  1. Grouper
  2. GRP-1886

supportsEmptyGroups = false, group is removed, but ERROR recorded in log file


Details

    • Bug
    • Resolution: Fixed
    • Major
    • None
    • 2.3.0
    • provisioning
    • None

    Description

      I am running PSPNG with patches up to and including 20. 
      Specifically I am running the TIER Docker image 

      tier/grouper:2.3.0-a109-u47-w12-p20

      I now have a working configuration (see below) that does exactly what I
      want--it provisions groupOfNames and manages the isMemberOf attribute on
      a person record.

      I did notice, however, that even though I have

      changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false

      when all users are deleted from a group I see in the log file

      2018-09-05 09:52:20,160: [DefaultQuartzScheduler_Worker-4] ERROR LdapSystem.performLdapModify(418) -  - ldapMasterPool: Ldap modification failed
      [org.ldaptive.LdapException@1485179000::resultCode=OBJECT_CLASS_VIOLATION, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member']; remaining name 'cn=myorg_co:co_members_all,ou=groups,o=gn4phase1,dc=myorg,dc=org', providerException=javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member']; remaining name 'cn=myorg_co:co_members_all,ou=groups,o=gn4phase1,dc=myorg,dc=org']
          at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)
          at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)
          at org.ldaptive.provider.jndi.JndiConnection.modify(JndiConnection.java:425)
          at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:384)
          at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:366)
          at edu.internet2.middleware.grouper.pspng.LdapProvisioner.makeIndividualLdapChanges(LdapProvisioner.java:552)
          at edu.internet2.middleware.grouper.pspng.LdapProvisioner.finishProvisioningBatch(LdapProvisioner.java:294)
          at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1670)
          at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
          at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
          at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
          at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
          at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
          at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
          at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

      I do see that the group is de-provisioned correctly, presumably by the "background"
      full-sync provisioning "engine running which is automatically used when
      incremental provisioning finds conflicting changes or otherwise is unable to
      handle the changelog events."

      So the ERROR message, though strictly accurate, is not helpful since it does
      not represent the overall status of PSPNG.

      Here is my full configuration:

      ldap.ldapMasterPool.ldapUrl = ldap://ldap-master:389
      ldap.ldapMasterPool.bindDn = uid=grouper,ou=system,dc=myorg,dc=org
      ldap.ldapMasterPool.bindCredential = password

      changeLog.consumer.pspng_groupOfNames.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
      changeLog.consumer.pspng_groupOfNames.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
      changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
      changeLog.consumer.pspng_groupOfNames.ldapPoolName = ldapMasterPool
      changeLog.consumer.pspng_groupOfNames.quartzCron = 0/10 * * * * ?
      changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
      changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
      changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,o=myorg,dc=myorg,dc=org
      changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
      changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name}))
      changeLog.consumer.pspng_groupOfNames.groupSearchAttributes=cn,objectclass
      changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
      changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,o=myorg,dc=myorg,dc=org
      changeLog.consumer.pspng_groupOfNames.userSearchFilter = employeeNumber=${subject.id}
      changeLog.consumer.pspng_groupOfNames.userSearchAttributes = dn,cn,uid,mail,eduPersonPrincipalName,objectclass,employeeNumber,isMemberOf

      changeLog.consumer.pspng_attributes.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
      changeLog.consumer.pspng_attributes.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
      changeLog.consumer.pspng_attributes.quartzCron = 0/10 * * * * ?
      changeLog.consumer.pspng_attributes.retryOnError = true
      changeLog.consumer.pspng_attributes.ldapPoolName = ldapMasterPool
      changeLog.consumer.pspng_attributes.provisionedAttributeName = isMemberOf
      changeLog.consumer.pspng_attributes.provisionedAttributeValueFormat = ${group.name}
      changeLog.consumer.pspng_attributes.userSearchBaseDn = ou=people,o=myorg,dc=myorg,dc=org
      changeLog.consumer.pspng_attributes.userSearchFilter = employeeNumber=${subject.id}
      changeLog.consumer.pspng_attributes.userSearchAttributes = dn,cn,uid,mail,eduPersonPrincipalName,objectclass,employeeNumber,isMemberOf
      changeLog.consumer.pspng_attributes.allProvisionedValuesPrefix = *
      changeLog.consumer.pspng_attributes.grouperIsAuthoritative = true

      otherJob.pspng_groupOfNames_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
      #otherJob.pspng_groupOfNames_full.quartzCron = 0 0 0 * * ?   #Every midnight
      otherJob.pspng_groupOfNames_full.quartzCron = 0 * * * * ?    #Every minute for testing

      otherJob.pspng_attributes_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
      #changeLog.consumer.pspng_attributes.quartzCron = 0 0 0 * * ?   #Every midnight
      otherJob.pspng_attributes_full.quartzCron = 0 * * * * ?         #Every minute for testing
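An added example, not part of the original report and not PSPNG code: a toy in-memory directory that enforces the `member` requirement of `groupOfNames` seen in the log above. It shows why removing the last member fails with error 65, and how a provisioner configured with `supportsEmptyGroups = false` could delete the entry instead of sending that modify. Class and function names are hypothetical and the member DNs are constructed.

```python
# Added illustration: names are hypothetical, member DNs are constructed sample data.
GROUP_DN = "cn=myorg_co:co_members_all,ou=groups,o=gn4phase1,dc=myorg,dc=org"
ALICE = "uid=alice,ou=people,o=myorg,dc=myorg,dc=org"
BOB = "uid=bob,ou=people,o=myorg,dc=myorg,dc=org"

class SchemaViolation(Exception):
    """Stands in for LDAP result code 65 (OBJECT_CLASS_VIOLATION)."""

class ToyDirectory:
    """In-memory stand-in for a server enforcing groupOfNames' required 'member'."""
    def __init__(self):
        self.groups = {}  # group DN -> set of member DNs

    def remove_members(self, dn, members):
        remaining = self.groups[dn] - set(members)
        if not remaining:  # the modify would leave the entry without 'member'
            raise SchemaViolation("object class 'groupOfNames' requires attribute 'member'")
        self.groups[dn] = remaining

    def delete_group(self, dn):
        del self.groups[dn]

def remove_planned(directory, dn, members, supports_empty_groups=False):
    """Pick the LDAP operation before sending it, so no doomed modify is issued."""
    current = directory.groups.get(dn)
    if current is None:
        return "absent"
    if not (current - set(members)) and not supports_empty_groups:
        directory.delete_group(dn)  # last member leaving: delete the entry instead
        return "deleted"
    directory.remove_members(dn, members)
    return "modified"

def demo():
    naive, planned = ToyDirectory(), ToyDirectory()
    for d in (naive, planned):
        d.groups[GROUP_DN] = {ALICE, BOB}
    try:
        naive.remove_members(GROUP_DN, [ALICE, BOB])  # what the logged modify attempted
        naive_result = "modified"
    except SchemaViolation:
        naive_result = "error 65"
    return naive_result, remove_planned(planned, GROUP_DN, [ALICE, BOB]), GROUP_DN in planned.groups

if __name__ == "__main__":
    print(demo())
```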


            People

              bert.beelindgren@at.internet2.edu Bert Bee-Lindgren (gatech.edu)
              scott.koranda.3@at.internet2.edu Scott Koranda SCG (Inactive)