Skip to Content.
Sympa Menu

grouper-users - [grouper-users] RE: PSP Configuration - JDBC subject source

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: PSP Configuration - JDBC subject source

Chronological Thread 
  • From: Richard James <>
  • To: "" <>
  • Subject: [grouper-users] RE: PSP Configuration - JDBC subject source
  • Date: Tue, 17 Dec 2013 15:54:31 +0000
  • Accept-language: en-GB, en-US

It seems just sending this email was enough for me to get this to work :)

The issue was that it was just retrieving the cn for the member and not the full dn.  

The following change

sourceAttributeID="distinguishedName" in the memberDn attribute definition.

Got this to work and got rid of the error message and now provisions members into the AD group. (I had previously set the source attribute to "dn", but in order for it to work it requires "distinguishedName")

I'm still interested to know if anyone else has this set-up and whether it differs from this approach.

I will document this set-up on the Newcastle University contributions page.

Many thanks

From: [] on behalf of Richard James
Sent: 17 December 2013 15:24
Subject: [grouper-users] PSP Configuration - JDBC subject source


I am in the process of setting up PSP version 2.1.5 for our Grouper install. As a proof of concept I have successfully set this up so that it provisions groups to our active directory using the active directory as our subject source in a development environment.  

Our production grouper uses JDBC as the subject source and therefore I need to configure PSP to use the jdbc source for retrieving members from groups and provisioning the memberships into the AD. Unfortunately I haven't managed to get this working successfully so far. 

I was not entirely sure how to achieve this and therefore have tried a few changes to the configuration. Up until now, we have been getting a memberDn source attribute could not be resolved.

 I presumed that this was due to it not being able to retrieve a dn/cn for the member. I therefore added the following in (based upon the configuration for openldap-multiple);

    <resolver:Dependency ref="LDAPMemberPersonLookup2" />


By adding this into the psp-resolver.xml file it is now able to resolve the source attribute for jdbc members. However when I come to run ./ -psp -bulkSync the following error is displayed,

<psp:syncResponse status='failure' requestID='2013/12/17-14:57:55.416' error='customError'>
    <addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='failure' requestID='2013/12/17-14:57:57.746' error='customError'>
      <errorMessage>[LDAP: error code 53 - 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
    <errorMessage>[LDAP: error code 53 - 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
    <psp:id ID='Applications:test:ISS_Auto_Dev_Baton_Rouge'/>

Has anyone else set up PSP with JDBC as a source? Is this the correct way of going about it? If so, are we missing any further configuration.

Any help would be gratefully received. I've attached the psp.xml, psp-resolver.xml, sources.xml and the grouper_error.log for this Sync attempt.  

Many thanks,

Richard James
Infrastructure Systems Administrator
ISS Systems Architecture
Newcastle University
0191 2228638

Archive powered by MHonArc 2.6.16.

Top of Page