Details
- Bug
- Resolution: Fixed
- Major
- None
- 2.3.0
- None
Description
I am running PSPNG with patches up to and including 20.
Specifically I am running the TIER Docker image
tier/grouper:2.3.0-a109-u47-w12-p20
I now have a working configuration (see below) that does exactly what I
want--it provisions groupOfNames and manages the isMemberOf attribute on
a person record.
I did notice, however, that even though I have
changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
when all users are deleted from a group I see in the log file
2018-09-05 09:52:20,160: [DefaultQuartzScheduler_Worker-4] ERROR LdapSystem.performLdapModify(418) - - ldapMasterPool: Ldap modification failed
[org.ldaptive.LdapException@1485179000::resultCode=OBJECT_CLASS_VIOLATION, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member']; remaining name 'cn=myorg_co:co_members_all,ou=groups,o=gn4phase1,dc=myorg,dc=org', providerException=javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member']; remaining name 'cn=myorg_co:co_members_all,ou=groups,o=gn4phase1,dc=myorg,dc=org']
at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)
at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)
at org.ldaptive.provider.jndi.JndiConnection.modify(JndiConnection.java:425)
at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:384)
at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:366)
at edu.internet2.middleware.grouper.pspng.LdapProvisioner.makeIndividualLdapChanges(LdapProvisioner.java:552)
at edu.internet2.middleware.grouper.pspng.LdapProvisioner.finishProvisioningBatch(LdapProvisioner.java:294)
at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1670)
at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
I do see that the group is de-provisioned correctly, presumably by the "background"
full-sync provisioning "engine running which is automatically used when
incremental provisioning finds conflicting changes or otherwise is unable to
handle the changelog events."
So the ERROR message, though strictly accurate, is not helpful since it does
not represent the overall status of PSPNG.
Here is my full configuration:
ldap.ldapMasterPool.ldapUrl = ldap://ldap-master:389
ldap.ldapMasterPool.bindDn = uid=grouper,ou=system,dc=myorg,dc=org
ldap.ldapMasterPool.bindCredential = password
changeLog.consumer.pspng_groupOfNames.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_groupOfNames.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
changeLog.consumer.pspng_groupOfNames.ldapPoolName = ldapMasterPool
changeLog.consumer.pspng_groupOfNames.quartzCron = 0/10 * * * * ?
changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,o=myorg,dc=myorg,dc=org
changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name}))
changeLog.consumer.pspng_groupOfNames.groupSearchAttributes=cn,objectclass
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,o=myorg,dc=myorg,dc=org
changeLog.consumer.pspng_groupOfNames.userSearchFilter = employeeNumber=${subject.id}
changeLog.consumer.pspng_groupOfNames.userSearchAttributes = dn,cn,uid,mail,eduPersonPrincipalName,objectclass,employeeNumber,isMemberOf
changeLog.consumer.pspng_attributes.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_attributes.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
changeLog.consumer.pspng_attributes.quartzCron = 0/10 * * * * ?
changeLog.consumer.pspng_attributes.retryOnError = true
changeLog.consumer.pspng_attributes.ldapPoolName = ldapMasterPool
changeLog.consumer.pspng_attributes.provisionedAttributeName = isMemberOf
changeLog.consumer.pspng_attributes.provisionedAttributeValueFormat = ${group.name}
changeLog.consumer.pspng_attributes.userSearchBaseDn = ou=people,o=myorg,dc=myorg,dc=org
changeLog.consumer.pspng_attributes.userSearchFilter = employeeNumber=${subject.id}
changeLog.consumer.pspng_attributes.userSearchAttributes = dn,cn,uid,mail,eduPersonPrincipalName,objectclass,employeeNumber,isMemberOf
changeLog.consumer.pspng_attributes.allProvisionedValuesPrefix = *
changeLog.consumer.pspng_attributes.grouperIsAuthoritative = true
otherJob.pspng_groupOfNames_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
#Every midnight
#otherJob.pspng_groupOfNames_full.quartzCron = 0 0 0 * * ?
#Every minute for testing
otherJob.pspng_groupOfNames_full.quartzCron = 0 * * * * ?
otherJob.pspng_attributes_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
#Every midnight
#changeLog.consumer.pspng_attributes.quartzCron = 0 0 0 * * ?
#Every minute for testing
otherJob.pspng_attributes_full.quartzCron = 0 * * * * ?
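A log-triage sketch for the situation described above, added here as an example and not part of the original report or of PSPNG: it separates the schema violation raised when the last member is removed from a groupOfNames entry from other failed LDAP modifies. The sample lines and the example DNs are constructed; the line layout follows the log excerpt in the report.

```python
import re

# Header line written by LdapSystem.performLdapModify, as in the report's excerpt.
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}): \[[^\]]+\] ERROR "
                    r"LdapSystem\.performLdapModify\(\d+\) .*Ldap modification failed")
CODE = re.compile(r"resultCode=([A-Z_]+)")
REQUIRES = re.compile(r"object class '([^']+)' requires attribute '([^']+)'")
DN = re.compile(r"remaining name '([^']+)'")

# Constructed sample input (not real log data).
SAMPLE = [
    "2018-09-05 09:52:20,160: [DefaultQuartzScheduler_Worker-4] ERROR LdapSystem.performLdapModify(418) - - ldapMasterPool: Ldap modification failed",
    "[org.ldaptive.LdapException@1::resultCode=OBJECT_CLASS_VIOLATION, matchedDn=null, message=javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member']; remaining name 'cn=example:empty,ou=groups,dc=example,dc=org']",
    "\tat org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)",
    "2018-09-05 09:53:10,002: [DefaultQuartzScheduler_Worker-2] ERROR LdapSystem.performLdapModify(418) - - ldapMasterPool: Ldap modification failed",
    "[org.ldaptive.LdapException@2::resultCode=INSUFFICIENT_ACCESS_RIGHTS, matchedDn=null, message=javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=example:staff,ou=groups,dc=example,dc=org']",
]

def classify(lines, member_attr="member"):
    """Return (timestamp, dn, label) for each failed LDAP modify in the log."""
    findings, pending_ts = [], None
    for line in lines:
        header = HEADER.match(line)
        if header:
            pending_ts = header.group(1)   # exception detail is on the next line
            continue
        if pending_ts is None or line.lstrip().startswith("at "):
            continue                       # stack frames and unrelated lines
        code = CODE.search(line)
        req = REQUIRES.search(line)
        dn = DN.search(line)
        emptied = (code is not None and code.group(1) == "OBJECT_CLASS_VIOLATION"
                   and req is not None and req.group(2) == member_attr)
        # "empty-group": last member removed from a class that requires the attribute.
        # "investigate": any other failed modify (permissions, connectivity, ...).
        label = "empty-group" if emptied else "investigate"
        findings.append((pending_ts, dn.group(1) if dn else None, label))
        pending_ts = None
    return findings

if __name__ == "__main__":
    for ts, dn, label in classify(SAMPLE):
        print(ts, label, dn)
```

Entries labelled empty-group are the ones to cross-check against the directory after the next full sync; anything labelled investigate is a failed write that the empty-group explanation does not cover.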
Issue Links
- is subtask of: GRP-2208 Issues addressed by PSPNG 2.4 Patch 8 (Resolved)