
grouper-users - Re: [grouper-users] PSP provisioning to AD

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] PSP provisioning to AD

  • From: Rob Gorrell <>
  • To: David Langenberg <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] PSP provisioning to AD
  • Date: Wed, 30 Oct 2013 13:12:03 -0400

How do you know it got back a referral? Or is that what 0000202B: RefErr: DSID-031007EF means in Microsoft LDAP server speak? I am pointing Grouper to a specific DC in the file...

I'm not sure why it would be referring, nor have I dealt much with referrals in the context of an MS AD LDAP server. This domain does indeed have 2 site boundaries, one site containing 3 DCs and the other site containing 2 DCs. The majority of everything exists in site 1, where I'm sending Grouper. Site 2 is for ancillary purposes, but I could see why it fails if a DC in site 1 is for some reason giving Grouper a referral to DC 4 in site 2 (which would be unacceptable to Grouper).

Also, is there a way to easily tell from the Grouper PSP specifically what LDAP operation against what LDAP DN is being performed/attempted at the time of failure?


On Fri, Oct 25, 2013 at 3:17 PM, David Langenberg <> wrote:
Looks like the PSP got back an LDAP Referral.  Try pointing it directly at a specific DC.


On Fri, Oct 25, 2013 at 1:13 PM, Rob Gorrell <> wrote:
So I've been watching the training videos and trying to learn more about the PSP and provisioning down to AD, but for whatever reason, am not having success in making the training video examples work in my environment. Grouper appears to be connecting to my provisioning source, but is coming back with a custom error that I believe is related to a problem in an LDAP path/referrer according to the MS documentation of the error result being returned. This is what's in my Grouper error log:
<psp:bulkSyncResponse xmlns:psp='' status='failure' requestID='2013/10/25-14:59:15.807' error='customError'>
  <errorMessage>[LDAP: error code 10 - 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
        ref 1: ''

my contains the following baseDN's:

Our domain,, is pretty simple. All users are flat under an OU called accounts and all groups I want to be provisioned under a similar top level OU called groups. I've created a sub ou called grouper in the meantime as I don't want grouper to step on the manually created groups until we switchover.

Any suggestions on what might not be lining up here and what Grouper is doing (presumably trying to create an OU in AD to match a stem) that's causing the LDAP server to return a DSID-031007EF? I don't see any incorrect DNs listed in what's going on in the Grouper error log.


Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro

David Langenberg
Identity & Access Management
The University of Chicago

Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
