
grouper-users - Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: Mark Cairney <>
  • Cc: Grouper Users <>
  • Subject: Re: [grouper-users] Possible bug with bulksync'ing groups with members with escaped characters
  • Date: Wed, 14 Jan 2015 08:51:55 -0700

Hi Mark,

Sorry for taking so long to get back to you on this.  Yes, it definitely looks like a bug (the + escaping), and I've filed GRP-1098 for it.  At this point (and I hate giving this advice) my suggestion would be to avoid those kinds of symbols in your names.

Dave

On Tue, Jan 6, 2015 at 9:42 AM, Mark Cairney <> wrote:
Hi,

I've been investigating why when attempting a bulksync some particular
groups were throwing errors like:

Jan  6 10:31:02 elm slapd[29204]: conn=2845205 op=0 BIND dn="uid=grouper,ou=people,ou=central,dc=authorise-test,dc=ed,dc=ac,dc=uk" method=128
Jan  6 10:31:02 elm slapd[29204]: conn=2845205 op=0 BIND dn="uid=grouper,ou=people,ou=central,dc=authorise-test,dc=ed,dc=ac,dc=uk" mech=SIMPLE ssf=0
Jan  6 10:31:02 elm slapd[29204]: conn=2845205 op=0 RESULT tag=97 err=0 text=
Jan  6 10:31:02 elm slapd[29204]: conn=2845205 op=1 MOD dn="cn=S2F,ou=S2F,ou=HSS3,ou=HSS,ou=UOE,ou=org,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk"
Jan  6 10:31:02 elm slapd[29204]: conn=2845205 op=1 MOD attr=member member
Jan  6 10:31:02 elm slapd[29204]: slap_queue_csn: queueing 0x7f6ce7ab7160 20150106103102.091564Z#000000#008#000000
Jan  6 10:31:02 elm slapd[29204]: conn=2845205 op=1 RESULT tag=103 err=20 text=modify/add: member: value #0 already exists

On the Grouper side I see:

2015-01-06 10:31:01,992: [main] INFO  BaseSpmlProvider.execute(351) -  - Target 'ldap' - Modify ModifyRequest[psoID=PSOIdentifier[id='cn=S2F,ou=S2F,ou=HSS3,ou=HSS,ou=UOE,ou=org,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk',targetID=ldap,containerID=<null>],typeOfReference=member,typeOfReference=member,returnData=everything,requestID=2015/01/06-10:31:01.977]
2015-01-06 10:31:01,994: [main] INFO  BaseSpmlProvider.execute(355) -  - Target 'ldap' - Modify XML:
<modifyRequest xmlns='urn:oasis:names:tc:SPML:2:0' entityName='group' requestID='2015/01/06-10:31:01.977' returnData='everything'>
  <psoID ID='cn=S2F,ou=S2F,ou=HSS3,ou=HSS,ou=UOE,ou=org,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
  <modification modificationMode='add'>
    <capabilityData mustUnderstand='true' capabilityURI='urn:oasis:names:tc:SPML:2:0:reference'>
      <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0' xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
        <spmlref:toPsoID ID='cn=NUST11058_SS1_2009/0_SB5\+,ou=2009/2010,ou=courses,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
      </spmlref:reference>
    </capabilityData>
  </modification>
  <modification modificationMode='delete'>
    <capabilityData mustUnderstand='true' capabilityURI='urn:oasis:names:tc:SPML:2:0:reference'>
      <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0' xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
        <spmlref:toPsoID ID='cn=NUST11058_SS1_2009/0_SB5\2B,ou=2009/2010,ou=courses,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
      </spmlref:reference>
      <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0' xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
        <spmlref:toPsoID ID='uid=s0459972,ou=people,ou=central,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
      </spmlref:reference>
      <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0' xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
        <spmlref:toPsoID ID='uid=s0570825,ou=people,ou=central,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
      </spmlref:reference>
      <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0' xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
        <spmlref:toPsoID ID='uid=s0678327,ou=people,ou=central,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
      </spmlref:reference>
      <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0' xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
        <spmlref:toPsoID ID='uid=s0679838,ou=people,ou=central,dc=authorise-test,dc=ed,dc=ac,dc=uk' targetID='ldap'/>
      </spmlref:reference>


<---- SNIP ------>


2015-01-06 10:31:02,095: [main] ERROR BaseSpmlProvider.execute(386) -  - Target 'ldap' - Modify ModifyResponse[pso=<null>,status=failure,error=customError,errorMessages={[LDAP: error code 20 - modify/add: member: value #0 already exists]},requestID=2015/01/06-10:31:01.977]
2015-01-06 10:31:02,096: [main] ERROR BaseSpmlProvider.execute(388) -  - Target 'ldap' - Modify XML:
<modifyResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='failure' requestID='2015/01/06-10:31:01.977' error='customError'>
  <errorMessage>[LDAP: error code 20 - modify/add: member: value #0 already exists]</errorMessage>
</modifyResponse>


Looking at this it looks like the problematic entry is the first group:
"cn=NUST11058_SS1_2009/0_SB5\+,ou=2009/2010,ou=courses,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk"

However this group is already a member of the "S2F" group:

bash-4.1$ testauthzsearch -b "cn=S2F,ou=S2F,ou=HSS3,ou=HSS,ou=UOE,ou=org,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk" member |grep 'NUST11058'
Enter LDAP Password:
member: cn=NUST11058_SS1_2009/0_SB5\2B,ou=2009/2010,ou=courses,ou=grouper2,dc=

The group exists in the Grouper structure and does itself have members.

I think the cause must be that the "+" symbol is treated as a special
character in LDAP so the DN has "\2B" rather than "+" and this is
throwing Grouper as I don't see this behaviour with groups that don't
have a "+" in their cn/dn. (see
http://www.openldap.org/lists/openldap-software/200307/msg00624.html)

The group in question as deployed using Grouper is:
dn: cn=NUST11058_SS1_2009/0_SB5\2B,ou=2009/2010,ou=courses,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk
gidNumber: 4187827680
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
description: Dissertation (MSc Advancing Nursing Practice) (SS1 SB5+)
member: <snip>
cn: NUST11058_SS1_2009/0_SB5+

Finally deleting that member and re-running a "sync" was successful,
including adding the group in question.

We're using Grouper V2.2.0 but I couldn't see anything that looked
related to this issue in the changelog for 2.2.1.

--
/****************************

Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:
PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.




--
David Langenberg
Identity & Access Management
The University of Chicago
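
The mismatch discussed in this thread, as an added example (not part of the original messages and not Grouper's code): "\+" and "\2B" are two RFC 4514 spellings of the same "+", so a membership diff that compares DNs as raw strings sees one add and one delete for the same member. The helper names below are hypothetical, and lower-casing values assumes case-insensitive attributes.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters attached to their part."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur, i = cur + text[i:i + 2], i + 2
        elif text[i] == sep:
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + text[i], i + 1
    return parts + [cur]

def unescape_value(raw):
    """Decode RFC 4514 escapes: '\\+' and '\\2B' both yield '+'."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            out, i = out + raw[i].encode(), i + 1
        elif HEX_PAIR.fullmatch(raw, i + 1, i + 3):
            out, i = out + bytes([int(raw[i + 1:i + 3], 16)]), i + 3
        elif i + 1 < len(raw):
            out, i = out + raw[i + 1].encode(), i + 2
        else:
            raise ValueError("dangling backslash in DN value")
    return out.decode("utf-8")

def canonical_dn(dn):
    """Comparable form of a DN; lower-casing assumes caseIgnoreMatch attributes."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = (ava.partition("=") for ava in split_unescaped(rdn, "+"))
        rdns.append(frozenset((a.strip().lower(), unescape_value(v).lower())
                              for a, _, v in avas))
    return tuple(rdns)

def membership_changes(desired, current):
    """Return (to_add, to_delete), matching members on canonical DNs."""
    want = {canonical_dn(d): d for d in desired}
    have = {canonical_dn(d): d for d in current}
    return ([d for k, d in want.items() if k not in have],
            [d for k, d in have.items() if k not in want])

# The two spellings of the same member DN, as they appear in the thread.
BASE = ",ou=2009/2010,ou=courses,ou=grouper2,dc=authorise-test,dc=ed,dc=ac,dc=uk"
FROM_GROUPER = r"cn=NUST11058_SS1_2009/0_SB5\+" + BASE
FROM_LDAP = r"cn=NUST11058_SS1_2009/0_SB5\2B" + BASE

if __name__ == "__main__":
    print("string compare:", FROM_GROUPER == FROM_LDAP)
    print("canonical diff:", membership_changes([FROM_GROUPER], [FROM_LDAP]))
```

With the two DNs from the logs, the raw strings differ but the canonical forms match, so the diff is empty and no "modify/add" is sent for a value the directory already holds.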


