Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Initial teething problems with PSPNG

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Initial teething problems with PSPNG


Chronological Thread 
  • From: Jeffrey Williams <>
  • To: Mark Cairney <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Initial teething problems with PSPNG
  • Date: Wed, 6 Dec 2017 09:11:29 -0500
  • Ironport-phdr: 9a23:O6Rb+RKUUgky0oy+admcpTZWNBhigK39O0sv0rFitYgfKvrxwZ3uMQTl6Ol3ixeRBMOAuqIC07KempujcFRI2YyGvnEGfc4EfD4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFAnhOgppPOT1HZPZg9iq2+yo9ZDeZwZFiCChbb9uMR67sRjfus4KjIV4N60/0AHJonxGe+RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L281/szrugLdQgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QKsqUjq+8ahkVB7oiD8GNzEn9mHXltdwh79frB64uhBz35LYbISTOfFjfK3SYMkaSHJDUcZfVyJPDICyYZYRAeUdJutXtZXxqkEUoBeiGQWhBuXiwSJIiH/s2q061vwsHwXY0wwuEdIOqmrbrdXoP6gSUOC1yK3IzTTZYPNTwjf29Y/FchIvofCCXLJwdc7RyUg1GA7ek1WQr5DqPzyP2usTrmeb8vNtWOSygGAprAFxpyKgxsYqioTRiYIV0FfE9ThhwIkrP920UlR0Yca8EJdItSGaMJB5Qtk/Q2FuoyY6yqMJuZq/fCQQ0pQn2hjfZ+SIc4iS5RLjSf6RLS1+hH1/fbKwmRC/+lWjxO3kTsS4zldHojZHn9TJuHAA1Afc5tSCR/Zy4kutxSqA2gXP5e1YIU05kK/WJ4Avz7IukJcYrF7NETXsmErsia+bbkUk9fas6+Tgerjmo4WTN45wig3nLKQumdCzDf03MwQQUWWX5/6w1LLk/U3+T7VKiuM5nrPFv5DdIMQXvq+5AwlL3YY/8xuzETar3MgakHQCIlJIewmIg5TsNlzBPPz0EeuwjlGwnzt3x/3LO7jsDovDI3TdiLvheKxy609YyAo919Bf4JdUB6kDIPL9VE7xtdjYDhs4MwOu2OvnFdN92Z8RWW6VHKCWLb7SvUeS5u0zO+mMeJMVuDHlJvgq/f7uimI5mUcDcqmzxJcXdWu4Eep8I0WCenfshtYBEXwWvgolUuDmklyCUThPZ3msRaI84C80CJ64AYvZWI+inaGBj2+HGchzb3pFQnuFEG3uepTMD9IFciHUCcZgiDoJRJCsR8ko3lezt1mp5aBgK7/29yMWr5/ynOd04+nSnBQpvWh2Aduc12WMRklpmGgHATI6wfYs8gRG1l6f3P0g0LRjHttJ6qYMC19iOA==

I'm currently cutting my teeth on PSPNG as well, so you're not alone!

This particular line is of interest to me:
errorMessage='object class 'groupOfNames' requires attribute
'member'', diagnosticMessage='object class 'groupOfNames' requires
attribute 'member'')

From my limited observation, it seems that PSPNG is more a breadth-first sort of provider, where it'll provision empty groups first then come back and add members as an update(someone call me out on this if I'm wrong).  If your groupOfNames requires member values up front, that may pose a problem.  If you set your member attribute to me optional in groupOfNames and rerun PSPNG, does the issue re-occur?





On Wed, Dec 6, 2017 at 6:55 AM, Mark Cairney <> wrote:
Hi,

After my rather hasty email yesterday I've made a little bit of progress
and now have PSPNG connecting to LDAP. It's currently failign to
add/modify groups due to lack of members:

2017-12-06 11:34:00,182: [DefaultQuartzScheduler_Worker-3] ERROR
GrouperLoaderJob.runJob(485) -  - Error on job:
CHANGE_LOG_consumer_pspng_cauth
java.lang.RuntimeException: Error in loader job: null, check logs:
Error: java.lang.RuntimeException: No entries provisioned. Batch-Start
failed: LDAP problem creating object: LDAPException(resultCode=65
(object class violation), errorMessage='object class 'groupOfNames'
requires attribute 'member'', diagnosticMessage='object class
'groupOfNames' requires attribute 'member'')
        at
edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1020)
        at
edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
        at
edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
        at
edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:720)
        at
edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
        at
edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
        at
org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP
problem creating object: LDAPException(resultCode=65 (object class
violation), errorMessage='object class 'groupOfNames' requires attribute
'member'', diagnosticMessage='object class 'groupOfNames' requires
attribute 'member'')
        at
edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:254)
        at
edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:226)
        at
edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:54)
        at
edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:581)
        at
edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:356)
        at
edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1015)
        ... 7 more



And on the LDAP side the error is:

dn="cn=adhoc:MCTest:Mark 1,cn=Mark
1,ou=MCTest,ou=adhoc,ou=grouper2,dc=authorise-dev,dc=ed,dc=ac,dc=uk"
Dec  6 11:45:00 bonsai slapd[34260]: Entry (cn=adhoc:MCTest:Mark
1,cn=Mark
1,ou=MCTest,ou=adhoc,ou=grouper2,dc=authorise-dev,dc=ed,dc=ac,dc=uk):
object class 'groupOfNames' requires attribute 'member'


1. As provisioned by PSP the DN of the group is:
cn=Mark
1,ou=MCTest,ou=adhoc,ou=grouper2,dc=authorise-dev,dc=ed,dc=ac,dc=uk" so
this should actually be a modify rather than an add.

My PSPNG currently contains the line:
dn: cn=${group.name},${utils.bushyDn(group.name, "cn", "ou")}||cn:
${group.name}||objectclass: posixGroup||objectclass:
groupOfNames||gidNumber: ${group.idIndex}

How should this be modified to replicate the previous behaviour for the DN?

2. I've got the following in my grouper-loader.properties:
changeLog.consumer.pspng_cauth.memberAttributeName = member
changeLog.consumer.pspng_cauth.memberAttributeValueFormat =
${ldapUser.getDn()}

However I don't see any attempts at looking up users in LDAP, only the
group. Also is there a way to define a "placeholder" member for empty
groups? How does PSPNG resolve grouper members with LDAP/AD users?

Sorry for all the questions- I'm sure there  will be more though once I
get over this particular speed-bump!


--
/****************************

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:
PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.



--
Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)



Archive powered by MHonArc 2.6.19.

Top of Page