Congrats! Please do share your configs, we will sometime soon have to do a similar thing (grouper-to-ldap-and-ad-with-ad-subject-source).

From: [mailto:] On Behalf Of Bryan E. Wooten
Sent: 25 June 2013 11:06
To: Shilen Patel;
Subject: RE: [grouper-users] Update on my AD PSP issue, Trying to debug

That was the final piece! Also had to do some work with LDAPMemberPersonLook1 and get that all synced. Thanks for all your help.

I will package this up as an example like psp-example-grouper-to-active-directory-with-ldap-subject-source so others may benefit and I can have my config reviewed.

Cheers!
-Bryan

From: Shilen Patel []
Sent: Tuesday, June 25, 2013 8:18 AM
To: Bryan E. Wooten;
Subject: Re: [grouper-users] Update on my AD PSP issue, Trying to debug

You may need to look at the "psp-example-grouper-to-openldap-multiple" example, specifically at how the memberDn1 attribute definition is computed.

From: "Bryan E. Wooten" <>
Date: Tuesday, June 25, 2013 9:30 AM
To: Shilen Patel <>, "" <>
Subject: RE: [grouper-users] Update on my AD PSP issue, Trying to debug

Shilen,

Changing the ldap properties from "name" to "extension" did the trick. My psp-resolver was already correct. So I can now create OUs and Groups in AD while having an LDAP subject source. Thanks!

But as expected adding members fails. In the log file I see this:

    2013-06-25 07:29:06,237: [main] DEBUG Pso.getPSO(222) - - Pso 'member' - Get pso for 'u0519980'
    2013-06-25 07:29:06,238: [main] DEBUG PsoIdentifier.getPSOIdentifier(86) - - PSO Identifier Definition 'memberDn' - Source attribute 'memberDn' does not exist
    2013-06-25 07:29:06,240: [main] DEBUG Pso.getPSO(229) - - Pso 'member' - Unable to calculate pso identifier for 'u0519980'
    2013-06-25 07:29:06,242: [main] ERROR Psp.execute(1015) - - Psp 'psp' - Calc CalcResponse[id=u0519980,status=failure,error=noSuchIdentifier,errorMessages={Unable to calculate provisioned object.},requestID=2013/06/25-07:29:06.226

I just tried this, so I will dig further to see if I can see anything that would cause this, but if you have any ideas shoot them my way.

Thanks,
Bryan

From: Shilen Patel []
Sent: Tuesday, June 25, 2013 5:45 AM
To: Bryan E. Wooten;
Subject: Re: [grouper-users] Update on my AD PSP issue, Trying to debug

In your ldap.properties, edu.internet2.middleware.psp.cnSourceAttributeID is set to "extension" and not "name", right?

And in your psp-resolver.xml, the attribute definition for "cn" is something like this?

    <resolver:AttributeDefinition sourceAttributeID="${edu.internet2.middleware.psp.cnSourceAttributeID}">
      <resolver:Dependency ref="GroupWithoutMembershipsDataConnector" />
    </resolver:AttributeDefinition>

From: "Bryan E. Wooten" <>
Date: Monday, June 24, 2013 9:37 AM
To: "Bryan E. Wooten" <>, Shilen Patel <>, "" <>
Subject: RE: [grouper-users] Update on my AD PSP issue, Trying to debug

I have wired up grouper to my IDE debugger and stop on a break point when I run the PSP change consumer after adding a group. My initial break point was set in LdapSpmlTarget.java line 937:

    /**
     * Handle provisioning add requests with no references to a target which requires references to not be empty, such
     * as OpenLDAP.
     *
     * @param addRequest the add request
     * @throws PspException if a psp error occurs
     * @throws DSMLProfileException if a dsml error occurs
     */
    protected void handleEmptyReferences(AddRequest addRequest) throws PspException, DSMLProfileException {

After a few steps I found myself in psp.java line 451:

    public void execute(AddRequest addRequest, AddResponse addResponse)

Anyway, I can't seem to find where during the process the CN is set for the add request. Can you point me to the correct place in the source?

Thanks,
Bryan

From: [] On Behalf Of Bryan E. Wooten
Sent: Friday, June 21, 2013 8:27 AM
To: Shilen Patel;
Subject: RE: [grouper-users] Update on my AD PSP issue, some progress (New Update)

Ok, so I configured my sources.xml and ldap.properties to use AD instead of LDAP (I left all the psp*.xml files alone) and am able to provision a group to AD. Checking the wireshark trace I see that the cn equals the group name. This confirms my speculation below.

So for some reason when the subject source is ldap the cn gets set to uofu:bryan22:groupname, but when the subject source is AD the cn is set to just groupname. If someone can point me to the code that sets cn when the ldap addrequest is made I'll try and debug the cause.

This will be a show stopper for me if I can't find a work around. If I can't get the PSP to provision groups to AD with an LDAP source I'll probably be forced to write my own change log consumer or something.

I am sure I will run into similar issues when I try and add members to a group. But I'll save that hurdle for another day.

Thanks,
Bryan

From: Bryan E. Wooten
Sent: Thursday, June 20, 2013 4:37 PM
To: Shilen Patel; Bryan E. Wooten;
Subject: Re: [grouper-users] Update on my AD PSP issue, some progress

With the help of a colleague we noticed that the cn was passed as uofu:bryan22:group1 while the dn was cn=group1,ou=bryan22,ou=uofu,ou=groups,ou=grouper,dc=testad,dc=utah,dc=edu. We think the cn value is the problem.

I am going to reconfigure back to my known good AD provisioning (with AD subject source) and capture a group add request and do a comparison of the cn value passed. I'll do the test tomorrow and get back with an update.

From: Shilen Patel <>
Date: Thursday, June 20, 2013 4:08 PM
To: Bryan Wooten <>, "" <>
Subject: Re: [grouper-users] Update on my AD PSP issue, some progress

From the logs, what does the <addRequest> look like?

From: "Bryan E. Wooten" <>
Date: Thursday, June 20, 2013 4:20 PM
To: "" <>
Subject: [grouper-users] Update on my AD PSP issue, some progress

In case anyone is interested.

Thanks to Shilen I am able to have an LDAP subject source and use the PSP to provision stems as an OU to AD. The trick was to NOT change the <Service> id="ldap". I had thought I could change it to id="ad" and make adjustments in the other psp xml files.

My next step was to create a group in my new stem and provision that group to AD. The good news is that the PSP tried. The bad news is that I get an LDAP error:

    2013-06-20 13:35:24,604: [main] ERROR BaseSpmlProvider.execute(188) - - Target 'ldap' - Add AddResponse[pso=<null>,status=failure,error=customError,errorMessages={cn=g9,ou=bryan23,ou=uofu,OU=groups,OU=grouper,DC=testad,DC=utah,DC=edu: [LDAP: error code 34 - 00002081: NameErr: DSID-03050C42, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of: 'cn=g9,ou=bryan23,ou=uofu,OU=groups,OU=grouper,DC=testad,DC=utah,DC=edu'

I traced the request with wireshark and can see the add request and returned error. Looking at the request packet I don't see anything wrong (but I am not an expert at decoding the LDAP protocol).

I have successfully created groups in AD using the PSP (with an AD subject source), so I know the PSP can do it. As usual I have no clue what is causing this given that Grouper/PSP can successfully bind and create an OU.

Thanks for listening.
-Bryan
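The cn mismatch this thread tracks down, as an added example that is not Grouper or PSP code: group_dn, cn_value and check_add_request are hypothetical helpers that map a Grouper group name to the nested-OU DN quoted above, derive cn from either the group's full name or its extension (the two settings of edu.internet2.middleware.psp.cnSourceAttributeID discussed here), and flag an add request whose cn attribute does not match the RDN of its DN. The base DN is the one from the thread; the rest is constructed.

```python
"""Consistency check for a Grouper-to-AD group add request (added example,
not Grouper/PSP code). It models the mismatch found in the thread: the
full Grouper name 'uofu:bryan22:group1' was sent as cn while the DN's RDN
was cn=group1. The base DN is the one quoted in the thread."""

GROUP_BASE_DN = "ou=groups,ou=grouper,dc=testad,dc=utah,dc=edu"


def split_grouper_name(name: str):
    """'uofu:bryan22:group1' -> (['uofu', 'bryan22'], 'group1')."""
    parts = name.split(":")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a stem-qualified group name: {name!r}")
    return parts[:-1], parts[-1]


def group_dn(name: str, base_dn: str = GROUP_BASE_DN) -> str:
    """Nest one OU per stem (innermost stem first) under the base DN."""
    stems, extension = split_grouper_name(name)
    ous = ",".join(f"ou={s}" for s in reversed(stems))
    return f"cn={extension},{ous},{base_dn}"


def cn_value(name: str, source_attribute: str) -> str:
    """Model edu.internet2.middleware.psp.cnSourceAttributeID."""
    _, extension = split_grouper_name(name)
    if source_attribute == "extension":
        return extension
    if source_attribute == "name":
        return name
    raise ValueError(f"unsupported cnSourceAttributeID: {source_attribute!r}")


def rdn_value(dn: str):
    """Return (attribute, value) of the leftmost RDN of a simple DN."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def check_add_request(dn: str, attributes: dict) -> list:
    """The attribute named in the RDN must be present with the RDN's value."""
    problems = []
    attr, value = rdn_value(dn)
    if attr not in attributes:
        problems.append(f"RDN attribute {attr} missing from attributes")
    elif attributes[attr] != value:
        problems.append(f"{attr} attribute {attributes[attr]!r} differs "
                        f"from RDN value {value!r}")
    return problems
```

Running check_add_request over the DN and attributes an add request is about to carry catches the name-versus-extension mismatch before the directory does, for any target that enforces RDN/attribute agreement.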