grouper-users - Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters
Subject: Grouper Users - Open Discussion List
List archive
Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters
Chronological Thread
- From: David Langenberg <>
- To: Mark Cairney <>
- Cc: Gouper Users <>
- Subject: Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters
- Date: Wed, 14 Jan 2015 08:51:55 -0700
Hi Mark,
Sorry for taking so long to get back to you on this. Yes, it definitely looks like a bug (the + escaping), and I've filed GRP-1098 for it. At this point (and I hate giving this advice) my suggestion would be to avoid those kinds of symbols in your names.
Dave
On Tue, Jan 6, 2015 at 9:42 AM, Mark Cairney <> wrote:
Hi,
I've been investigating why when attempting a bulksync some particular
groups were throwing errors like:
Jan 6 10:31:02 elm slapd[29204]: conn=2845205 op=0 BIND
dn="uid=grouper,ou=peop
le,ou=central,dc=authorise-test,dc=ed,dc=ac,dc=uk" method=128
Jan 6 10:31:02 elm slapd[29204]: conn=2845205 op=0 BIND
dn="uid=grouper,ou=peop
le,ou=central,dc=authorise-test,dc=ed,dc=ac,dc=uk" mech=SIMPLE ssf=0
Jan 6 10:31:02 elm slapd[29204]: conn=2845205 op=0 RESULT tag=97 err=0
text=
Jan 6 10:31:02 elm slapd[29204]: conn=2845205 op=1 MOD
dn="cn=S2F,ou=S2F,ou=HSS3,ou=HSS,ou=UOE,ou=org,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk"
Jan 6 10:31:02 elm slapd[29204]: conn=2845205 op=1 MOD attr=member member
Jan 6 10:31:02 elm slapd[29204]: slap_queue_csn: queueing
0x7f6ce7ab7160 20150106103102.091564Z#000000#008#000000
Jan 6 10:31:02 elm slapd[29204]: conn=2845205 op=1 RESULT tag=103
err=20 text=modify/add: member: value #0 already exists
On the Grouper side I see:
2015-01-06 10:31:01,992: [main] INFO BaseSpmlProvider.execute(351) - -
Target
'ldap' - Modify
ModifyRequest[psoID=PSOIdentifier[id='cn=S2F,ou=S2F,ou=HSS3,ou=H
SS,ou=UOE,ou=org,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk',targetID=ldap,
containerID=<null>],typeOfReference=member,typeOfReference=member,returnData=eve
rything,requestID=2015/01/06-10:31:01.977]
2015-01-06 10:31:01,994: [main] INFO BaseSpmlProvider.execute(355) - -
Target
'ldap' - Modify XML:
<modifyRequest xmlns='urn:oasis:names:tc:SPML:2:0' entityName='group'
requestID=
'2015/01/06-10:31:01.977' returnData='everything'>
<psoID
ID='cn=S2F,ou=S2F,ou=HSS3,ou=HSS,ou=UOE,ou=org,ou=grouper2,dc=authorise
-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
<modification modificationMode='add'>
<capabilityData mustUnderstand='true'
capabilityURI='urn:oasis:names:tc:SPML
:2:0:reference'>
<spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0'
xmlns:spmlref='urn:
oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
<spmlref:toPsoID
ID='cn=NUST11058_SS1_2009/0_SB5\+,ou=2009/2010,ou=cours
es,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
</spmlref:reference>
</capabilityData>
</modification>
<modification modificationMode='delete'>
<capabilityData mustUnderstand='true'
capabilityURI='urn:oasis:names:tc:SPML
:2:0:reference'>
<spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0'
xmlns:spmlref='urn:
oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
<spmlref:toPsoID
ID='cn=NUST11058_SS1_2009/0_SB5\2B,ou=2009/2010,ou=cour
ses,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
</spmlref:reference>
<spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0'
xmlns:spmlref='urn:
oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
<spmlref:toPsoID
ID='uid=s0459972,ou=people,ou=central,dc=authorise-test
,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
</spmlref:reference>
<spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0'
xmlns:spmlref='urn:
oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
<spmlref:toPsoID
ID='uid=s0570825,ou=people,ou=central,dc=authorise-test
,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
</spmlref:reference>
<spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0'
xmlns:spmlref='urn:
oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
<spmlref:toPsoID
ID='uid=s0678327,ou=people,ou=central,dc=authorise-test
,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
</spmlref:reference>
<spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0'
xmlns:spmlref='urn:
oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
<spmlref:toPsoID
ID='uid=s0679838,ou=people,ou=central,dc=authorise-test
,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
</spmlref:reference>
<---- SNIP ------>
2015-01-06 10:31:02,095: [main] ERROR BaseSpmlProvider.execute(386) - -
Target
'ldap' - Modify
ModifyResponse[pso=<null>,status=failure,error=customError,error
Messages={[LDAP: error code 20 - modify/add: member: value #0 already
exists]},r
equestID=2015/01/06-10:31:01.977]
2015-01-06 10:31:02,096: [main] ERROR BaseSpmlProvider.execute(388) - -
Target
'ldap' - Modify XML:
<modifyResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='failure'
requestID='
2015/01/06-10:31:01.977' error='customError'>
<errorMessage>[LDAP: error code 20 - modify/add: member: value #0
already exis
ts]</errorMessage>
</modifyResponse>
Looking at this it looks like the problematic entry is the first group:
"cn=NUST11058_SS1_2009/0_SB5\+,ou=2009/2010,ou=courses,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk"
However this group is already a member of the "S2F" group:
bash-4.1$ testauthzsearch -b
"cn=S2F,ou=S2F,ou=HSS3,ou=HSS,ou=UOE,ou=org,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk"
member |grep 'NUST11058'
Enter LDAP Password:
member:
cn=NUST11058_SS1_2009/0_SB5\2B,ou=2009/2010,ou=courses,ou=grouper2,dc=
The group exists in the Grouper structure and does itself have members.
I think the cause must be that the "+" symbol is treated as a special
character in LDAP so the DN has "\2B" rather than "+" and this is
throwing Grouper as I don't see this behaviour with groups that don't
have a "+" in their cn/dn. (see
http://www.openldap.org/lists/openldap-software/200307/msg00624.html)
The group in question as deployed using Grouper is:
dn:
cn=NUST11058_SS1_2009/0_SB5\2B,ou=2009/2010,ou=courses,ou=grouper2,dc=auth
orise-test,dc=ed,dc=ac,dc=uk
gidNumber: 4187827680
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
description: Dissertation (MSc Advancing Nursing Practice) (SS1 SB5+)
member: <snip>
cn: NUST11058_SS1_2009/0_SB5+
Finally deleting that member and re-running a "sync" was successful,
including adding the group in question.
We're using Grouper V2.2.0 but I couldn't see anything that looked
related to this issue in the changelog for 2.2.1.
--
/****************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email:
PGP: 0x435A9621
*******************************/
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
David Langenberg
Identity & Access Management
The University of Chicago
- [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters, Mark Cairney, 01/06/2015
- Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters, Mark Cairney, 01/12/2015
- Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters, David Langenberg, 01/14/2015
- Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters, David Langenberg, 01/14/2015
- Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters, Mark Cairney, 01/12/2015
Archive powered by MHonArc 2.6.16.