
grouper-users - Re: [grouper-users] Update on my AD PSP issue, some progress

Subject: Grouper Users - Open Discussion List

  • From: "Bryan E. Wooten" <>
  • To: Shilen Patel <>, "Bryan E. Wooten" <>, "" <>
  • Subject: Re: [grouper-users] Update on my AD PSP issue, some progress
  • Date: Thu, 20 Jun 2013 22:37:18 +0000

With the help of a colleague we noticed that the cn was passed as uofu:bryan22:group1 while the dn was cn=group1,ou=bryan22,ou=uofu,ou=groups,ou=grouper,dc=testad,dc=utah,dc=edu.

We think the cn value is the problem. I am going to reconfigure back to my known good AD provisioning (with AD subject source) and capture a group add request and do a comparison of the cn value passed.

I'll do the test tomorrow and get back with an update.

Thanks,

Bryan

From: Shilen Patel <>
Date: Thursday, June 20, 2013 4:08 PM
To: Bryan Wooten <>, "" <>
Subject: Re: [grouper-users] Update on my AD PSP issue, some progress

From the logs, what does the <addRequest> look like?

Thanks!

-- Shilen

From: "Bryan E. Wooten" <>
Date: Thursday, June 20, 2013 4:20 PM
To: "" <>
Subject: [grouper-users] Update on my AD PSP issue, some progress

In case anyone is interested.

Thanks to Shilen I am able to have an LDAP subject source and use the PSP to provision stems as an OU to AD.

The trick was to NOT change the <Service> id="ldap". I had thought I could change it to id="ad" and make adjustments in the other psp xml files.

My next step was to create a group in my new stem and provision that group to AD. The good news is that the PSP tried. The bad news is that I get an LDAP error:


2013-06-20 13:35:24,604: [main] ERROR BaseSpmlProvider.execute(188) -  - Target 'ldap' - Add AddResponse[pso=<null>,status=failure,error=customError,errorMessages={cn=g9,ou=bryan23,ou=uofu,OU=groups,OU=grouper,DC=testad,DC=utah,DC=edu: [LDAP: error code 34 - 00002081: NameErr: DSID-03050C42, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:

        'cn=g9,ou=bryan23,ou=uofu,OU=groups,OU=grouper,DC=testad,DC=utah,DC=edu'

 

I traced the request with Wireshark and can see the add request and returned error. Looking at the request packet I don't see anything wrong (but I am not an expert at decoding the LDAP protocol).


I have successfully created groups in AD using the PSP (with an AD subject source), so I know the PSP can do it. As usual I have no clue what is causing this given that Grouper/PSP can successfully bind and create an OU.


Thanks for listening.

 

-Bryan
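
The comparison described in the most recent message at the top of this thread (the cn attribute sent in the add request versus the leading RDN of the dn) can be automated. This is an added example, not part of the original thread or of Grouper/PSP; the function names and the attribute dictionary shape are hypothetical, and the dn and cn values are the ones quoted in that message.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters (RFC 4514) untouched."""
    parts, i = [""], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            parts[-1] += text[i:i + 2]    # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("")
        else:
            parts[-1] += text[i]
        i += 1
    return parts

def unescape(value):
    """Decode RFC 4514 escapes: \\XX hex pairs (UTF-8 bytes) and \\<char>."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode()
            i += 2
        else:
            out += value[i].encode()
            i += 1
    return out.decode("utf-8")

def leading_rdn(dn):
    """Return {attribute: value} for the first RDN of dn (multi-valued with '+')."""
    rdn = split_unescaped(dn, ",")[0]
    pairs = (ava.partition("=") for ava in split_unescaped(rdn, "+"))
    return {attr.strip().lower(): unescape(val) for attr, _, val in pairs}

def rdn_mismatches(dn, attributes):
    """List (attr, rdn_value, supplied_values) where the add request disagrees with the dn."""
    supplied = {k.lower(): v for k, v in attributes.items()}
    return [(attr, val, supplied[attr]) for attr, val in leading_rdn(dn).items()
            if attr in supplied
            and val.casefold() not in [s.casefold() for s in supplied[attr]]]

# dn and cn as quoted in the message; the dict shape is constructed for this example.
DN = "cn=group1,ou=bryan22,ou=uofu,ou=groups,ou=grouper,dc=testad,dc=utah,dc=edu"
ATTRS = {"cn": ["uofu:bryan22:group1"]}
print(rdn_mismatches(DN, ATTRS))
```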



