grouper-users - Re: [grouper-users] Provisioning a group attribute value onto a member's LDAP object

Subject: Grouper Users - Open Discussion List

  • From: Paul Engle <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Provisioning a group attribute value onto a member's LDAP object
  • Date: Tue, 07 Jan 2014 14:20:56 -0600


Sure. Here's what I get from just trying to do a gsh.sh -psp -calc of a
single user who is in the group:

2014-01-07 14:12:27,654: [main] INFO PspCLI.run(126) - Starting psp
2014-01-07 14:12:27,658: [main] INFO Psp.execute(980) - Psp 'psp' -
Calc CalcRequest[id=dhi1,requestID=<null>,returnData=everything]
2014-01-07 14:12:27,661: [main] INFO Psp.execute(984) - Psp 'psp' -
Calc XML:
<psp:calcRequest xmlns:psp='http://grouper.internet2.edu/psp'
returnData='everything'>
<psp:id ID='dhi1'/>
</psp:calcRequest>

2014-01-07 14:12:27,771: [main] ERROR BaseSpmlProvider.execute(139) -
Response[status=failure,error=unsupportedOperation,errorMessages={},requestID=2014/01/07-14:12:27.654]
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
edu.internet2.middleware.psp.spml.provider.BaseSpmlProvider.execute(BaseSpmlProvider.java:123)
at edu.internet2.middleware.psp.PspCLI.run(PspCLI.java:138)
at edu.internet2.middleware.psp.PspCLI.main(PspCLI.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
edu.internet2.middleware.grouper.app.gsh.GrouperShell.handleSpecialCase(GrouperShell.java:204)
at
edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:144)
at
edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31)
Caused by:
edu.internet2.middleware.grouper.exception.AttributeNotFoundException:
Cant find attribute: etc:attribute:vpn:name
at
edu.internet2.middleware.grouper.Group.getAttributeValue(Group.java:2294)
at
edu.internet2.middleware.grouper.Group.getAttributeOrFieldValue(Group.java:2266)
at
edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition.buildAttribute(GroupAttributeDefinition.java:99)
at
edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition.doResolve(GroupAttributeDefinition.java:72)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.BaseAttributeDefinition.resolve(BaseAttributeDefinition.java:108)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.BaseAttributeDefinition.resolve(BaseAttributeDefinition.java:39)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ContextualAttributeDefinition.resolve(ContextualAttributeDefinition.java:93)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ContextualAttributeDefinition.resolve(ContextualAttributeDefinition.java:33)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttribute(ShibbolethAttributeResolver.java:335)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttributes(ShibbolethAttributeResolver.java:284)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttributes(ShibbolethAttributeResolver.java:131)
at
edu.internet2.middleware.psp.shibboleth.SimpleAttributeAuthority.getAttributes(SimpleAttributeAuthority.java:96)
at
edu.internet2.middleware.psp.shibboleth.SimpleAttributeAuthority.getAttributes(SimpleAttributeAuthority.java:39)
at edu.internet2.middleware.psp.Psp.execute(Psp.java:1071)
at edu.internet2.middleware.psp.Psp.execute(Psp.java:1004)
at edu.internet2.middleware.psp.Psp.execute(Psp.java:964)
... 14 more
2014-01-07 14:12:27,775: [main] INFO PspCLI.run(146) - End of psp
execution : 121 ms


-paul

In addition to the attribute resolver definition below, I have, in the
psp.xml under the member pso object:

<attribute name="riceVpnGroup" ref="profileName" />



-paul




On 1/7/2014 2:04 PM, Chris Hyzer wrote:
> Can you send the full stack trace (the more the better)?
>
> -----Original Message-----
> From: [mailto:] On Behalf Of Paul Engle
> Sent: Tuesday, January 07, 2014 2:24 PM
> To: Michael R. Gettes
> Cc:
>
> Subject: Re: [grouper-users] Provisioning a group attribute value onto a
> member's LDAP object
>
>
> No, the problem is clearly on the Grouper side, not LDAP. The error in
> the stack trace is "can't find attribute: etc:attribute:vpn:name". If I
> reconfigure the attribute resolver to pull the attribute value from a
> member instead of the group, it goes into LDAP with no problem, and if I
> do something silly like tell it to use the group "displayName" attribute
> instead of the framework attribute, the LDAP attribute will get
> populated (with bogus data, of course).
>
> -paul
>
>
> On 1/7/2014 12:20 PM, Michael R. Gettes wrote:
>> Paul, you might have an ldap schema problem not being allowed to add the
>> attribute to the object. Probably not a grouper problem.
>>
>> /mrg
>>
>>
>> -------- Original message --------
>> From: David Langenberg
>> <>
>> Date: 01/07/2014 11:25 (GMT-06:00)
>> To: Paul Engle
>> <>
>> Cc:
>>
>> Subject: Re: [grouper-users] Provisioning a group attribute value onto a
>> member's LDAP object
>>
>>
>> Hi Paul,
>>
>> I don't think scripting the attribute would help much in this case. The
>> Membership does seem to be the better place for the attribute. Have you
>> considered using Grouper Rules
>> (https://spaces.internet2.edu/display/Grouper/Grouper+rules) to automate
>> the application of the attribute on the membership?
>>
>> Dave
>>
>>
>> On Tue, Jan 7, 2014 at 9:18 AM, Paul Engle wrote:
>>
>>
>> Hi all,
>> I'm very close to moving forward and upgrading our 1.6.3
>> infrastructure to 2.1.5. I have the psp configuration mostly where I
>> need it to be (and it is sooooo much faster). But there is one thing
>> that I'm trying to do that is failing.
>>
>> Basically, I've defined an attribute with the new framework, and
>> assigned that attribute to a group. I'd like the provisioner to be able
>> to take that attribute value and assign it to a group member's LDAP
>> object as a custom LDAP attribute. Similar to the way the
>> memberIsMemberOf attribute is done in the psp-resolver.xml for the
>> psp-example-grouper-to-openldap example.
>>
>> The problem I'm running into is that, since this attribute doesn't
>> exist
>> on all groups (unlike the 'name' attribute for the memberIsMemberOf
>> example), I get an 'operation not permitted' error when I try to define
>> the attribute thusly:
>>
>>
>> <resolver:AttributeDefinition
>> id="profileName"
>> xsi:type="grouper:Group"
>> sourceAttributeID="groups">
>> <resolver:Dependency ref="MemberDataConnector" />
>> <grouper:Attribute id="etc:attribute:vpn:name" />
>> </resolver:AttributeDefinition>
>>
>>
>> Would defining the attribute as a script be the way to go?
>> Alternatively, should I be thinking about this some other way? I have
>> successfully gotten the LDAP attribute provisioned by putting the
>> etc:attribute:vpn:name on the Membership, rather than the group itself,
>> but that entails many more steps for the end user. (Add person to
>> group,
>> add attribute to user as a group member, and then assign the value,
>> using the same value for every group member). Or maybe I'm not
>> understanding the new attribute framework very well.
>>
>> -paul
>>
>>
>> --
>> Paul D. Engle | Rice University
>> Sr. Systems Administrator | Information Technology - MS119
>> (713)348-4702 | PO Box 1892
>> | Houston, TX 77252-1892
>>
>>
>>
>>
>> --
>> David Langenberg
>> Identity & Access Management
>> The University of Chicago
>
>


--
Paul D. Engle | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713)348-4702 | PO Box 1892

| Houston, TX 77252-1892
