
grouper-users - [grouper-users] RE: LDAP Loader and AD ranged attributes

Subject: Grouper Users - Open Discussion List


[grouper-users] RE: LDAP Loader and AD ranged attributes

  • From: "Hyzer, Chris" <>
  • To: "Redman, Chad Eric" <>, grouper-users <>
  • Subject: [grouper-users] RE: LDAP Loader and AD ranged attributes
  • Date: Thu, 26 Jan 2017 17:34:40 +0000

To be consistent with Grouper, if you misspell a class in a config, or if it can't find it, it should throw an exception… Note, e.printStackTrace() and System.out or System.err shouldn’t be used, so if swallowing an exception it needs to be logged with the logger.


If it's in the code, it's supported.  If you want to add to docs that would be great!





From: Redman, Chad Eric [mailto:]
Sent: Thursday, January 26, 2017 10:12 AM
To: Hyzer, Chris <>; grouper-users <>
Subject: RE: LDAP Loader and AD ranged attributes


Thanks! Your change looks a lot cleaner, and I'll try it out when I can. I'll try how it handles an invalid class name in the field; it should be non-functional either way, but leaving the exception uncaught may be a harder stop.


In the ticket, I wondered if using the property readers directly from vt-ldap would be a better long-term fix, since it would allow all its properties to be set, instead of passing a partial set through Grouper translations of them. Right after that, I noticed there is an ldap.*.configFileFromClasspath property that can nearly do this already -- it's just the validator that would still need a custom handling. Is this something supported? I didn't see it documented in the wiki or mentioned on the mailing lists.





From: Hyzer, Chris []
Sent: Thursday, January 26, 2017 2:38 AM
To: Redman, Chad Eric <>; grouper-users <>
Subject: RE: LDAP Loader and AD ranged attributes


Thanks for the contribution Chad.  I modified it slightly (please review), and put it in patch api 2.3.0 #50





From: [] On Behalf Of Hyzer, Chris
Sent: Tuesday, January 24, 2017 4:06 PM
To: Redman, Chad Eric <>; grouper-users <>
Subject: [grouper-users] RE: LDAP Loader and AD ranged attributes


Yes please for pull request


From: [] On Behalf Of Redman, Chad Eric
Sent: Tuesday, January 24, 2017 3:34 PM
To: grouper-users <>
Subject: [grouper-users] LDAP Loader and AD ranged attributes




We have some LDAP loader jobs that query AD for subjects. An issue we found when going to production was that our AD source returns a ranged attribute for a membership field when there are over 1500 members. What this means is that the attribute returned from the query is not "member" but "member;range=0-1499". The client is then expected to do further queries to get the rest of the members, e.g. "member;range=1500-*" and so on.


The closest mention I could find for this problem was a 2009 post mentioning a custom result handler for LDAPPC that could handle ranged results. We applied a similar solution to the LDAP Loader. We created a custom RangeSearchResultHandler class (based on the one from to handle the non-standard attribute label and the loop to get the results. The vt-ldap config has an option (searchResultHandlers) for a multi-valued list of search result handler classes. However, we needed to patch the Grouper code so that it could handle a new ldap.*.searchResultHandlers property in the file and pass it on to the LDAP config.


Has anyone come across the same issue in getting large result sets from AD? Has this already been solved? I tried the other recommended methods of setting pagedResultsSize, referral, and/or batchSize, with no success. From a debug session, it looks like they all fail to account for "member;range=0-1499" really being the member field.


I can put a pull request together, if this is something useful outside of our own installation.
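
The range retrieval loop described in the original message above, as an added example (not part of the thread, and not Grouper or vt-ldap code): a client that looks only for an attribute named exactly `member` misses the values of a large group, so the reader has to recognise `member;range=low-high` and keep asking until the server answers with `*`. `fetch` and `make_fake_ad` are hypothetical stand-ins for one LDAP read, backed by a constructed in-memory directory with a limit of 1500 values per read.

```python
import re

# AD ranged attribute description, e.g. "member;range=0-1499" or "member;range=1500-*"
RANGED = re.compile(r"^([^;]+);range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def parse_ranged(attr_desc):
    """Return (base, low, high) or None; high is None for the final "*" chunk."""
    m = RANGED.match(attr_desc)
    if not m:
        return None
    return m.group(1), int(m.group(2)), None if m.group(3) == "*" else int(m.group(3))

def read_all_values(fetch, base="member"):
    """Collect every value of `base`, following range continuations.

    `fetch(attr_desc)` is a hypothetical callback standing in for one LDAP read
    of a single entry; it returns {returned_attribute_description: [values]}.
    """
    values, request = [], base
    while True:
        for desc, chunk in fetch(request).items():
            if desc.lower() == base.lower():
                return values + list(chunk)         # small group: not ranged
            parsed = parse_ranged(desc)
            if parsed and parsed[0].lower() == base.lower():
                values.extend(chunk)
                if parsed[2] is None or not chunk:  # "*" marks the last chunk
                    return values
                request = f"{base};range={parsed[2] + 1}-*"
                break
        else:
            return values                           # attribute not present

def make_fake_ad(members, max_range=1500):
    """Constructed stand-in for AD: at most `max_range` values per read."""
    def fetch(attr_desc):
        parsed = parse_ranged(attr_desc)
        low = parsed[1] if parsed else 0
        chunk = members[low:low + max_range]
        if not parsed and len(members) <= max_range:
            return {"member": chunk}
        high = "*" if low + max_range >= len(members) else str(low + len(chunk) - 1)
        return {f"member;range={low}-{high}": chunk}
    return fetch

if __name__ == "__main__":
    group = [f"CN=user{i},OU=People,DC=example,DC=edu" for i in range(3200)]  # constructed
    fetch = make_fake_ad(group)
    print(list(fetch("member")))        # attribute names returned by a naive read
    print(len(read_all_values(fetch)))  # number of members after following ranges
```
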



