
grouper-dev - Re: [grouper-dev] PSP Sync error with groups with more than 1500 members in AD

Subject: Grouper Developers Forum

  • From: David Langenberg <>
  • To: Sebastien Gagne <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] PSP Sync error with groups with more than 1500 members in AD
  • Date: Tue, 14 Jan 2014 10:42:21 -0700

Hi Sebastien,

Have you enabled the RangeSearchResultHandler in your ldap.properties?

# handle Active Directory groups with a large (>1500) number of members
# see https://bugs.internet2.edu/jira/browse/GRP-335
# see http://code.google.com/p/vt-middleware/wiki/vtldapAD#Range_Attributes
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler


Dave



On Tue, Jan 14, 2014 at 9:38 AM, Sebastien Gagne <> wrote:
Hi,
It's been a while since I had problems with the PSP, but I ran into something recently:

Groups that have more than 1500 members generate an error when synchronizing them to our Active Directory.

Test Group : acad:1801:Cours:A13_SPT6000-A
Number of members : 3059

Doing a manual calc on the groups returns the 3059 members that should be in the group.

Doing a manual diff on the group returns 3059 ADD requests, but in Active Directory, I see that the group already has more than 1500 members from an initial sync.

I believe the problem comes from an LDAP limitation of a maximum of 1500 retrieved members in a search. If there are more than 1500 members, the query needs to have the "range=" option in it. The LDAP used by the PSP probably isn't using it, so it returns no values. Since there are no values, the PSP tries to add the same members again and gets the errors below.


Since it's only 3 groups, it's not a big problem here, but it would be nice to have a fix for this problem.

Thank you



Log from a PSP realtime sync :

2014-01-14 06:37:01,856: [main] ERROR BaseSpmlProvider.execute(386) -  - Target 'ldap' - Modify ModifyResponse[pso=<null>,status=failure,error=customError,errorMessages={[LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0
_]},requestID=2014/01/14-06:36:59.928]
2014-01-14 06:37:01,859: [main] ERROR BaseSpmlProvider.execute(386) -  - Target 'psp' - Modify ModifyResponse[pso=<null>,status=failure,error=customError,errorMessages={[LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0
_]},requestID=2014/01/14-06:36:59.928]
2014-01-14 06:37:01,859: [main] ERROR Psp.execute(1440) -  - Psp 'psp' - Sync SyncResponse[id=acad:1801:Cours:A13_SPT6000-A,status=failure,error=customError,errorMessages={[LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0
_]},requestID=2014/01/14-06:36:55.635,ModifyResponse[pso=<null>,status=failure,error=customError,errorMessages={[LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0
_]},requestID=2014/01/14-06:36:59.928]]


PSP Sync (manual)
<psp:syncResponse xmlns:psp='http://grouper.internet2.edu/psp' status='failure' requestID='2014/01/14-11:32:02.059' error='customError'>
  <modifyResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='failure' requestID='2014/01/14-11:32:29.559' error='customError'>
    <errorMessage>[LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0
_]</errorMessage>
  </modifyResponse>
  <errorMessage>[LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0
_]</errorMessage>
  <psp:id ID='acad:1801:Cours:A13_SPT6000-A'/>
</psp:syncResponse>


---
Sébastien Gagné, M.Ing., ing. jr




--
David Langenberg
Identity & Access Management
The University of Chicago
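
The range retrieval discussed in this thread, as an added example that is not part of either message and is not Grouper or vt-ldap code. It models the directory with a constructed stand-in (fake_ad_read, read_all_values and the sample DNs are all hypothetical) in which a plain read of "member" on a large group returns the bare attribute with no values plus a "member;range=0-1499" slice, and shows the loop a reader has to run to reassemble the full membership.

```python
import re

PAGE = 1500  # per-response value limit discussed in the thread
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")

def fake_ad_read(values, requested):
    """Constructed stand-in for one AD read of a multi-valued attribute.

    `requested` is a plain name ("member") or "member;range=LO-*".
    Simplification: a numeric upper bound in the request is ignored.
    """
    m = RANGE_RE.match(requested)
    attr, lo = (m["attr"], int(m["lo"])) if m else (requested, 0)
    if not m and len(values) <= PAGE:
        return {attr: list(values)}            # small group: plain answer
    chunk = values[lo:lo + PAGE]
    hi = "*" if lo + PAGE >= len(values) else str(lo + PAGE - 1)
    entry = {f"{attr};range={lo}-{hi}": chunk}
    if not m:
        entry[attr] = []                       # plain name carries no values
    return entry

def read_all_values(read, attr):
    """Follow range options until the server marks the last slice with '*'."""
    collected, requested = [], attr
    while True:
        entry = read(requested)
        ranged = [(RANGE_RE.match(k), v) for k, v in entry.items()]
        ranged = [(m, v) for m, v in ranged if m and m["attr"].lower() == attr.lower()]
        if not ranged:
            return collected + entry.get(attr, [])
        m, values = ranged[0]
        collected.extend(values)
        if m["hi"] == "*":
            return collected
        requested = f"{attr};range={int(m['hi']) + 1}-*"

# Constructed sample: 3059 DNs, the member count of the test group in the thread.
SAMPLE_MEMBERS = [f"CN=user{i:04d},OU=People,DC=example,DC=edu" for i in range(3059)]

def naive_member_count(values):
    """What a reader sees if it only looks at the plain 'member' attribute."""
    return len(fake_ad_read(values, "member").get("member", []))

if __name__ == "__main__":
    full = read_all_values(lambda r: fake_ad_read(SAMPLE_MEMBERS, r), "member")
    print("naive read:", naive_member_count(SAMPLE_MEMBERS), "ranged read:", len(full))
```

A provisioning or audit job that skips the range loop treats the group as empty, which is the condition that leads to the repeated ADD requests and the ENTRY_EXISTS errors in the logs above.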


