grouper-users - RE: [grouper-users] Source attribute 'memberDn' does not exist
Subject: Grouper Users - Open Discussion List
- From: "Bryan E. Wooten" <>
- To: Tim Darby <>
- Cc: "" <>
- Subject: RE: [grouper-users] Source attribute 'memberDn' does not exist
- Date: Tue, 8 Oct 2013 20:19:11 +0000
- Accept-language: en-US
Thanks Tim, I’ll give that a try.

I was able to fix the problem a different way. I changed the attribute def of “memberDn” to this in psp-resolver.xml:

    <resolver:AttributeDefinition id="memberDn" xsi:type="psp:PSOIdentifier" sourceAttributeID="entryDN">
        <resolver:Dependency ref="LDAPMemberPersonLookup1" />
    </resolver:AttributeDefinition>

And added this:

    <resolver:DataConnector id="LDAPMemberPersonLookup1" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://idm-6.acs.utah.edu:389"
        baseDN="ou=people,o=utah.edu"
        principal="cn=Directory Manager"
        principalCredential="secret"
        maxResultSize="1">
        <dc:FilterTemplate>
            <![CDATA[
                (&(unid=${requestContext.principalName})(objectclass=person))
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>

Frankly I don’t like it because I don’t really understand what I did or why it works. Your change I think I understand.

Cheers,
Bryan

From: [mailto:] On Behalf Of Tim Darby

I ran into this too and I'm trying to recall the issue. Here's what I think is going on: The way you've defined <pso id="member"> in psp.xml, it will only allow searches, not group updates. You have to expand its definition to actually cause group memberships to be provisioned in LDAP. Here's what mine looks like, for example:

    <pso id="member" allSourceIdentifiersRef="memberSubjectIds">
        <!-- The ldap member DN. -->
        <identifier ref="memberDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />
        <!-- Identifies member objects which exist on the target by objectclass attribute value. -->
        <identifyingAttribute name="objectclass" value="person" />
        <!-- The ldap member "objectClass" attribute. No existing values will be deleted since retainAll is true. -->
        <attribute name="objectClass" ref="memberObjectclass" retainAll="true" />
        <!-- The ldap member "isMemberOf" attribute consisting of the names of the groups that this member is a member of. -->
        <attribute name="isMemberOf" ref="memberIsMemberOf" />
    </pso>

======================

Note the two attribute nodes in mine. I think that's the key to it and you'll obviously have to tailor it to your LDAP.
Tim Darby

On Tue, Oct 8, 2013 at 8:58 AM, Bryan E. Wooten <> wrote:

I am running ./gsh -psp -bulkSync and keep getting this error when trying to add members to a group. My target is an OpenDJ ldap server.

    2013-10-08 08:56:18,687: [main] DEBUG Psp.execute(1069) - - PSP 'psp' - Calc CalcRequest[id=u0110359,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]]
    Resolving attributes '[memberDn]'.
    2013-10-08 08:56:18,687: [main] DEBUG SimpleAttributeAuthority.getAttributes(86) - - get attributes 'u0110359' aa 'psp.AttributeAuthority'
    2013-10-08 08:56:18,690: [main] DEBUG AbstractLdap.search(193) - - Search with the following parameters:
    2013-10-08 08:56:18,691: [main] DEBUG AbstractLdap.search(194) - - dn = ou=people,o=utah.edu
    2013-10-08 08:56:18,691: [main] DEBUG AbstractLdap.search(195) - - filter = (& (unid=u0110359)(objectClass=person))
    2013-10-08 08:56:18,692: [main] DEBUG AbstractLdap.search(196) - - filterArgs = []
    2013-10-08 08:56:18,692: [main] DEBUG AbstractLdap.search(197) - - searchControls =
    2013-10-08 08:56:18,693: [main] DEBUG AbstractLdap.search(198) - - handler = [edu.internet2.middleware.psp.ldap.QuotedDnResultHandler@3c10b841,
    ]
    2013-10-08 08:56:18,726: [main] DEBUG PsoIdentifierAttributeDefinition.doResolve(50) - - PSOIdentifier attribute definition 'memberDn' - Resolve principal 'u0110359'
    2013-10-08 08:56:18,727: [main] DEBUG Psp.execute(1072) - - PSP 'psp' - Calc CalcRequest[id=u0110359,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]]
    Resolved attributes '[]'.
    2013-10-08 08:56:18,728: [main] DEBUG Pso.getPSO(222) - - Pso 'member' - Get pso for 'u0110359'
    2013-10-08 08:56:18,728: [main] DEBUG PsoIdentifier.getPSOIdentifier(86) - - PSO Identifier Definition 'memberDn' - Source attribute 'memberDn' does not exist

And yet I have this in my psp-resolver.xml:

    <!-- The LDAP DN of a member. The value of this attribute is the "dn" of subjects whose source id is "ldap". -->
    <resolver:AttributeDefinition id="memberDn" xsi:type="psp:PSOIdentifier" sourceAttributeID="dn">
        <resolver:Dependency ref="MemberDataConnector" />
    </resolver:AttributeDefinition>

And in my psp.xml I have this:

    <pso id="member">
        <!-- The ldap member DN. -->
        <identifier ref="memberDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />
        <!-- Identifies member objects which exist on the target by objectclass attribute value. -->
        <identifyingAttribute name="objectclass" value="person" />
    </pso>

I suspect it is because in OpenDJ a group member is of class uniqueMember and not just member. But for the life of me I can’t find where to define this. I can see searches in my ldap log file that are successful, but I don’t see any attempts to add members to a group.

Any help appreciated.

Cheers,
Bryan
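Added example, not part of the original thread and not Grouper code: a small Python check that pairs each "Resolving attributes" line in a PSP debug log with its "Resolved attributes" line and reports which subject ids asked for an attribute that never came back, plus any "Source attribute ... does not exist" messages. The sample log is constructed in the shape of the lines quoted above (the id u0000001 is made up), and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the bulkSync DEBUG output quoted in this thread.
# u0110359 is the failing subject from the thread; u0000001 is an invented passing one.
_REQ = ("requestID=<null>,returnData=identifier,schemaEntityRef="
        "SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]]")
SAMPLE_LOG = f"""\
2013-10-08 08:56:18,687: [main] DEBUG Psp.execute(1069) - - PSP 'psp' - Calc CalcRequest[id=u0110359,{_REQ}
Resolving attributes '[memberDn]'.
2013-10-08 08:56:18,727: [main] DEBUG Psp.execute(1072) - - PSP 'psp' - Calc CalcRequest[id=u0110359,{_REQ}
Resolved attributes '[]'.
2013-10-08 08:56:18,728: [main] DEBUG PsoIdentifier.getPSOIdentifier(86) - - PSO Identifier Definition 'memberDn' - Source attribute 'memberDn' does not exist
2013-10-08 08:56:19,101: [main] DEBUG Psp.execute(1069) - - PSP 'psp' - Calc CalcRequest[id=u0000001,{_REQ}
Resolving attributes '[memberDn]'.
2013-10-08 08:56:19,140: [main] DEBUG Psp.execute(1072) - - PSP 'psp' - Calc CalcRequest[id=u0000001,{_REQ}
Resolved attributes '[memberDn]'.
"""

# The attribute list may follow the CalcRequest on the same line or on the next one.
CALC = re.compile(
    r"CalcRequest\[id=(?P<id>[^,\]]+),.*?entityName=(?P<entity>[^,\]]+)[^\n]*?\]\]"
    r"\s+(?P<phase>Resolving|Resolved) attributes '\[(?P<attrs>[^\]]*)\]'"
)
MISSING = re.compile(
    r"PSO Identifier Definition '[^']+' - Source attribute '(?P<attr>[^']+)' does not exist"
)

def unresolved_attributes(log_text):
    """Return sorted (subject id, entity, attribute) tuples requested but never resolved."""
    requested, resolved = {}, {}
    for m in CALC.finditer(log_text):
        key = (m["id"], m["entity"])
        attrs = {a.strip() for a in m["attrs"].split(",") if a.strip()}
        bucket = requested if m["phase"] == "Resolving" else resolved
        bucket.setdefault(key, set()).update(attrs)
    return sorted(
        (sid, entity, attr)
        for (sid, entity), asked in requested.items()
        for attr in asked - resolved.get((sid, entity), set())
    )

def missing_source_attributes(log_text):
    """Return the sorted set of attribute ids the PSP reported as missing."""
    return sorted({m["attr"] for m in MISSING.finditer(log_text)})

if __name__ == "__main__":
    for sid, entity, attr in unresolved_attributes(SAMPLE_LOG):
        print(f"{sid}: entity '{entity}' asked for '{attr}' but it was not resolved")
    print("missing source attributes:", missing_source_attributes(SAMPLE_LOG))
```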
- [grouper-users] Source attribute 'memberDn' does not exist, Bryan E. Wooten, 10/08/2013
- Message not available
- RE: [grouper-users] Source attribute 'memberDn' does not exist, Bryan E. Wooten, 10/08/2013
- Re: [grouper-users] Source attribute 'memberDn' does not exist, Rahul Doshi, 10/09/2013
- RE: [grouper-users] Source attribute 'memberDn' does not exist, Bryan E. Wooten, 10/08/2013
- Re: [grouper-users] Source attribute 'memberDn' does not exist, David Langenberg, 10/11/2013
- Message not available