Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Initial teething problems with PSPNG

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Initial teething problems with PSPNG


Chronological Thread 
  • From: Mark Cairney <>
  • To: "Bee-Lindgren, Bert" <>, Jeffrey Williams <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Initial teething problems with PSPNG
  • Date: Wed, 6 Dec 2017 15:23:13 +0000
  • Ironport-phdr: 9a23:SYb+XhHPvL3Ye7NDHtvZS51GYnF86YWxBRYc798ds5kLTJ7yos+wAkXT6L1XgUPTWs2DsrQf2rqQ6/iocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbQhFgDmwbaluIBmqsA7cqtQYjYx+J6gr1xDHuGFIe+NYxWNpIVKcgRPx7dqu8ZBg7ipdpesv+9ZPXqvmcas4S6dYDCk9PGAu+MLrrxjDQhCR6XYaT24bjwBHAwnB7BH9Q5fxri73vfdz1SWGIcH7S60/VC+85Kl3VhDnlCYHNyY48G7JjMxwkLlbqw+lqxBm3oLYfJ2ZOP94c6jAf90VWHBBU95MWSJfDIOyb4gBAeQPMulXrYbyu1QAoACiBQSvHu7j1iNEi3H20KA8zu8vERvG3AslH98Wt3rbts/1NKQPWu2r1qbIzC/Db/VI1jb99YPFdRcvruuWXbJza8bc11MgFwLfjlWWt4PkPyiY2foQvGSB9eVvSfiji3MkqwxopDWk28kiio7Mho0Py1DE8z10wIkvJd2/VU57ecCrEIFKuy6AL4t2WtsuQ2NvuCkh0L0GpJi7fDMKyJs5wx7fb+aLc5KV4hLlTOqRLi14hHV4eLKnnRqy91KvyujiWcSyzV1ErTJFn8HRunwT0xHf8NaLRuZ980u7xDqC1hrf5vxYLUwsiKbXNZoszqQumpYOsUnPBDH6lUr4gaOMdEgo5O6l4Pn9bLr8vJ+TLYp0hxn+Mqswnsy/Bvw1MgwJX2ia4+Szyqfv/UziQLlQkPI5j7PVv4rGKsgBu665ABdZ0ocl6xmhEzeryMkUkWcDIV5fZh6LkojkN0vTLP35F/uznkignC9ux//cP73hBpvNLmLEkLfkZbtz7FRTyBAwzdxF+Z9bELABIOj1WkDvtN3VFQE2PBGuz+n9FNpxzJ4eWWGXDq+DLKzSqUOI5v4oI+SUa48VojH9K+U95/Hwl381gEIdfbK30psNc3C1BfBmI0SCYXrwmdcND30Gvgs4TOz2llKCSzhTaGiuX64i/D00Fp+pDZqQDryq1far0Sr+OpxQam9cB1bIWV3lbZnOE6MGZTiOZMVsn3kAVL6tRJUs0zmptRO8xLN7I+HUvCAUqMSnnPp46ePJmAB6yj1wC8WU1nrFG2N6gWIMQz4/9L15qkM7x1ueh/tWmftdQPla/fABeQ47L5jR3qQuLtnoWUTqd9aTTlu3atiqRzg6CM8ylYxdK31hEsmv20iQlxGhBKUYwvnSXMQ5
Thanks, that sounds like a decent explanation.

I've also had a tip-off about the needsTargetSystemUsers setting too so
I've added this and kicked it off again. Fingers crossed!

Kind regards,

Mark


On 06/12/17 14:39, Bee-Lindgren, Bert wrote:
> Hello,
>
>
>> it seems that PSPNG is more a breadth-first sort of provider, where 
>
>> it'll provision empty groups first then come back and add members 
>
>
> Yes, by default, PSPNG does create groups and then fills them with their
> members later. Setting a "...supportsEmptyGroups=false" property will
> force PSPNG to not violate member-requiring schemas by not pre-creating
> groups and by deleting them when they would become empty again.
>
>
>
> --Bert
>
>
>
>
> ------------------------------------------------------------------------
> *From:*
>
> <>
> on behalf of Jeffrey Williams
> <>
> *Sent:* Wednesday, December 6, 2017 9:11 AM
> *To:* Mark Cairney
> *Cc:*
>
> *Subject:* Re: [grouper-users] Initial teething problems with PSPNG
>  
> I'm currently cutting my teeth on PSPNG as well, so you're not alone!
>
> This particular line is of interest to me:
> errorMessage='object class 'groupOfNames' requires attribute
> 'member'', diagnosticMessage=*'object class 'groupOfNames' requires**
> **attribute 'member'*')
>
> From my limited observation, it seems that PSPNG is more a breadth-first
> sort of provider, where it'll provision empty groups first then come
> back and add members as an update(someone call me out on this if I'm
> wrong).  If your groupOfNames requires member values up front, that may
> pose a problem.  If you set your member attribute to me optional in
> groupOfNames and rerun PSPNG, does the issue re-occur?
>
>
>
>
>
> On Wed, Dec 6, 2017 at 6:55 AM, Mark Cairney
> <
> <mailto:>>
> wrote:
>
> Hi,
>
> After my rather hasty email yesterday I've made a little bit of progress
> and now have PSPNG connecting to LDAP. It's currently failign to
> add/modify groups due to lack of members:
>
> 2017-12-06 11:34:00,182: [DefaultQuartzScheduler_Worker-3] ERROR
> GrouperLoaderJob.runJob(485) -  - Error on job:
> CHANGE_LOG_consumer_pspng_cauth
> java.lang.RuntimeException: Error in loader job: null, check logs:
> Error: java.lang.RuntimeException: No entries provisioned. Batch-Start
> failed: LDAP problem creating object: LDAPException(resultCode=65
> (object class violation), errorMessage='object class 'groupOfNames'
> requires attribute 'member'', diagnosticMessage='object class
> 'groupOfNames' requires attribute 'member'')
>         at
>
> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1020)
>         at
>
> edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
>         at
>
> edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>         at
>
> edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:720)
>         at
>
> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>         at
>
> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>         at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>         at
>
> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP
> problem creating object: LDAPException(resultCode=65 (object class
> violation), errorMessage='object class 'groupOfNames' requires attribute
> 'member'', diagnosticMessage='object class 'groupOfNames' requires
> attribute 'member'')
>         at
>
> edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:254)
>         at
>
> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:226)
>         at
>
> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:54)
>         at
>
> edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:581)
>         at
>
> edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:356)
>         at
>
> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1015)
>         ... 7 more
>
>
>
> And on the LDAP side the error is:
>
> dn="cn=adhoc:MCTest:Mark 1,cn=Mark
> 1,ou=MCTest,ou=adhoc,ou=grouper2,dc=authorise-dev,dc=ed,dc=ac,dc=uk"
> Dec  6 11:45:00 bonsai slapd[34260]: Entry (cn=adhoc:MCTest:Mark
> 1,cn=Mark
> 1,ou=MCTest,ou=adhoc,ou=grouper2,dc=authorise-dev,dc=ed,dc=ac,dc=uk):
> object class 'groupOfNames' requires attribute 'member'
>
>
> 1. As provisioned by PSP the DN of the group is:
> cn=Mark
> 1,ou=MCTest,ou=adhoc,ou=grouper2,dc=authorise-dev,dc=ed,dc=ac,dc=uk" so
> this should actually be a modify rather than an add.
>
> My PSPNG currently contains the line:
> dn: cn=${group.name <http://group.name>},${utils.bushyDn(group.name
> <http://group.name>, "cn", "ou")}||cn:
> ${group.name <http://group.name>}||objectclass: posixGroup||objectclass:
> groupOfNames||gidNumber: ${group.idIndex}
>
> How should this be modified to replicate the previous behaviour for
> the DN?
>
> 2. I've got the following in my grouper-loader.properties:
> changeLog.consumer.pspng_cauth.memberAttributeName = member
> changeLog.consumer.pspng_cauth.memberAttributeValueFormat =
> ${ldapUser.getDn()}
>
> However I don't see any attempts at looking up users in LDAP, only the
> group. Also is there a way to define a "placeholder" member for empty
> groups? How does PSPNG resolve grouper members with LDAP/AD users?
>
> Sorry for all the questions- I'm sure there  will be more though once I
> get over this particular speed-bump!
>
>
> --
> /****************************
>
> Mark Cairney
> ITI Enterprise Services
> Information Services
> University of Edinburgh
>
> Tel: 0131 650 6565
> Email:
>
>
> <mailto:>
> PGP: 0x435A9621
>
> *******************************/
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
>
>
>
> --
> Jeffrey Williams, Identity Management Specialist
> Identity Architecture, ITS
> University of North Carolina at Greensboro
> 256-TECH (256-8324)

--
/****************************

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:

PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Archive powered by MHonArc 2.6.19.

Top of Page