Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] LDAPPC issues with whitespace in Active Directory

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] LDAPPC issues with whitespace in Active Directory


Chronological Thread 
  • From: Tom Zeller <>
  • To: Raymond D Walker <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] LDAPPC issues with whitespace in Active Directory
  • Date: Fri, 23 Oct 2009 13:05:21 -0500
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; b=haYaH9N3f9YWMeCtUpsL8QMCFKbUGjM6DGxWdnXIZxF5Lq9XMYAGF7oBL1C/dwToqb pxVNXdPmHDHoJc8o19kYiZrKSKbUA4b36lK12Xv9VVJifXS0TcgXmzcUBLYglvKQGnwP XlScvYhIwAV2axe+1GZURCRfx8AVHbVdOJQvA=
>> Firing this message off at the end of the day without really looking
>> for past reports of this particular issue...
>>
>> When provisioning to Active Directory environment with LDAPPC 1.4, I'm
>> noticing that if you are working with user DN's that have whitespaces,
>> LDAPPC takes that and converts to "%20" when actually provisioning,
>> thus throwing errors/warnings:
>>
>> ---
>> 2009-10-22 16:58:16,976: [Timer-0] ERROR ErrorLog.error(108) -
>> [edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer]
>> GROUP[[ DISPLAY NAME = ENT:ITS-SIA-TEST ][NAME = ENT:ITS-SIA-TEST][UID
>> = 10ea9fd09f744e6fb0ad3cd0baf2dbb0]] ::
>> javax.naming.NameNotFoundException: [LDAP: error code 32 - 00000525:
>> NameErr: DSID-031A11A5, problem 2001 (NO_OBJECT), data 0, best match of:
>>        ''
>> ---
>>
>> This error in LDAPPC makes you think it's the group that's at fault,
>> my initial guesses were that it wasn't being created due to permission
>> issues, etc... This is in fact not the case, but rather due to
>> whitespace conversion in user DN's...
>>
>> Bumped up the log levels and found the attempt to create the group:
>>
>> ---
>> 009-10-22 16:58:16,938: [Timer-0] INFO
>> GroupEntrySynchronizer.addGroupEntry(870) - Creating 'cn=ENT:ITS-SIA-
>> TEST,ou=Enterprise Groups,dc=froot,dc=nau,dc=edu' attrs
>> {grouptype=groupType: -2147483640, objectclass=objectClass: group,
>> member=member: CN=rdw4,OU=Student%20Wage,OU=Exchange
>> %20Mailboxes,DC=nau,DC=froot,DC=nau,DC=edu, cn=cn: ENT:ITS-SIA-TEST}
>> 2009-10-22 16:58:16,976: [Timer-0] ERROR ErrorLog.error(108) -
>> [edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer]
>> GROUP[[ DISPLAY NAME = ENT:ITS-SIA-TEST ][NAME = ENT:ITS-SIA-TEST][UID
>> = 10ea9fd09f744e6fb0ad3cd0baf2dbb0]] ::
>> javax.naming.NameNotFoundException: [LDAP: error code 32 - 00000525:
>> NameErr: DSID-031A11A5, problem 2001 (NO_OBJECT), data 0, best match of:
>>        ''
>> ---
>>
>> ...but still the same warning/error... I tried adding by hand... walah!
>>
>> ---
>> changetype: modify
>> add: member
>> member: CN=aga7,OU=Student%20Wage,OU=Exchange
>> %20Mailboxes,DC=nau,DC=froot,DC=nau,DC=edu
>>
>> modifying entry "CN=ENT:ITS-SIA-TEST,OU=Enterprise
>> Groups,DC=froot,DC=nau,DC=edu"
>> ldap_modify: No such object (32)
>>        additional info: 00000525: NameErr: DSID-031A11A5, problem 2001
>> (NO_OBJECT), data 0, best match of:
>>        ''
>> ---
>>
>> Converting the %20 back to " " solves the issue in AD. These
>> "whitespace" DN users only exist in production thanks to the
>> flexibility of Exchange.
>>
>> I'm assuming there is no configuration changes to get around this issue?
>
> Well, not yet :-). I'll add "member dns containing whitespace" to the
> 1.5.0 tests and see what happens.

1.5.0 and Active Directory (at least Memphis') appear to handle
whitespace just fine. I don't think I'll try and fix 1.4, you'll want
to use 1.5 anyway for better AD support (vt-ldap 3.2 paged search
results and "range" attribute expansion).

TomZ

Archive powered by MHonArc 2.6.16.

Top of Page