Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] LDAPPC issues with whitespace in Active Directory

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] LDAPPC issues with whitespace in Active Directory


Chronological Thread 
  • From: Raymond D Walker <>
  • To: Tom Zeller <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] LDAPPC issues with whitespace in Active Directory
  • Date: Thu, 29 Oct 2009 15:43:34 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US

On Oct 23, 2009, at 11:05 AM, Tom Zeller wrote:

>>> Firing this message off at the end of the day without really looking
>>> for past reports of this particular issue...
>>>
>>> When provisioning to Active Directory environment with LDAPPC 1.4,
>>> I'm
>>> noticing that if you are working with user DN's that have
>>> whitespaces,
>>> LDAPPC takes that and converts to "%20" when actually provisioning,
>>> thus throwing errors/warnings:
>>>
>>> ---
>>> 2009-10-22 16:58:16,976: [Timer-0] ERROR ErrorLog.error(108) -
>>> [edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer]
>>> GROUP[[ DISPLAY NAME = ENT:ITS-SIA-TEST ][NAME = ENT:ITS-SIA-TEST]
>>> [UID
>>> = 10ea9fd09f744e6fb0ad3cd0baf2dbb0]] ::
>>> javax.naming.NameNotFoundException: [LDAP: error code 32 - 00000525:
>>> NameErr: DSID-031A11A5, problem 2001 (NO_OBJECT), data 0, best
>>> match of:
>>> ''
>>> ---
>>>
>>> This error in LDAPPC makes you think it's the group that's at fault,
>>> my initial guesses were that it wasn't being created due to
>>> permission
>>> issues, etc... This is in fact not the case, but rather due to
>>> whitespace conversion in user DN's...
>>>
>>> Bumped up the log levels and found the attempt to create the group:
>>>
>>> ---
>>> 009-10-22 16:58:16,938: [Timer-0] INFO
>>> GroupEntrySynchronizer.addGroupEntry(870) - Creating 'cn=ENT:ITS-
>>> SIA-
>>> TEST,ou=Enterprise Groups,dc=froot,dc=nau,dc=edu' attrs
>>> {grouptype=groupType: -2147483640, objectclass=objectClass: group,
>>> member=member: CN=rdw4,OU=Student%20Wage,OU=Exchange
>>> %20Mailboxes,DC=nau,DC=froot,DC=nau,DC=edu, cn=cn: ENT:ITS-SIA-TEST}
>>> 2009-10-22 16:58:16,976: [Timer-0] ERROR ErrorLog.error(108) -
>>> [edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer]
>>> GROUP[[ DISPLAY NAME = ENT:ITS-SIA-TEST ][NAME = ENT:ITS-SIA-TEST]
>>> [UID
>>> = 10ea9fd09f744e6fb0ad3cd0baf2dbb0]] ::
>>> javax.naming.NameNotFoundException: [LDAP: error code 32 - 00000525:
>>> NameErr: DSID-031A11A5, problem 2001 (NO_OBJECT), data 0, best
>>> match of:
>>> ''
>>> ---
>>>
>>> ...but still the same warning/error... I tried adding by hand...
>>> walah!
>>>
>>> ---
>>> changetype: modify
>>> add: member
>>> member: CN=aga7,OU=Student%20Wage,OU=Exchange
>>> %20Mailboxes,DC=nau,DC=froot,DC=nau,DC=edu
>>>
>>> modifying entry "CN=ENT:ITS-SIA-TEST,OU=Enterprise
>>> Groups,DC=froot,DC=nau,DC=edu"
>>> ldap_modify: No such object (32)
>>> additional info: 00000525: NameErr: DSID-031A11A5, problem
>>> 2001
>>> (NO_OBJECT), data 0, best match of:
>>> ''
>>> ---
>>>
>>> Converting the %20 back to " " solves the issue in AD. These
>>> "whitespace" DN users only exist in production thanks to the
>>> flexibility of Exchange.
>>>
>>> I'm assuming there is no configuration changes to get around this
>>> issue?
>>
>> Well, not yet :-). I'll add "member dns containing whitespace" to the
>> 1.5.0 tests and see what happens.
>
> 1.5.0 and Active Directory (at least Memphis') appear to handle
> whitespace just fine. I don't think I'll try and fix 1.4, you'll want
> to use 1.5 anyway for better AD support (vt-ldap 3.2 paged search
> results and "range" attribute expansion).
>
> TomZ

Excellent to hear Tom!

Note: Apologies for the running up the red flag. It appears that it
was actually our code modification (in the SubjectCache.java) to allow
for "non-relative" search result DN's to be included is actually where
our issue stemmed from.

-Ray Walker



Archive powered by MHonArc 2.6.16.

Top of Page