Subject: Grouper Users - Open Discussion List
- From: David Langenberg <>
- To: Rob Gorrell <>
- Cc: "" <>
- Subject: Re: [grouper-users] PSP provisioning to AD
- Date: Wed, 30 Oct 2013 12:38:04 -0600
On Wed, Oct 30, 2013 at 11:12 AM, Rob Gorrell <> wrote:
How do you know it got back a referral? Or is that what 0000202B: RefErr: DSID-031007EF means in Microsoft LDAP server speak? I am pointing grouper to a specific DC in the ldap.properties file...
Googled around & came up with (after reading several message boards regarding others having this issue):
Error 202B is ERROR_DS_REFERRAL
I'm not sure why it would be referring, nor have I dealt much with referrals in the context of a MS AD ldap server. This domain does indeed have 2 site boundaries, one site containing 3 DC's and the other site containing 2 DC's. The majority of everything existing in site 1 where I'm sending grouper. Site 2 is for ancillary purposes, but I could see why it fails if DC in site 1 is for some reason giving grouper a referral to DC 4 in site 2 (which would be unacceptable to grouper).
Perhaps the specific object it's trying to deal with only exists in site 2?
Also, is there a way to easily tell from the grouper psp specifically what LDAP operation against what LDAP dn is being performed/attempted at the time of failure?
It's a bit cryptic, but turning your logs to DEBUG for the PSP and VT-LDAP should get you what you're after.
On Fri, Oct 25, 2013 at 3:17 PM, David Langenberg <> wrote:
Looks like the PSP got back an LDAP Referral. Try pointing it directly at a specific DC.
Dave
--
On Fri, Oct 25, 2013 at 1:13 PM, Rob Gorrell <> wrote:
-Rob
Any suggestions on what might not be lining up here and what grouper is doing (presumably trying to create an OU in AD to match a stem) that's causing the ldap server to return a DSID-031007EF? I don't see any incorrect DN's listed in what's going on in the grouper error log.
Our domain, auth.uncg.edu, is pretty simple. All users are flat under an OU called accounts and all groups I want to be provisioned under a similar top level OU called groups. I've created a sub ou called grouper in the meantime as I don't want grouper to step on the manually created groups until we switchover.
So I've been watching the training videos and trying to learn more about the PSP and provisioning down to AD, but for whatever reason, am not having success in making the training video examples work in my environment. grouper appears to be connecting to my provisioning source, but is coming back with a custom error that I believe is related to a problem in an LDAP path/referrer according to the MS documentation of the error result being returned.
This is what's in my grouper error log:
my ldap.properties contains the following baseDN's:
<psp:bulkSyncResponse xmlns:psp='http://grouper.internet2.edu/psp' status='failure' requestID='2013/10/25-14:59:15.807' error='customError'>
<errorMessage>[LDAP: error code 10 - 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
ref 1: 'auth.uncg.edu'
David Langenberg
Identity & Access Management
The University of Chicago
--
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
PGP Key ID B36DB0CA
Identity & Access Management
The University of Chicago
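
As an added example (not part of the original thread, and not Grouper or PSP code), this Python snippet splits the Active Directory diagnostic string from the log excerpt above into its LDAP result code, Win32 code, DSID and referral targets, and checks whether a base DN sits under the domain named in the referral. The function names and the base DN in the demo are hypothetical; the DN is built from the OU layout described in the thread.

```python
import re

# Constructed sample: the errorMessage text from the log excerpt in this thread.
SAMPLE = ("[LDAP: error code 10 - 0000202B: RefErr: DSID-031007EF, data 0, "
          "1 access points\n\tref 1: 'auth.uncg.edu'")

LDAP_REFERRAL = 10          # LDAP resultCode "referral" (RFC 4511)
ERROR_DS_REFERRAL = 0x202B  # Win32 code named in the thread

_HEAD = re.compile(
    r"error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), data (?P<data>[0-9A-Fa-f]+)")
_REF = re.compile(r"ref \d+: '([^']*)'")


def parse_ad_error(message):
    """Split an AD LDAP diagnostic message into its fields, or return None."""
    m = _HEAD.search(message)
    if m is None:
        return None
    ldap = int(m.group("ldap"))
    win32 = int(m.group("win32"), 16)  # leading 8 hex digits are the Win32 code
    return {
        "ldap_code": ldap,
        "win32_code": win32,
        "kind": m.group("kind"),
        "dsid": m.group("dsid"),
        "referrals": _REF.findall(message),
        "is_referral": ldap == LDAP_REFERRAL or win32 == ERROR_DS_REFERRAL,
    }


def domain_to_dn(domain):
    """auth.uncg.edu -> DC=auth,DC=uncg,DC=edu"""
    return ",".join("DC=" + label for label in domain.strip(".").split("."))


def under_referred_domain(base_dn, referral_host):
    """True if base_dn ends in the naming context derived from the referral.
    Naive comma split: DNs with escaped commas are not handled."""
    norm = lambda dn: [rdn.strip().lower() for rdn in dn.split(",")]
    suffix = norm(domain_to_dn(referral_host))
    return norm(base_dn)[-len(suffix):] == suffix


if __name__ == "__main__":
    info = parse_ad_error(SAMPLE)
    print(info)
    # Hypothetical base DN built from the OU layout described in the thread.
    print(under_referred_domain("OU=grouper,OU=groups,DC=auth,DC=uncg,DC=edu",
                                info["referrals"][0]))
```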