of “memberDn” to this in psp-resolver.xml:

<resolver:AttributeDefinition
    id="memberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="entryDN">
    <resolver:Dependency ref="LDAPMemberPersonLookup1" />
</resolver:AttributeDefinition>

And added this:

<resolver:DataConnector
    id="LDAPMemberPersonLookup1"
    xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://idm-6.acs.utah.edu:389"
    baseDN="ou=people,o=utah.edu"
    principal="cn=Directory Manager"
    principalCredential="secret"
    maxResultSize="1">
    <dc:FilterTemplate>
        <![CDATA[
            (&(unid=${requestContext.principalName})(objectclass=person))
        ]]>
    </dc:FilterTemplate>
</resolver:DataConnector>

Frankly I don’t like it because I don’t really understand what I did or why it works. Your change I think I understand.

Cheers,

Bryan

From: [mailto:] On Behalf Of Tim Darby
Sent: Tuesday, October 08, 2013 11:56 AM
To: Bryan E. Wooten
Subject: Re: [grouper-users] Source attribute 'memberDn' does not exist

I ran into this too and I'm trying to recall the issue.  Here's what I think is going on:

The way you've defined <pso id="member"> in psp.xml, it will only allow searches, not group updates.  You have to expand its definition to actually cause group memberships to be provisioned in LDAP.  Here's what mine looks like, for example:

  <pso
    id="member"
    allSourceIdentifiersRef="memberSubjectIds">

    <!-- The ldap member DN. -->
    <identifier
      ref="memberDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />

    <!-- Identifies member objects which exist on the target by objectclass attribute value. -->
    <identifyingAttribute
      name="objectclass"
      value="person" />

    <!-- The ldap member "objectClass" attribute. No existing values will be deleted since retainAll is true. -->
    <attribute
      name="objectClass"
      ref="memberObjectclass"
      retainAll="true" />

    <!-- The ldap member "isMemberOf" attribute consisting of the names of the groups that this member is a member of. -->
    <attribute
      name="isMemberOf"
      ref="memberIsMemberOf" />

  </pso>

======================

Note the two attribute nodes in mine.  I think that's the key to it and you'll obviously have to tailor it to your LDAP.

Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture
UITS, Rm 335, 520-626-3799

On Tue, Oct 8, 2013 at 8:58 AM, Bryan E. Wooten <> wrote:

I am running ./gsh -psp -bulkSync and keep getting this error when trying to add members to a group. My target is an OpenDJ ldap server.

2013-10-08 08:56:18,687: [main] DEBUG Psp.execute(1069) -  - PSP 'psp' - Calc CalcRequest[id=u0110359,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]] Resolving attributes '[memberDn]'.
2013-10-08 08:56:18,687: [main] DEBUG SimpleAttributeAuthority.getAttributes(86) -  - get attributes 'u0110359' aa 'psp.AttributeAuthority'
2013-10-08 08:56:18,690: [main] DEBUG AbstractLdap.search(193) -  - Search with the following parameters:
2013-10-08 08:56:18,691: [main] DEBUG AbstractLdap.search(194) -  -   dn = ou=people,o=utah.edu
2013-10-08 08:56:18,691: [main] DEBUG AbstractLdap.search(195) -  -   filter = (& (unid=u0110359)(objectClass=person))
2013-10-08 08:56:18,692: [main] DEBUG AbstractLdap.search(196) -  -   filterArgs = []
2013-10-08 08:56:18,692: [main] DEBUG AbstractLdap.search(197) -  -   searchControls =
2013-10-08 08:56:18,693: [main] DEBUG AbstractLdap.search(198) -  -   handler = [edu.internet2.middleware.psp.ldap.QuotedDnResultHandler@3c10b841, ]
2013-10-08 08:56:18,726: [main] DEBUG PsoIdentifierAttributeDefinition.doResolve(50) -  - PSOIdentifier attribute definition 'memberDn' - Resolve principal 'u0110359'
2013-10-08 08:56:18,727: [main] DEBUG Psp.execute(1072) -  - PSP 'psp' - Calc CalcRequest[id=u0110359,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]] Resolved attributes '[]'.
2013-10-08 08:56:18,728: [main] DEBUG Pso.getPSO(222) -  - Pso 'member' - Get pso for 'u0110359'
2013-10-08 08:56:18,728: [main] DEBUG PsoIdentifier.getPSOIdentifier(86) -  - PSO Identifier Definition 'memberDn' - Source attribute 'memberDn' does not exist

And yet I have this in my psp-resolver.xml:

  <!-- The LDAP DN of a member. The value of this attribute is the "dn" of subjects whose source id is "ldap". -->
  <resolver:AttributeDefinition
    id="memberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="dn">
    <resolver:Dependency ref="MemberDataConnector" />
  </resolver:AttributeDefinition>

And in my psp.xml I have this:

  <pso id="member">

    <!-- The ldap member DN. -->
    <identifier
      ref="memberDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />

    <!-- Identifies member objects which exist on the target by objectclass attribute value. -->
    <identifyingAttribute
      name="objectclass"
      value="person" />

  </pso>

I suspect it is because in OpenDJ a group member is of class uniqueMember and not just member. But for the life of me I can’t find where to define this. I can see searches in my ldap log file that are successful, but I don’t see any attempts to add members to a group.

Any help appreciated.

Cheers,

Bryan
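
The failure pattern in the debug log quoted in this thread can be picked out mechanically: a CalcRequest asks for an attribute, the resolver comes back with an empty list, and the PSO identifier lookup then reports a missing source attribute. The Python triage script below is an added example, not part of the original thread or of Grouper; the function name find_unresolved and the regular expressions are assumptions derived only from the log lines shown above.

```python
import re

# Lines copied from the PSP debug log quoted in the thread (sample input).
SAMPLE_LOG = """\
2013-10-08 08:56:18,687: [main] DEBUG Psp.execute(1069) -  - PSP 'psp' - Calc CalcRequest[id=u0110359,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]] Resolving attributes '[memberDn]'.
2013-10-08 08:56:18,726: [main] DEBUG PsoIdentifierAttributeDefinition.doResolve(50) -  - PSOIdentifier attribute definition 'memberDn' - Resolve principal 'u0110359'
2013-10-08 08:56:18,727: [main] DEBUG Psp.execute(1072) -  - PSP 'psp' - Calc CalcRequest[id=u0110359,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]] Resolved attributes '[]'.
2013-10-08 08:56:18,728: [main] DEBUG PsoIdentifier.getPSOIdentifier(86) -  - PSO Identifier Definition 'memberDn' - Source attribute 'memberDn' does not exist
"""

# Assumed patterns: one for the Resolving/Resolved pair, one for the final error.
CALC = re.compile(
    r"CalcRequest\[id=(?P<id>[^,\]]+),.*?entityName=(?P<entity>[^,\]]+).*?"
    r"(?P<phase>Resolving|Resolved) attributes '\[(?P<attrs>[^\]]*)\]'")
MISSING = re.compile(
    r"PSO Identifier Definition '(?P<defn>[^']+)' - "
    r"Source attribute '(?P<attr>[^']+)' does not exist")


def split_attrs(text):
    """Turn 'a, b' from the bracketed list into {'a', 'b'}; '' gives an empty set."""
    return {a.strip() for a in text.split(",") if a.strip()}


def find_unresolved(log_text):
    """Pair each 'Resolving' request with its 'Resolved' result and report
    attributes that were requested but not returned, plus explicit errors."""
    requested, findings, missing = {}, [], []
    for line in log_text.splitlines():
        m = CALC.search(line)
        if m:
            key = (m["id"], m["entity"])
            attrs = split_attrs(m["attrs"])
            if m["phase"] == "Resolving":
                requested[key] = attrs
            else:
                lost = requested.pop(key, set()) - attrs
                if lost:
                    findings.append({"subject": key[0], "entity": key[1],
                                     "unresolved": sorted(lost)})
            continue
        m = MISSING.search(line)
        if m:
            missing.append((m["defn"], m["attr"]))
    return findings, missing


if __name__ == "__main__":
    print(find_unresolved(SAMPLE_LOG))
```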

 



