
grouper-users - Re: [grouper-users] PSP configuration- multiple named stems

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: Mark Cairney <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] PSP configuration- multiple named stems
  • Date: Fri, 5 Sep 2014 14:52:36 -0600

Ok, first I'd set

edu.internet2.middleware.psp.baseStem to something (even if it's just your root stem)

Second, since you're using posixGroup you'll need to modify the psp.xml's "group" PSO to set gidNumber on the group. Next you'll also have to set up the psp-resolver.xml to generate/assign the GID and place that back into the group PSO so the object gets created properly. While researching this, I found out that the PSP doesn't have a way to get at the new internal integer support for the GID use-case. I've filed a bug:


for it and will work to get this fixed for 2.2.1.

Dave




On Fri, Sep 5, 2014 at 8:49 AM, Mark Cairney <> wrote:
OK here it is, minus the password:

I've attached my psp-vt-ldap.xml too in case it's useful.

Mentioning the ldap.properties, one thing has just occurred to me. We're
using the "posixGroup" objectClass which requires a UNIX GID field
(gidNumber). I'm not sure if that's currently being exposed from Grouper
and I remember having to do something in LDAPPC to push that field out.
Does that sound like a possible cause?



On 05/09/14 15:17, David Langenberg wrote:
> The first error is fairly safe to ignore.  It generally can be described as
> "this change doesn't match our criteria for pushing to LDAP".  The second
> error though makes me think you are missing something perhaps in your
> ldap.properties.  It would be helpful to see a sanitized version of that
> file.
>
> Dave
>
>
> On Fri, Sep 5, 2014 at 3:53 AM, Mark Cairney <> wrote:
>
>> OK I'm trying to proceed with the simplest case i.e. no baseStem set.
>> The process is still on-going but I'm seeing a lot of errors being
>> generated which seem to fall into 2 types. So far it's been running for
>> about 13 hours with no changes yet being made to the LDAP server.
>>
>> 1.
>> 2014-09-05 00:00:00,025: [main] ERROR Psp.execute(1187) -  - Psp 'psp' -
>> Diff
>>
>> DiffResponse[id=1C5998B7-EB74-4D38-8DB8-94E251A07174,status=failure,error=noSuchIdentifier,errorMessages={Unable
>> to calculate provisioned object.},requestID=2014/09/04-23:59:59.742]
>> 2014-09-05 00:00:00,025: [main] ERROR Psp.execute(1189) -  - Psp 'psp' -
>> Diff XML:
>> <psp:diffResponse xmlns:psp='http://grouper.internet2.edu/psp'
>> status='failure' requestID='2014/09/04-23:59:59.742'
>> error='noSuchIdentifier'>
>>   <errorMessage>Unable to calculate provisioned object.</errorMessage>
>>   <psp:id ID='1C5998B7-EB74-4D38-8DB8-94E251A07174'/>
>> </psp:diffResponse>
>>
>> (this looks like it's just complaining about not being able to find a
>> match for that ID. Given the Dev LDAP server is simply a clone of one of
>> our Test ones this doesn't worry/surprise me too much as we haven't done
>> a full sync of the user accounts on both).
>>
>>
>> 2.
>>
>> 2014-09-05 00:58:00,539: [main] ERROR Psp.doesIdentifierExist(445) -  -
>> The lookup response is not a success
>>
>> 'LookupResponse[pso=<null>,status=failure,error=customError,errorMessages={Unable
>> to determine schema entity for
>>
>> uid=******,ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk},requestID=2014/09/05-00:58:00.533]'
>>
>>
>> Should I be worrying about these errors? I'm also wondering if I've
>> chosen the wrong example set for my config as I run an OpenLDAP server
>> but looking at the config there's a whole bunch of attributes we don't
>> currently have like "isMemberOf, hasMember, seeAlso" etc. I've just
>> spotted an "eduMember.schema" file so I've added that to the server and
>> re-started the bulkSync. In the meantime my config files are attached in
>> case there's anywhere obvious I'm going wrong.
>>
>>
>>
>> On 03/09/14 09:25, Mark Cairney wrote:
>>> OK that sounds equally as complicated- I'm even having trouble picturing
>>> what the config looks like in my head. Ultimately what I'd like to have
>>> is Grouper exporting only specified stems (e.g.
>>> affiliations,courses,org) to an individual target LDAP server.
>>>
>>> I've been pointed in the direction of some docs + powerpoints by Bryan,
>>> looking through this it looks like this could be do-able using Group
>>> Filters in the GroupDataConnector in psp-resolver.xml. This is likely to
>>> result in the group OU's changing but we may have to live with that as
>>> they are themselves a result of us provisioning each stem individually
>>> on Grouper 1.5 which was a workaround to do this.
>>>
>>> I'm probably trying to run before I can walk anyway so I'll proceed with
>>> a base config to provision all stems on Dev and once that's working look
>>> at this side of things.
>>>
>>> Kind regards,
>>>
>>> Mark
>>>
>>> On 02/09/14 16:10, David Langenberg wrote:
>>>> Hi Mark,
>>>>
>>>> Even in the multiple case, you'll still have one ldap.properties, but
>>>> you'll now also have the individual ldap connector configs.  I don't think
>>>> there's going to be a sane way to break up the configs unfortunately.
>>>>
>>>> Dave
>>>>
>>>>
>>>> On Tue, Sep 2, 2014 at 3:47 AM, Mark Cairney <> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We're looking to upgrade from our existing 1.5 install to 2.2 and this
>>>>> means moving from LDAPPC to PSP.
>>>>>
>>>>> In our current setup which I'd like to replicate we have a subset of stems
>>>>> provisioned, each of which has its own separate ldappc.xml file.
>>>>>
>>>>> Looking at the examples there is a multiple openLDAP example so my
>>>>> current thinking is to have multiple "ldap.properties" files for each
>>>>> stem. Is this possible/ sensible?
>>>>>
>>>>> We use the "memberOf" overlay so we would only be looking to export the
>>>>> groups and their members.
>>>>>
>>>>> I'll admit that having not looked much at Grouper since we initially got
>>>>> it working the new approach seems to have a baffling amount of
>>>>> configuration options and files so a helping hand would be appreciated :-)
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Mark
>>>>>
>>>>> --
>>>>> /****************************
>>>>>
>>>>> Mark Cairney
>>>>> ITI UNIX Section
>>>>> Information Services
>>>>> University of Edinburgh
>>>>>
>>>>> Tel: 0131 650 6565
>>>>> Email:
>>>>> PGP: 0x435A9621
>>>>>
>>>>> *******************************/
>>>>>
>>>>> The University of Edinburgh is a charitable body, registered in
>>>>> Scotland, with registration number SC005336.
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>> --
>> /****************************
>>
>> Mark Cairney
>> ITI UNIX Section
>> Information Services
>> University of Edinburgh
>>
>> Tel: 0131 650 6565
>> Email:
>> PGP: 0x435A9621
>>
>> *******************************/
>>
>> The University of Edinburgh is a charitable body, registered in
>> Scotland, with registration number SC005336.
>>
>
>
>

--
/****************************

Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:
PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.



--
David Langenberg
Identity & Access Management
The University of Chicago
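
The thread separates two PSP bulkSync failure shapes: `noSuchIdentifier` ("fairly safe to ignore") and `customError` with "Unable to determine schema entity" (pointing at ldap.properties). The following triage script is an added example, not part of the original messages or of Grouper; the sample log is constructed from the quoted lines with placeholder IDs and DNs, and the bucket names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the two error shapes quoted in the thread.
# IDs and DNs are placeholders; the INFO line is an invented non-error line.
SAMPLE_LOG = """\
2014-09-05 00:00:00,025: [main] ERROR Psp.execute(1187) -  - Psp 'psp' - Diff
DiffResponse[id=EXAMPLE-ID-1,status=failure,error=noSuchIdentifier,errorMessages={Unable
to calculate provisioned object.},requestID=2014/09/04-23:59:59.742]
2014-09-05 00:58:00,539: [main] ERROR Psp.doesIdentifierExist(445) -  - The lookup response is not a success
'LookupResponse[pso=<null>,status=failure,error=customError,errorMessages={Unable
to determine schema entity for
uid=example,ou=people,dc=example,dc=org},requestID=2014/09/05-00:58:00.533]'
2014-09-05 00:58:01,100: [main] ERROR Psp.execute(1187) -  - Psp 'psp' - Diff
DiffResponse[id=EXAMPLE-ID-2,status=failure,error=noSuchIdentifier,errorMessages={Unable
to calculate provisioned object.},requestID=2014/09/05-00:58:01.000]
2014-09-05 00:58:02,000: [main] INFO  example non-error line
"""

# Matches XxxResponse[...status=S,error=E,errorMessages={M}...]; the character
# classes also match newlines, so records wrapped by the logger still parse.
RESPONSE = re.compile(
    r"\w+Response\[[^\]]*?status=(\w+),error=(\w+),errorMessages=\{([^}]*)\}"
)

def classify(error, message):
    """Map an SPML error code and message to a triage bucket (names are ours)."""
    if error == "noSuchIdentifier":
        return "no-match"        # thread: change does not match push criteria
    if error == "customError" and "schema entity" in message:
        return "schema-config"   # thread: review ldap.properties
    return "unreviewed"          # anything the thread did not discuss

def triage(log_text):
    """Return (Counter of buckets, list of DNs with schema-entity failures)."""
    counts, schema_dns = Counter(), []
    for status, error, raw in RESPONSE.findall(log_text):
        if status != "failure":
            continue
        message = " ".join(raw.split())   # undo line wrapping inside the message
        bucket = classify(error, message)
        counts[bucket] += 1
        if bucket == "schema-config":
            schema_dns.append(message.split("schema entity for ", 1)[1])
    return counts, schema_dns

if __name__ == "__main__":
    counts, dns = triage(SAMPLE_LOG)
    print(dict(counts))
    print(dns)
```

A long run dominated by `no-match` with zero writes is consistent with the first diagnosis in the thread; any `schema-config` entries list the DNs whose object class mapping needs review before rerunning bulkSync.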


