Subject: Grouper Users - Open Discussion List
- From: "Hyzer, Chris" <>
- To: Rob Gorrell <>, "" <>
- Subject: RE: [grouper-users] Grouper Loader LDAP and AD page size limitations
- Date: Thu, 4 Aug 2016 16:41:40 +0000
Try setting this in the grouper-loader.properties for that ldap connection (i.e. substitute “personLdap” for the name of your ldap config if it's not personLdap :) ):
# if there is a max size limit on ldap server, then this will retrieve results in pages
#ldap.personLdap.pagedResultsSize =
Thanks
Chris
From: [mailto:]
On Behalf Of Rob Gorrell
Sent: Wednesday, August 03, 2016 9:20 AM
To:
Subject: [grouper-users] Grouper Loader LDAP and AD page size limitations
I was trying to do a SIMPLE_LDAP loader job to load the disabled users in our AD (userAccountControl attribute) and couldn't figure out why it failed to load any members. After searching around a bit I realized we have over 1000 disabled users matching this LDAP query, and I remembered AD has a default server-side limit of 1000 entries as the maximum number of results that are returned in a single LDAP request. Sure enough, when I enabled debug logging, I see Grouper hitting a Sizelimit Exceeded.
So, my question is, without modifying my LDAP filter to return less than 1000 results, is there a way to make Grouper LDAP client do some sort of Paged Results control so I can load large groups against an AD LDAP directory?
2016-08-03 08:54:52,400: [main] DEBUG AbstractResultHandler.process(95) - - Ignoring naming exception
javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3084)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:147)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:216)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:189)
at edu.vt.middleware.ldap.handler.AbstractResultHandler.process(AbstractResultHandler.java:83)
at edu.vt.middleware.ldap.AbstractLdap.search(AbstractLdap.java:231)
at edu.vt.middleware.ldap.Ldap.search(Ldap.java:431)
at edu.vt.middleware.ldap.Ldap.search(Ldap.java:347)
at edu.vt.middleware.ldap.Ldap.search(Ldap.java:273)
at edu.internet2.middleware.grouper.ldap.LdapSession$1.callback(LdapSession.java:289)
at edu.internet2.middleware.grouper.ldap.LdapSession.callbackLdapSession(LdapSession.java:236)
at edu.internet2.middleware.grouper.ldap.LdapSession.list(LdapSession.java:271)
at edu.internet2.middleware.grouper.app.loader.db.GrouperLoaderResultset.<init>(GrouperLoaderResultset.java:345)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:746)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJobLdap(GrouperLoaderJob.java:571)
at edu.internet2.middleware.grouper.app.loader.GrouperLoader.runJobOnceForGroup(GrouperLoader.java:1008)
at edu.internet2.middleware.grouper.app.gsh.loaderRunOneJob.invoke(loaderRunOneJob.java:57)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at bsh.Reflect.invokeMethod(Unknown Source)
at bsh.Reflect.invokeStaticMethod(Unknown Source)
at bsh.Reflect.invokeCompiledCommand(Unknown Source)
at bsh.Name.invokeLocalMethod(Unknown Source)
at bsh.Name.invokeMethod(Unknown Source)
at bsh.BSHMethodInvocation.eval(Unknown Source)
at bsh.BSHPrimaryExpression.eval(Unknown Source)
at bsh.BSHPrimaryExpression.eval(Unknown Source)
at bsh.Interpreter.eval(Unknown Source)
at bsh.Interpreter.eval(Unknown Source)
at bsh.Interpreter.eval(Unknown Source)
at edu.internet2.middleware.grouper.app.gsh.ShellHelper.eval(ShellHelper.java:63)
at edu.internet2.middleware.grouper.app.gsh.GrouperShell.run(GrouperShell.java:429)
at edu.internet2.middleware.grouper.app.gsh.GrouperShell.grouperShellHelper(GrouperShell.java:232)
at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:162)
at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31)
2016-08-03 08:54:52,403: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1948) - - loader:refDisabledAccounts start syncing membership
2016-08-03 08:54:52,403: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1964) - - loader:refDisabledAccounts syncing 0 rows
2016-08-03 08:54:52,405: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2077) - - Done assigning privilege to related groups: loader:refDisabledAccounts
2016-08-03 08:54:52,412: [main] INFO GrouperLoaderType.syncOneGroupMembership(2347) - - loader:refDisabledAccounts done syncing membership, processed 0 records. Total members: 0, inserts: 0, deletes: 0
--
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
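
The log excerpt in the thread shows the size-limit error being ignored and the job then completing its sync with 0 records. The following is an added example, not part of the thread or of Grouper, that scans a loader debug log for that pattern; the sample lines are constructed from the excerpt, and the `loader:refStaff` line is invented for contrast.

```python
import re

# Constructed sample: lines trimmed from the excerpt in the thread, plus one
# invented healthy job (loader:refStaff) for contrast.
SAMPLE_LOG = """\
2016-08-03 08:54:52,400: [main] DEBUG AbstractResultHandler.process(95) - - Ignoring naming exception
javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name ''
2016-08-03 08:54:52,403: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1964) - - loader:refDisabledAccounts syncing 0 rows
2016-08-03 08:54:52,412: [main] INFO GrouperLoaderType.syncOneGroupMembership(2347) - - loader:refDisabledAccounts done syncing membership, processed 0 records. Total members: 0, inserts: 0, deletes: 0
2016-08-03 09:10:01,120: [main] INFO GrouperLoaderType.syncOneGroupMembership(2347) - - loader:refStaff done syncing membership, processed 412 records. Total members: 412, inserts: 3, deletes: 1
"""

# Timestamped log entry: "<timestamp>: [<thread>] LEVEL ..."
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}): \[([^\]]+)\] ")
SIZE_LIMIT = re.compile(r"SizeLimitExceededException|LDAP: error code 4\b")
DONE = re.compile(r" - - (\S+) done syncing membership, processed (\d+) records\. "
                  r"Total members: (\d+)")

def find_truncated_loads(log_text):
    """Return loader jobs that finished after a swallowed LDAP size-limit error."""
    findings = []
    pending = {}     # thread -> timestamp of the entry that carried the error
    current = None   # (timestamp, thread) of the latest timestamped entry
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = entry.groups()
        if current is None:
            continue
        ts, thread = current
        # The exception text sits on a continuation line with no timestamp,
        # so it is attributed to the entry that precedes it.
        if SIZE_LIMIT.search(line):
            pending.setdefault(thread, ts)
        done = DONE.search(line)
        if done and thread in pending:
            findings.append({
                "group": done.group(1),
                "error_at": pending.pop(thread),
                "done_at": ts,
                "processed": int(done.group(2)),
                "total_members": int(done.group(3)),
            })
    return findings

if __name__ == "__main__":
    for f in find_truncated_loads(SAMPLE_LOG):
        print("possible truncated load:", f)
```

A hit means the membership written for that group may not reflect the directory, which matters when the group (here, disabled accounts) feeds access decisions downstream.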