grouper-users - Re: [grouper-users] PSPNG full sync 'Did not get all the way through the batch'

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda <>
  • To: "Bee-Lindgren, Bert" <>
  • Cc: grouper-users <>
  • Subject: Re: [grouper-users] PSPNG full sync 'Did not get all the way through the batch'
  • Date: Wed, 5 Sep 2018 05:18:25 -0500

Hi,

> otherJob.pspng_attributes_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
> otherJob.pspng_attributes_full._full.quartzCron = 0 * * * * ?

Ah. Thanks.

I read "otherJob" in the wiki page as a template, not literally.

I now have a working configuration (see below) that does exactly what I
want--it provisions groupOfNames and manages the isMemberOf attribute on
a person record.

I did notice, however, that even though I have

changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false

when all users are deleted from a group I see in the log file

2018-09-05 09:52:20,160: [DefaultQuartzScheduler_Worker-4] ERROR
LdapSystem.performLdapModify(418) - - ldapMasterPool: Ldap modification
failed
[org.ldaptive.LdapException@1485179000::resultCode=OBJECT_CLASS_VIOLATION,
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1,
message=javax.naming.directory.SchemaViolationException: [LDAP: error code 65
- object class 'groupOfNames' requires attribute 'member']; remaining name
'cn=myorg_co:co_members_all,ou=groups,o=gn4phase1,dc=myorg,dc=org',
providerException=javax.naming.directory.SchemaViolationException: [LDAP:
error code 65 - object class 'groupOfNames' requires attribute 'member'];
remaining name
'cn=myorg_co:co_members_all,ou=groups,o=gn4phase1,dc=myorg,dc=org']
    at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)
    at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)
    at org.ldaptive.provider.jndi.JndiConnection.modify(JndiConnection.java:425)
    at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:384)
    at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:366)
    at edu.internet2.middleware.grouper.pspng.LdapProvisioner.makeIndividualLdapChanges(LdapProvisioner.java:552)
    at edu.internet2.middleware.grouper.pspng.LdapProvisioner.finishProvisioningBatch(LdapProvisioner.java:294)
    at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1670)
    at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
    at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
    at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
    at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
    at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

I do see that the group is de-provisioned correctly, presumably by the
"background" full-sync provisioning "engine running which is
automatically used when incremental provisioning finds conflicting
changes or otherwise is unable to handle the changelog events."

So the ERROR message, though strictly accurate, is not helpful since it does
not represent the overall status of PSPNG.

Is this a known issue?

Thanks,

Scott K

P.S. Here is my full configuration:

ldap.ldapMasterPool.ldapUrl = ldap://ldap-master:389
ldap.ldapMasterPool.bindDn = uid=grouper,ou=system,dc=myorg,dc=org
ldap.ldapMasterPool.bindCredential = password

changeLog.consumer.pspng_groupOfNames.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_groupOfNames.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
changeLog.consumer.pspng_groupOfNames.ldapPoolName = ldapMasterPool
changeLog.consumer.pspng_groupOfNames.quartzCron = 0/10 * * * * ?
changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,o=myorg,dc=myorg,dc=org
changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name}))
changeLog.consumer.pspng_groupOfNames.groupSearchAttributes=cn,objectclass
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,o=myorg,dc=myorg,dc=org
changeLog.consumer.pspng_groupOfNames.userSearchFilter = employeeNumber=${subject.id}
changeLog.consumer.pspng_groupOfNames.userSearchAttributes = dn,cn,uid,mail,eduPersonPrincipalName,objectclass,employeeNumber,isMemberOf

changeLog.consumer.pspng_attributes.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_attributes.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
changeLog.consumer.pspng_attributes.quartzCron = 0/10 * * * * ?
changeLog.consumer.pspng_attributes.retryOnError = true
changeLog.consumer.pspng_attributes.ldapPoolName = ldapMasterPool
changeLog.consumer.pspng_attributes.provisionedAttributeName = isMemberOf
changeLog.consumer.pspng_attributes.provisionedAttributeValueFormat = ${group.name}
changeLog.consumer.pspng_attributes.userSearchBaseDn = ou=people,o=myorg,dc=myorg,dc=org
changeLog.consumer.pspng_attributes.userSearchFilter = employeeNumber=${subject.id}
changeLog.consumer.pspng_attributes.userSearchAttributes = dn,cn,uid,mail,eduPersonPrincipalName,objectclass,employeeNumber,isMemberOf
changeLog.consumer.pspng_attributes.allProvisionedValuesPrefix = *
changeLog.consumer.pspng_attributes.grouperIsAuthoritative = true

otherJob.pspng_groupOfNames_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
#otherJob.pspng_groupOfNames_full.quartzCron = 0 0 0 * * ? #Every midnight
otherJob.pspng_groupOfNames_full.quartzCron = 0 * * * * ? #Every minute for testing

otherJob.pspng_attributes_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
#changeLog.consumer.pspng_attributes.quartzCron = 0 0 0 * * ? #Every midnight
otherJob.pspng_attributes_full.quartzCron = 0 * * * * ? #Every minute for testing
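
An added illustration, not part of the original message and not PSPNG code: a toy in-memory directory that enforces the groupOfNames rule behind the "error code 65" in the log above, showing why a modify that removes the last member is rejected while deleting the whole entry is not. The class and function names, the `supports_empty_groups` parameter and any DNs passed in are assumptions made for the example.

```python
# Added illustration, not PSPNG code: a toy directory that enforces the
# groupOfNames rule that the 'member' attribute is mandatory.

class SchemaViolation(Exception):
    """Stands in for LDAP result code 65 (objectClassViolation)."""
    result_code = 65


class ToyDirectory:
    def __init__(self):
        self.groups = {}  # group DN -> set of member DNs

    def add_group(self, dn, members):
        if not members:
            raise SchemaViolation("object class 'groupOfNames' requires attribute 'member'")
        self.groups[dn] = set(members)

    def modify_delete_member(self, dn, member):
        remaining = self.groups[dn] - {member}
        if not remaining:
            # Same condition the server reported in the log above.
            raise SchemaViolation("object class 'groupOfNames' requires attribute 'member'")
        self.groups[dn] = remaining

    def delete_entry(self, dn):
        del self.groups[dn]


def remove_member(directory, dn, member, supports_empty_groups=False):
    """Remove one member and return the operation that was performed.

    Hypothetical planner: when the removal would empty the group and empty
    groups are not supported, delete the entry instead of modifying it.
    """
    current = directory.groups.get(dn, set())
    if member not in current:
        return "noop"
    if len(current) == 1 and not supports_empty_groups:
        directory.delete_entry(dn)
        return "delete_entry"
    # With supports_empty_groups=True this raises on the last member,
    # because groupOfNames cannot exist without 'member'.
    directory.modify_delete_member(dn, member)
    return "modify"
```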


