
grouper-users - RE: [grouper-users] Provisioning a group attribute value onto a member's LDAP object

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer
  • To: Paul Engle, "Michael R. Gettes"
  • Subject: RE: [grouper-users] Provisioning a group attribute value onto a member's LDAP object
  • Date: Tue, 7 Jan 2014 20:04:21 +0000

Can you send the full stack trace (the more the better)?

-----Original Message-----
From: On Behalf Of Paul Engle
Sent: Tuesday, January 07, 2014 2:24 PM
To: Michael R. Gettes
Subject: Re: [grouper-users] Provisioning a group attribute value onto a member's LDAP object


No, the problem is clearly on the Grouper side, not LDAP. The error in
the stack trace is "can't find attribute: etc:attribute:vpn:name". If I
reconfigure the attribute resolver to pull the attribute value from a
member instead of the group, it goes into LDAP with no problem, and if I
do something silly like tell it to use the group "displayName" attribute
instead of the framework attribute, the LDAP attribute will get
populated (with bogus data, of course).

-paul


On 1/7/2014 12:20 PM, Michael R. Gettes wrote:
> Paul, you might have an ldap schema problem not being allowed to add the
> attribute to the object. Probably not a grouper problem.
>
> /mrg
>
>
> -------- Original message --------
> From: David Langenberg
> Date: 01/07/2014 11:25 (GMT-06:00)
> To: Paul Engle
> Subject: Re: [grouper-users] Provisioning a group attribute value onto a
> member's LDAP object
>
>
> Hi Paul,
>
> I don't think scripting the attribute would help much in this case. The
> Membership does seem to be the better place for the attribute. Have you
> considered using Grouper Rules
> (https://spaces.internet2.edu/display/Grouper/Grouper+rules) to automate
> the application of the attribute on the membership?
>
> Dave
>
>
> On Tue, Jan 7, 2014 at 9:18 AM, Paul Engle wrote:
>
>
> Hi all,
> I'm very close to moving forward and upgrading our 1.6.3
> infrastructure to 2.1.5. I have the psp configuration mostly where I
> need it to be (and it is sooooo much faster). But there is one thing
> that I'm trying to do that is failing.
>
> Basically, I've defined an attribute with the new framework, and
> assigned that attribute to a group. I'd like the provisioner to be able
> to take that attribute value and assign it to a group member's LDAP
> object as a custom LDAP attribute. Similar to the way the
> memberIsMemberOf attribute is done in the psp-resolver.xml for the
> psp-example-grouper-to-openldap example.
>
> The problem I'm running into is that, since this attribute doesn't exist
> on all groups (unlike the 'name' attribute for the memberIsMemberOf
> example), I get an 'operation not permitted' error when I try to define
> the attribute thusly:
>
>
> <resolver:AttributeDefinition
>     id="profileName"
>     xsi:type="grouper:Group"
>     sourceAttributeID="groups">
>   <resolver:Dependency ref="MemberDataConnector" />
>   <grouper:Attribute id="etc:attribute:vpn:name" />
> </resolver:AttributeDefinition>
>
>
> Would defining the attribute as a script be the way to go?
> Alternatively, should I be thinking about this some other way? I have
> successfully gotten the LDAP attribute provisioned by putting the
> etc:attribute:vpn:name on the Membership, rather than the group itself,
> but that entails many more steps for the end user. (Add person to group,
> add attribute to user as a group member, and then assign the value,
> using the same value for every group member). Or maybe I'm not
> understanding the new attribute framework very well.
>
> -paul
>
>
> --
> Paul D. Engle | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713)348-4702 | PO Box 1892
> | Houston, TX 77252-1892
>
>
>
>
> --
> David Langenberg
> Identity & Access Management
> The University of Chicago


--
Paul D. Engle | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713)348-4702 | PO Box 1892

| Houston, TX 77252-1892


