
grouper-users - [grouper-users] Schema error when provisioning using PSP

Subject: Grouper Users - Open Discussion List

  • From: Julian Williams <>
  • Subject: [grouper-users] Schema error when provisioning using PSP
  • Date: Tue, 7 Oct 2014 15:07:53 +0000
  • Accept-language: en-GB, en-US

Hi,

I’ve been looking at the PSP over the last few days and trying to get something working for our test/dev environment. We’re now using Grouper 2.2 (and PSP 2.2). We have a subject source LDAP (our Live OpenLDAP directory) that is different from the one that we’re provisioning Grouper groups to (an instance of OpenLDAP local to Grouper). However, the latter does also have people entries copied from the former. Our LDAP schema is non-standard; in particular, the person entries have objectclasses of ‘eduPerson’ and a locally defined ‘oakPerson’ (but no eduMember).

I’ve encountered the following problems when trying to provision groups (so far without a memberof overlay running on OpenLDAP):

1. When adding or deleting a member from a group and getting the PSP to detect the change via the changelog

i.e. running the following using gsh:

gsh % loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog")

gsh % loaderRunOneJob("CHANGE_LOG_consumer_psp")

I get:

loader ran successfully: Error: PSP Consumer 'psp' - An error occurred processing sequence number 2835278, sequenceNumber: 2835278, edu.internet2.middleware.psp.PspException: SearchResponse[psos=0,status=failure,error=customError,errorMessages={Unable to determine schema entity for oakPrimaryPersonID=91677,ou=people,dc=oak,dc=ox,dc=ac,dc=uk},requestID=2014/10/07-12:58:59.671]

     at edu.internet2.middleware.psp.Psp.hasAttribute(Psp.java:2046)

...

In this case the ‘oakPrimaryPersonID=91677,ou=people,dc=oak,dc=ox,dc=ac,dc=uk’ is the DN of the person I have deleted from the group.

I was wondering whether it was complaining about the schema because we use a non-standard ‘oakPerson’ objectclass on the person entries, and if so how do I tell PSP about it so it doesn’t complain?

However I don’t see the error if I add a member that has not been touched by the PSP yet (i.e. doesn’t have the ‘eduMember’ objectClass). But I do get the error if I try and add any member (to any group) that already has the ‘eduMember’ objectClass.

2. Interestingly, if I run a full sync on the group by doing something like ‘gsh -psp -sync oucs0175-01:testgroup3’ it completes without error and appears to update the group correctly. However, it doesn’t attempt to update the ‘memberOf’ or ‘isMemberOf’ on the person entry, which I was expecting it to. Is this something that only happens when the PSP is monitoring for changes via the changelog, or have I got something missing from my psp config perhaps? Or perhaps running PSP in this way doesn’t have the ability to update the person entries?

I suspect that I have made a mistake in the config whilst taking the examples and adapting for our environment (I initially took the examples from the ‘Grouper to OpenLDAP Multiple’ example). I haven’t attached my psp config files but let me know if that would be useful and I will send in a follow-up.

I will be grateful for any help you can give.

Cheers,

Julian

--

Julian Williams (Identity and Access Management Developer)

Systems Development and Support, IT Services, University of Oxford

 



