Grouper Users - Open Discussion List

["Bee-Lindgren, Bert A" <>]

> our LDAP doesn't let us search on dn so we search against entryDN.

I'm used to the first and hadn't seen the second. I'll have to try it on some ldap servers. I wonder if that's why some LDAPs (AD) have dn and DistinguishedName? 

Anyway, PSPNG does searches in bulk and then sorts through the results in memory with unboundid's ability to run queries in memory. It is this second phase that is failing, hopefully just because EntryDn is not being brought into memory (your original theory). This will probably work if you can ask for entrydn when you do a normal ldapsearch.

If, indeed, entrydn is returned like any other attribute... Define a groupSearchAttributes property to be entryDn,cn,objectclass.

--Bert

---

From: Jeffrey Crawford <>
Sent: Tuesday, June 28, 2016 7:40 PM
To: Bee-Lindgren, Bert A
Cc: Gouper Users List
Subject: Re: [grouper-users] Re: PSPNG failing to create records that already exist

 

yes I do have something similar to what you posted. However our LDAP doesn't let us search on dn so we search against entryDN. We have to modify the dn string somewhat since we provision out from something higher than the root grouper tree:

(&(objectclass=groupOfNames)(entryDN=${utils.bushyDn(group.name, "cn", "ou").substring(0, utils.bushyDn(group.name, "cn", "ou").length()-15)},ou=svc,ou=groups,dc=ucsc,dc=edu))

Group Names | Name the Best Group Sites + Websites

group.name

Opinion.org is a collaborative research tool in its beta maintained and supported by a team of social researchers, political scientists and market analysts.

Jeffrey E. Crawford
Enterprise Service Team

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

On Tue, Jun 28, 2016 at 1:06 PM, Bee-Lindgren, Bert A <> wrote:

There appears to be a bug related to searching/matching based on DN. Is it true that your configuration includes something like the following?

changeLog.consumer.pspng_groupOfUniqueNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(dn=${utils.bushyDn(group.name, "cn", "ou")}))

If so (and gidNumber can't be used), I'll coordinate something so that the filter works.

Thanks,

  Bert

---

From: <> on behalf of Jeffrey Crawford <>
Sent: Tuesday, June 28, 2016 1:02 PM
To: Gouper Users List
Subject: [grouper-users] Re: PSPNG failing to create records that already exist

 

Bump :)

Jeffrey E. Crawford
Enterprise Service Team

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

On Fri, Jun 17, 2016 at 12:39 PM, Jeffrey Crawford <> wrote:

Greetings,

I've got the DN naming squared away but The system seems to be unable to understand that a group already exists. basically I'm finding the following in my LDAP logs:

[2016-Jun-17 12:30:23.863 -0700] SEARCH REQ conn=1663604 op=187 msgID=188 base="ou=svc,ou=groups,dc=ucsc,dc=edu" scope=wholeSubtree filter="(|(&(objectclass=groupOfNames)(entryDN=cn=group,ou=substem,ou=its,ou=svc,ou=groups,dc=ucsc,dc=edu)))" attrs="cn,gidNumber,samAccountName,objectclass,member"
[2016-Jun-17 12:30:23.863 -0700] SEARCH RES conn=1663604 op=187 msgID=188 result=0 nentries=1 etime=1
[2016-Jun-17 12:30:24.073 -0700] ADD REQ conn=1663603 op=193 msgID=194 dn="cn=group,ou=substem,ou=its,ou=svc,ou=groups,dc=ucsc,dc=edu"
[2016-Jun-17 12:30:24.073 -0700] ADD RES conn=1663603 op=193 msgID=194 result=68 message="The entry cn=group,ou=substem,ou=its,ou=svc,ou=groups,dc=ucsc,dc=edu cannot be added because an entry with that name already exists" etime=1

Is this a bug or do I need to make sure an additional attribute is being returned?

Jeffrey E. Crawford
Enterprise Service Team

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------