Grouper Users - Open Discussion List

["Bryan E. Wooten" <>]

I have wired up grouper to my IDE debugger and stop on a break point when I run the PSP change consumer after adding a group.

 

My initial break point was set in LdapSpmlTarget.java line 937:

 

/**

     * Handle provisioning add requests with no references to a target which requires references to not be empty, such

     * as OpenLDAP.

     *

     * @param addRequest the add request

     * @throws PspException if a psp error occurs

     * @throws DSMLProfileException if a dsml error occurs

     */

    protected void handleEmptyReferences(AddRequest addRequest) throws PspException, DSMLProfileException {

 

After a few steps I found myself in psp.java line 451: public void execute(AddRequest addRequest, AddResponse addResponse).

 

Anyway I can’t seem to find where during the process the CN is set for the add request. Can you point me to the correct place in the source?

 

Thanks,

 

Bryan

 

From: [mailto:] On Behalf Of Bryan E. Wooten
Sent: Friday, June 21, 2013 8:27 AM
To: Shilen Patel;
Subject: RE: [grouper-users] Update on my AD PSP issue, some progress (New Update)

 

Ok, so I configured my sources.xml and ldap.properties to use AD instead of LDAP (I left all the psp*.xml files alone) and am able to provision a group to AD.

 

Checking the wireshark trace I see that the cn equals the group name. This confirms my speculation below.

 

So for some reason when the subject source is ldap the cn gets set to uofu:bryan22:groupname but when the subject source is AD the cn is set to just groupname.

 

If someone can point me  to the code that sets cn when the ldap addrequest is made I’ll try and debug the cause. This will be a show stopper for me if I can’t find a work around.  If I can’t get the PSP to provision groups to AD with an LDAP source I’ll probably be force to write my own change log consumer or something.

 

I am sure I will run into similar issues when I try and add members to a group. But I’ll save that hurdle for another day.

 

Thanks,

 

Bryan

 

From: Bryan E. Wooten
Sent: Thursday, June 20, 2013 4:37 PM
To: Shilen Patel; Bryan E. Wooten;
Subject: Re: [grouper-users] Update on my AD PSP issue, some progress

 

With the help of a colleague we noticed that the cn was passed as uofu:bryan22:group1 while the dn was cn=group1,ou=bryan22,ou=uofu,ou=groups,ou=grouper,dc=testad,dc=utah,dc=edu.

 

We think the cn value is the problem. I am going to reconfigure back to my known good AD provisioning (with AD subject source) and capture a group add request and do a comparison of the cn value passed.

 

I'll do the test tomorrow and get back with an update.

 

Thanks,

 

Bryan

 

From: Shilen Patel <>
Date: Thursday, June 20, 2013 4:08 PM
To: Bryan Wooten <>, "" <>
Subject: Re: [grouper-users] Update on my AD PSP issue, some progress

 

From the logs, what does the <addRequest> look like?

 

Thanks!

 

-- Shilen

 

From: "Bryan E. Wooten" <>
Date: Thursday, June 20, 2013 4:20 PM
To: "" <>
Subject: [grouper-users] Update on my AD PSP issue, some progress

 

In case anyone is interested.

 

Thanks to Shilen I am able to have an LDAP subject source and use the PSP to provision stems as an OU to AD.

The trick was to NOT change the <Service> id=”ldap”. I had thought I could change it to id=”ad” and make adjustments in the other psp xml files.

 

My next was to create a group in my new stem and provision that group to AD. The good news is that the PSP tried. The bad news is that I get an LDAP error:

 

2013-06-20 13:35:24,604: [main] ERROR BaseSpmlProvider.execute(188) -  - Target 'ldap' - Add AddResponse[pso=<null>,status=failure,error=customError,errorMessages={cn=g9,ou=bryan23,ou=uofu,OU=groups,OU=grouper,DC=testad,DC=utah,DC=edu: [LDAP: error code 34 - 00002081: NameErr: DSID-03050C42, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:

        'cn=g9,ou=bryan23,ou=uofu,OU=groups,OU=grouper,DC=testad,DC=utah,DC=edu'

 

I traced the request with wireshark and can see the add request and returned error. Looking at the request packet I don’t see anything wrong (but I am not an expert at decoding the LDAP protocol).

 

I have successfully created groups in AD using the PSP (with an AD subject source), so I know the PSP can do it. As usual I have no clue what is causing this given that Grouper/PSP can successfully bind and create an OU.

 

Thanks for listening.

 

-Bryan