grouper-users - Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16]
Subject: Grouper Users - Open Discussion List
List archive
- From: Julio Macavilca <>
- To: "Bee-Lindgren, Bert A" <>
- Cc: Grouper Users <>
- Subject: Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16]
- Date: Mon, 18 Sep 2017 21:56:00 -0400
- Ironport-phdr: 9a23:VCocxxHaKCLIeU5t8FPVS51GYnF86YWxBRYc798ds5kLTJ76p8u8bnLW6fgltlLVR4KTs6sC0LuG9fi4EUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQtFiT6+bL9oMBm6sRjau9ULj4dlNqs/0AbCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUjm58axlVAHnhzsGNz4h8WHYlMpwjL5AoBm8oxBz2pPYbJ2JOPZ7eK7WYNEUSndbXstJVSNBDIOyYYUMAeQcI+hXs5LwqEESoRakHwSgGP/jxz1Oi3Tr3aM6yeMhEQTe0QIkAtIOtHXUrNLoP6kVS++60LPHzSvCb/NSxTjy8pXDfxcjofGRWbJwcM3RxFIpFwLFk1Wcs5LqMC6I1ukUtWWQ8uRuVeWqi2E9qgFxpCCixsUriobSnIIV11bE9T55wIkrId24TFR3YcS5EJdIuCGaLYx2Qt46Q252oiY20KcJuYajfCQSyZQnwQLfZOKdc4iO/B3jSPidLS1mi314ZbKznxCy8Ei9yuHmSMa7zUtKojJYktXWqH8CygHT5tCFSvt65UihwyuP1wbI6uFEP080ka7bJ4Q7wr4tkJofqUvDHjXxmEXrlK+ZaF8k9vKu6+v9Z7XpuIeQN4B1igHiMqQuh9ewDf4kPQgJWmiX4eu81Kfk/U3kWLVGlPs2nbPcsJ/EPcgaprO5DxVL3Yk+9hayCSqt3tcAnXQfMl5IeQ6LgorsNlHAI/33FuuzjlGjnTt32/zKILjsDYnRInXDlbrseKhx5kBcxQc10NtR/YhbCqsbL/L2QkLxtMLXDhs+MwGsxuboEtR91ocHVWOPDK6VLLresFCW6u8hI+SAfoAVuDH6K/gq4/7hk2U1lkMafamsxZcXaXa4Eep6I0iBf3bhg8sNHGUPswowT+Hlk0GOXDtcanquQ64w+DQ2B566AYrDQ42ghaKN0Sm7E5FOY2BJEFGMEXPmd4WeXPcMbTqfIs1kkjEEVLWsSpMt2AqotA761rprNPTb9TAFtZ77zth6+/XTlQ0u9TxzF8md3HuNT2ZpnmMQWTA2xrlzoVFmylidy6h4mOdVFdhS5/NSTgc6LoDQw/Z7C9D0RgLOYM2JSFC4TdW6Hz09VMw+zMITYxU1J9L3xDrO0m+OArkZmKaGAth82K/GwzDYbY4pwXvcyO8rglRjRspJOWK8i6hX8AnPQYHAj0iSl+CneblKjxTA7GOS8W3bvlxcUQlYV7TYG30Texj4t9P8s2HfS76pQZEuOQJfyMqJI+MeaMDtjFJuQub+ftnSfjTiyC+LGR+Uy+bUP8LRcGIH0XCYURBcng==
Julio,
I found two filter syntaxes that should improve the behavior and, if so, which can then be patched into the utils.bushyDn function.
Please try either of these:${utils.escapeLdapFilter( "${utils.bushyDn(group.name, "cn", "ou")}" )}orThanks,Bert
From: Julio Macavilca <>
Sent: Wednesday, September 6, 2017 4:27 PM
To: Bee-Lindgren, Bert A
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16]I just gave it a try but this time I'm not able to even create the group as per the error below:
2017-09-06 16:10:55,583: [DefaultQuartzScheduler_Worker
-7] ERROR Provisioner.evaluateJexlExpres sion(556) - - Jexl _expression_ (&(objectclass=groupOfNames)(e ntryDN=${utils.escapeLdapFilte r(${utils.bushyDn(group.name, "cn", "ou")})},ou=test,o=nyu.edu,o=n yu)) could not be evaluated for subject 'null/null' and group 'test:This_-_is_Not,_Vanilla32 /null' which used variableMap '{idIndex=18222, userSearchBaseDn=ou=people,o=n yu.edu ,o=nyu, groupAttributes={}, groupCreationBaseDn=ou=test,o=nyu.edu ,o=nyu, stemAttributes={}, utils=edu.internet2.middleware.grouper.pspng.PspJexlUtils@ 1a710d5, groupSearchBaseDn=ou=test,o=ny u.edu ,o=nyu, name=test:This_-_is_Not,_Vanilla32, provisionerName=pspng_ldap, group=Group[name=test:This_-_i s_Not,_Vanilla32,uuid=26ebc59a 7d4a4d3fb9d2dafffb88819d], provisionerType=LdapGroupProvi sioner}'
Academics. Our world-class students, faculty, and scholars expect high achievement in pursuit of engaging the world's diverse challenges.
Academics. Our world-class students, faculty, and scholars expect high achievement in pursuit of engaging the world's diverse challenges.
Academics. Our world-class students, faculty, and scholars expect high achievement in pursuit of engaging the world's diverse challenges.
Academics. Our world-class students, faculty, and scholars expect high achievement in pursuit of engaging the world's diverse challenges.
java.lang.RuntimeException: Error substituting string: '${utils.escapeLdapFilter(cn=This_-_is_Not\,_Vanilla32)}'
at edu.internet2.middleware.grouper.util.GrouperUtil.substitute ExpressionLanguage(GrouperUtil .java:9341)
at edu.internet2.middleware.grouper.pspng.Provisioner.evaluateJ exlExpression(Provisioner. java:537)
at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. getGroupLdapFilter(LdapGroupPr ovisioner.java:495)
at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. fetchTargetSystemGroups(LdapGr oupProvisioner.java:449)
at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:721)
at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner. java:475)
at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1373)
at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 )
at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$5.runJob(GrouperLoaderType. java:720)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 462)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob. java:342)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run( SimpleThreadPool.java:573)
Caused by: org.apache.commons.jexl2.JexlException: edu.internet2.middleware.group er.util.GrouperUtil.substitute ExpressionLanguage@9286 tokenization failed
at org.apache.commons.jexl2.JexlEngine.parse(JexlEngine.java: 812)
at org.apache.commons.jexl2.JexlEngine.createExpression(JexlEng ine.java:384)
at org.apache.commons.jexl2.JexlEngine.createExpression(JexlEng ine.java:368)
at edu.internet2.middleware.grouper.util.GrouperUtil.substitute ExpressionLanguage(GrouperUtil .java:9286)
... 13 more
Caused by: org.apache.commons.jexl2.parser.TokenMgrError: Lexical error at line 1, column 40. Encountered: "\\" (92), after : ""
at org.apache.commons.jexl2.parser.ParserTokenManager.getNextTo ken(ParserTokenManager.java: 3053)
On Wed, Sep 6, 2017 at 3:56 PM, Bee-Lindgren, Bert A <> wrote:
I think I see that the filter escaping within bushyDn is happening at the wrong time. Let's manually adjust the filter escaping to verify the problem and then I'll patch bushyDn:
replace
${utils.bushyDn(group.name, "cn", "ou", true, true)}with
${utils.escapeLdapFilter(${utils.bushyDn(group.name, "cn", "ou")} )}
Thanks yet again!,
Bert
From: Julio Macavilca <>
Sent: Wednesday, September 6, 2017 3:40 PM
To: Bee-Lindgren, Bert A
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16]Sounds good, so I set singleGroupSearchFilter only and another time along with groupCreationLdifTemplate) to ${utils.bushyDn(group.name, "cn", "ou", true, true)} but the search still appears to not be adding the \5c 2017-09-06 14:46:51,128: [DefaultQuartzScheduler_Worker
-10] DEBUG Provisioner.evaluateJexlExpres sion(538) - - Evaluated Jexl _expression_: cn=This_-_is_Not\,_Vanilla29,o u=test FROM ${utils.bushyDn(group.name, "cn", "ou", true, true)} .... ....
2017-09-06 14:46:51,129: [DefaultQuartzScheduler_Worker
-10] DEBUG LdapGroupProvisioner.fetchTarg etSystemGroups(451) - - pspng_ldap: Searching for group app:pspngtest:ad:This_-_is_Not ,_Vanilla29 with:: [org.ldaptive.SearchFilter@-20 50519868::filter=(&(objectclas s=groupOfNames)(entryDN=cn=Thi s_-_is_Not\,_Vanilla29,ou=test ,o=nyu.edu,o=nyu)), parameters={}]
About NYU. Connecting talented and ambitious people in the world's greatest cities, our mission is to be a top quality institution.2017-09-06 14:46:51,130: [DefaultQuartzScheduler_Worker
-10] DEBUG LdapSystem.performLdapSearchRe quest(424) - - Doing ldap search: [org.ldaptive.SearchFilter@-20 50519868::filter=(&(objectclas s=groupOfNames)(entryDN=cn=Thi s_-_is_Not\,_Vanilla29,ou=test ,o=nyu.edu,o=nyu)), parameters={}] / o=nyu.edu,o=nyu / [entrydn, cn, objectclass, member]
About NYU. Connecting talented and ambitious people in the world's greatest cities, our mission is to be a top quality institution.
About NYU. Connecting talented and ambitious people in the world's greatest cities, our mission is to be a top quality institution.2017-09-06 14:46:51,141: [DefaultQuartzScheduler_Worker
-10] DEBUG LdapSystem.performLdapSearchRe quest(447) - - Not using ldap search-result paging 2017-09-06 14:46:51,145: [DefaultQuartzScheduler_Worker
-10] DEBUG LdapGroupProvisioner.fetchTarg etSystemGroups(472) - - pspng_ldap: Group search did not return any results
On Wed, Sep 6, 2017 at 2:13 PM, Bee-Lindgren, Bert A <> wrote:
Julio,
In order to generate the \5c syntax, please try using true & true in the bushyDn parameters in the filter properties.
Thanks,
Bert
From: Julio Macavilca <>
Sent: Wednesday, September 6, 2017 12:07 PM
To: Bee-Lindgren, Bert A
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16]Gotcha, the first one comes back with a "Bad search filter" and the second one returns no results and lastly, I tried:'entryDN=cn=This_-_is_Not\5c,_
Vanilla28, ou=test,o=nyu.edu,o=nyu'
About NYU. Connecting talented and ambitious people in the world's greatest cities, our mission is to be a top quality institution.and this works and comes back with the attributes.
On Wed, Sep 6, 2017 at 11:12 AM, Bee-Lindgren, Bert A <> wrote:
I'm sorry that I wasn't clear about baseDn and filter.
Can you try these:
ldapsearch ... -b ou=test,o=nyu.edu,o=nyu 'entryDN=cn=This_-_is_Not\,_Va
nilla20,ou=test,o=nyu.edu,o=ny u' cn
[Theoretically, this duplicates what pspng is doing without the new parameters and will not return the group]
and (without escaping)
ldapsearch ... -b ou=test,o=nyu.edu,o=nyu 'entryDN=cn=This_-_is_Not,_Vanilla20,ou=test,o=nyu.edu,o=nyu ' cn [My idea is that this will work]
Finally, your logs look like the second search won't work. :-(
From: Julio Macavilca <>
Sent: Wednesday, September 6, 2017 10:53 AM
To: Bee-Lindgren, Bert A
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16]Thanks Bert. The ldapsearch without the scape character (e.g. set as base dn "cn=This_-_is_Not\,_Vanilla28,ou=test,o=nyu.edu,o=nyu" to lookup the description attribute) and I get back "result: 34 Invalid DN syntax". The one with the scape character comes back successful (err=0) and comes back with the value.
Just to confirm, I've been applying the additional parameters to both singleGroupSearchFilter and groupCreationLdifTemplate
and in the grouper logs I am seeing2017-09-06 02:39:51,843: [DefaultQuartzScheduler_Worker-5] DEBUG LdapSystem.performLdapSearchRe quest(424) - - Doing ldap search: [org.ldaptive.SearchFilter@372 787093::filter=(&(objectclass= groupOfNames)(entryDN=
cn=This_-_is_Not\,_Vanilla28,ou=test,o=nyu.edu,o=nyu)), parameters={}] / ou=nyu,ou=Groups,o=nyu.edu,o=n yu / [entrydn, cn, objectclass, member]
2017-09-06 02:39:51,857: [DefaultQuartzScheduler_Worker-5] DEBUG LdapSystem.performLdapSearchRe quest(447) - - Not using ldap search-result paging
2017-09-06 02:39:51,874: [DefaultQuartzScheduler_Worker-5] DEBUG LdapGroupProvisioner.fetchTarg etSystemGroups(472) - - pspng_ldap: Group search did not return any results And it then tries to provision the group rather than just adding the member
On the ldap side, I saw these operations, this lookup on the group[06/Sep/2017:02:39:51 -0400] conn=4199 op=20 msgId=21 - SRCH base="ou=nyu,ou=groups,o=nyu.edu,o=nyu" scope=2 filter="(&(objectClass=groupOf Names)(entrydn=cn=This_-_is_No t,_Vanilla28,ou=test,o=nyu.edu ,o=nyu))" attrs="entrydn cn objectClass member"
[06/Sep/2017:02:39:51 -0400] conn=4199 op=20 msgId=21 - RESULT err=0 tag=101 nentries=0 etime=0
And this is the behavior once it gets stuck, it tries to add the group but it's already there even though I was just adding a member.[06/Sep/2017:02:39:52 -0400] conn=4198 op=12 msgId=13 - ADD dn="cn=This_-_is_Not\5c,_Vanilla28,ou=test,o=nyu.edu,o=nyu" [06/Sep/2017:02:39:52 -0400] conn=4198 op=12 msgId=13 - RESULT err=68 tag=105 nentries=0 etime=0 csn=59af9838000000030000
I hope this helps, thanks again!
On Sat, Sep 2, 2017 at 10:19 PM, Bee-Lindgren, Bert A <> wrote:
Julio,
Thanks again for the logging details!
PSPNG Patch #16 adds some optional parameters to utils.bushyDn( ):
Old parameters (that continue to work, of course):utils.bushyDn(group.name,"cn","ou")
New parameters:utils.bushyDn(group.name,"cn","ou", performRdnEscaping, performLdapEscaping)
(The default values for these are performRdnEscaping=true, performLdapEscaping=false)
I think that your NYU configuration will benefit from false/false for these settings, particularly if the second ldap search I asked about earlier works.
Please let us know what happens!
--Bert
From: <> on behalf of Bee-Lindgren, Bert A <>
Sent: Saturday, September 2, 2017 7:28 PM
To:
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issueJulio,
I've been racking my brain and test harness on this. My best idea is that the entrydn search filter on your ldap server flavor is actually looking to match the backslash in the dn.
To verify this, I could use your help in trying a couple ldap searches:
entryDN=cn=This_-_is_Not\,_Van
illa20,ou=test,o=nyu.edu,o=nyu [Theoretically, this duplicates what pspng is doing and will not return the group]
and (without escaping)
entryDN=cn=This_-_is_Not,_Vanilla20,ou=test,o=nyu.edu,o=nyu [My idea is that this will work]
Now, running the first search from a command-line ldapsearch command will require the filter to be in quotes to protect the backslash from the shell.
In the meantime, I'm going to package a patch with a bushyDn function that will enable escaping controls.
Thank you,Bert
From: Julio Macavilca <>
Sent: Thursday, August 17, 2017 10:42 AM
To: Bee-Lindgren, Bert A
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issueI ended up turning the log level to debug as some of the debugging lines applied in the patch are set at this level. When I grep for "enableBulkGroupSearching" in grouper_error.log, I see that the config is being read:
2017-08-16 15:12:53,696: [DefaultQuartzScheduler_Worker
-8] DEBUG LdapGroupProvisionerConfigurat ion.readConfiguration(197) - - Ldap Group Provisioner pspng_ldap - Setting enableBulkGroupSearching to true 2017-08-16 15:12:53,832: [DefaultQuartzScheduler_Worker
-8] INFO LdapSystem.buildLdapConn ectionPool(92) - - Setting up LDAP Connection with properties: {org.ldaptive.ldapUrl=ldaps:// devldap:636, org.ldaptive.enableBulkGroupSe arching=true, org.ldaptive.searchResultPagin gEnabled=false, org.ldaptive.baseDn=ou=zz,o=zz z,o=nyu, org.ldaptive.bindDn=uid=zzzz, org.ldaptive.bindCredential=zz zzz} Or
2017-08-16 15:59:51,331: [DefaultQuartzScheduler_Worker
-9] DEBUG LdapGroupProvisionerConfigurat ion.readConfiguration(197) - - Ldap Group Provisioner pspng_ldap - Setting enableBulkGroupSearching to false
The debug lines added in GRP-1588 display when I create a "vanilla" group (without the need for scape chars) then I can see these lines, with or without members in int.
2017-08-16 16:55:57,835: [DefaultQuartzScheduler_Worker
-1] DEBUG LdapGroupProvisioner.fetchTarg etSystemGroups(451) - - pspng_ldap: Searching for group test:thisisvanilla with:: [org.ldaptive.SearchFilter@166 5898991::filter=(&(objectclass =groupOfNames)(entryDN=cn=this isvanilla,ou=test,ou=nyu,ou=Gr oups,o=nyu.edu,o=nyu)), parameters={}] 2017-08-16 16:55:57,863: [DefaultQuartzScheduler_Worker
-1] DEBUG LdapGroupProvisioner.fetchTarg thisisvanilla,ou=test,ou=nyetSystemGroups(462) - - pspng_ldap: Group search returned cn= u,ou=groups,o=nyu.edu,o=nyu Here I create a group with no members in it that requires escape characters and it is successful:
2017-08-16 17:01:51,700: [DefaultQuartzScheduler_Worker
-5] DEBUG LdapGroupProvisioner.fetchTarg etSystemGroups(451) - - pspng_ldap: Searching for group test:This_-_is_Not,_Vanilla20 with:: [org.ldaptive.SearchFilter@-17 15593699::filter=(&(objectclas s=groupOfNames)(entryDN=cn=Thi s_-_is_Not\,_Vanilla20,ou=test ,o=nyu.edu,o=nyu)), parameters={}]
But this debug line below did not print out in the logs as is the case above:
DEBUG LdapGroupProvisioner.fetchTarg
etSystemGroups(462) - .....
So, creating a group with no members requiring escape chars is successful but when I go back 10 minutes later to add a member, that's when it fails as it tries to create the group again, see below before it throws LDAP 68 and changelog consequently stuck.
2017-08-16 15:16:52,161: [DefaultQuartzScheduler_Worker-10] DEBUG Provisioner.shouldGroupBeProvi sioned(1318) - - pspng_ldap: Group test:This_-_is_Not,_Vanilla21 matches group-selection filter. 2017-08-16 15:16:52,162: [DefaultQuartzScheduler_Worker-10] INFO LdapGroupProvisioner.createGr oup(299) - - Creating LDAP group for GrouperGroup: test:This_-_is_Not,_Vanilla21 2017-08-16 15:16:52,334: [DefaultQuartzScheduler_Worker-10] DEBUG Provisioner.evaluateJexlExpres sion(538) - - Evaluated Jexl _expression_: cn=This_-_is_Not\,_Vanilla21,o u=test FROM ${utils.bushyDn(grouper.name, "cn", "ou")} WITH variables {idIndex=17889, userSearchBaseDn=ou=people,o=n yu.edu ,o=nyu, groupAttributes={}, groupCreationBaseDn=ou=test,o=nyu.edu ,o=nyu, stemAttributes={}, utils=edu.internet2.middleware.grouper.pspng.PspJexlUtils@40 b0c0, groupSearchBaseDn=ou=test,o=ny u.edu ,o=nyu, name=test:This_-_is_Not, _Vanilla21, provisionerName=pspng_ldap, group=Group[name=test:This_-_i s_Not, _Vanilla21,uuid=5dcad47 6b1a2461ba3fad017a6393c05], provisionerType=LdapGroupProvi sioner} 2017-08-16 15:16:52,336: [DefaultQuartzScheduler_Worker-10] DEBUG Provisioner.evaluateJexlExpres sion(538) - - Evaluated Jexl _expression_: boo hoo FROM ${group.description} WITH variables {idIndex=17889, userSearchBaseDn=ou=people,o=n yu.edu ,o=nyu, groupAttributes={}, groupCreationBaseDn=ou=test,o=nyu.edu ,o=nyu, stemAttributes={}, utils=edu.internet2.middleware.grouper.pspng.PspJexlUtils@40 b0c0, groupSearchBaseDn=ou=test,o=ny u.edu ,o=nyu, name=test:This_-_is_Not, _Vanilla21, provisionerName=pspng_ldap, group=Group[name=test:This_-_i s_Not, _Vanilla21,uuid=5dcad47 6b1a2461ba3fad017a6393c05], provisionerType=LdapGroupProvi sioner} 2017-08-16 15:16:52,349: [DefaultQuartzScheduler_Worker-10] DEBUG LdapGroupProvisioner.createGro up(329) - - pspng_ldap: LDIF for new group (with partial DN): dn: cn=This_-_is_Not\,_Vanilla21,o u=test||objectclass: groupOfNames||description: boo hoo 2017-08-16 15:16:52,351: [DefaultQuartzScheduler_Worker-10] DEBUG LdapGroupProvisioner.createGro up(338) - - pspng_ldap: Adding group: [dn=cn=This_-_is_Not\,_Vanilla 21,ou=test,o=nyu.edu,o=nyu[[de scription[boo hoo]], [objectclass[groupOfNames]]]] 2017-08-16 15:16:52,351: [DefaultQuartzScheduler_Worker-10] INFO LdapProvisioner.performLdapAd d(722) - - pspng_ldap: Creating LDAP object: cn=This_-_is_Not\,_Vanilla21,o u=test,o=nyu.edu,o=nyu 2017-08-16 15:16:52,354: [DefaultQuartzScheduler_Worker-10] INFO LdapSystem.performLdapAdd(329 ) - - enterpriseldap: Creating LDAP object: cn=This_-_is_Not\,_Vanilla21,o u=test,o=nyu.edu,o=nyu 2017-08-16 15:16:52,416: [DefaultQuartzScheduler_Worker-10] ERROR LdapSystem.performLdapAdd(337) - - Problem while creating new ldap object: [dn=cn=This_-_is_Not\,_Vanilla 21,ou=test,o=nyu.edu,o=nyu[[de scription[foo foo]], [objectclass[groupOfNames]]]] [org.ldaptive.LdapException@17704354::resultCode=ENTRY_ALREA DY_EXISTS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.NameAlrea dyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla21, test,ou=nyu,ou=Groups,o=nyu.ed u,o=nyu', providerException=javax.naming .NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla21, test,o=nyu.edu,o=nyu']
thanks,
Julio
On Thu, Aug 10, 2017 at 4:32 PM, Julio Macavilca <> wrote:
I grepped for that string and didn't find it but looking at the last lines in my {grouper_home}/grouperPatchStatus.properties I see the following:
# added by grouper-installer
grouper_v2_3_0_pspng_patch_15.
date = 2017/08/10 10:22:01 # added by grouper-installer
grouper_v2_3_0_pspng_patch_15.
state = applied
When I create an empty group, everything works fine (no errors, last_sequence_processed are all the same and provisioned to ldap), but for instance for test #4 after I added a member was when I saw those ldap 68's/changelog stuck. I will keep looking on my end, thanks for all the help.
regards,Julio
On Thu, Aug 10, 2017 at 4:03 PM, Bee-Lindgren, Bert <> wrote:
Just to make sure Patch 15 is in place... Can you see if "Slower fetching will be attempted" is logged in your Test 4?
Thank you,
Bert
From: <> on behalf of Julio Macavilca <>
Sent: Thursday, August 10, 2017 2:26 PM
To: Bee-Lindgren, Bert
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issueHey Bert,
Thanks so much for that. I'm all patched up to #15 and was testing this out with the new attribute in the config, please see below as I was not successful in provisioning but perhaps I'm missing something. I changed my singleGroupSearchFilter to a more resilient attribute (gidNumber) and set the enableBulkGroupSearching.
regards,
Julio
As before, the group is provisioned to ldap but no members and changelog is stuck and keeps display the stacktrace.Test 1:
Single search filter with gid:
changeLog.consumer.pspng_ldap.
singleGroupSearchFilter = (gidNumber=${group.idIndex}) changeLog.consumer.pspng_ldap.
enableBulkGroupSearching=false After adding a group and members that requires escape chars, no errors/stacktrace of changelog being stuck in logs but I did see in the logs each of the nonaffected changelog consumers display the following:
[DefaultQuartzScheduler_Worker
-4] INFO PspChangelogConsumerShim.proce ssChangeLogEntries(52) - - pspng_<consumer-name>: +processChangeLogEntries(6) But for the affected one (pspng_ldap) I didn't see this appear. Then, when looking at the grouper_change_log_consumer table the last_sequence_processed number is stuck on the same number it was before while the other ones are all caught up. In this case, nothing gets provisioned to ldap (group/members).
Test 2: still with gidNumber but this time setting the new attribute to true
I do see:changeLog.consumer.pspng_ldap.
singleGroupSearchFilter = (gidNumber=${group.idIndex}) changeLog.consumer.pspng_ldap.
enableBulkGroupSearching=true
but same effect on the other tables and not provisioned to ldap.Worker-5] INFO PspChangelogConsumerShim.proce
ssChangeLogEntries(52) - - pspng_ldap: +processChangeLogEntries(1)
Test 3: went back to the old singleGroupSearchFilter with the new attribute set to false:
changeLog.consumer.pspng_ldap.
singleGroupSearchFilter = (&(objectclass=groupOfNames)(e ntryDN=${utils.bushyDn(group.n ame , "cn", "ou")},ou=test,o=nyu.edu,o=nyu)) changeLog.consumer.pspng_ldap.
enableBulkGroupSearching=false
I see in the logs:
INFO PspChangelogConsumerShim.proce
ssChangeLogEntries(52) - - pspng_ldap: +processChangeLogEntries(5) but shortly followed by the error
[DefaultQuartzScheduler_Worker
-1] ERROR LdapSystem.performLdapAdd(337) - - Problem while creating new ldap object: [dn=cn=This_-_is_Not\,_Vanilla 6,ou=ad,ou=pspngtest,ou=test,o =nyu.edu,o=nyu[[description[ba ck again]], [objectclass[groupOfNames]]]] [org.ldaptive.LdapException@13
083363::resultCode=ENTRY_ALREA DY_EXISTS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.NameAlrea dyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla6,o u=test,o=nyu.edu,o=nyu', providerException=javax.naming .NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla6,o u=test,o=nyu.edu,o=nyu']
Test 4: Set enableBulkGroupSearching to true, result is same ast test3.
On Wed, Aug 9, 2017 at 10:03 AM, Bee-Lindgren, Bert <> wrote:
Hello,
GRP-1588 was created to describe the problem when searching for groups by their DN/EntryDn/DistinguishedName attribute when the DNs contain escaped characters.
This was resolved by PSPNG Patch #15.
While this patch should start working and populating memberships, I would suggest that you consider searching for groups by gidNumber (or cn, if they're unique) so that modified groups (folder change) do not cause deletion of the old group (by an authoritative full sync) and creation of a new one in the new OU.
Sincerely,
Bert Bee-Lindgren
From: Julio Macavilca <>
Sent: Wednesday, August 2, 2017 12:12 PM
To: Bee-Lindgren, Bert
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issueThank you Bert. I do see improvements and can confirm the group gets created in LDAP with the escape characters but it is shortly followed by an "LDAP: error code 68 - Entry Already Exists" and the members are not added. I tried creating a group without characters that require escaping and it goes through fine.
2017-08-02 11:15:52,373: [DefaultQuartzScheduler_Worker-9] INFO EventLog.info(156) - - [789f520b467b4d648b704674947e6 f6b,'GrouperSystem','applicati on'] session: start (3ms) 2017-08-02 11:15:52,378: [DefaultQuartzScheduler_Worker-8] INFO EventLog.info(156) - - [7b4ab6d2d4024d7eb2c7eb82d0755 a1b,'GrouperSystem','applicati on'] session: start (2ms) 2017-08-02 11:15:52,384: [DefaultQuartzScheduler_Worker-8] INFO EventLog.info(156) - - [72c1c4856fdb4cda951a40a2f1652 13a,'GrouperSystem','applicati on'] session: start (2ms) 2017-08-02 11:15:52,418: [DefaultQuartzScheduler_Worker-2] INFO LdapGroupProvisioner.createGr oup(299) - - Creating LDAP group for GrouperGroup: test:This_-_is_Not,_Vanilla 2017-08-02 11:15:52,423: [DefaultQuartzScheduler_Worker-9] INFO ProvisioningWorkItem.setStatu s(143) - - Work item handled: ProvisioningWorkItem[successfu l=true,msg=Ignoring work item because group is not provisioned,clog=clog #347647 / ChangeLog type: membership: addMembership,group=test:This_ -_is_Not,_Vanilla,subject=tst9 1@nyuperson] 2017-08-02 11:15:52,424: [DefaultQuartzScheduler_Worker-9] INFO Provisioner.provisionBatchOfI tems(1362) - - pspng_groupOfNames: 1 work items need to be processed futher 2017-08-02 11:15:52,425: [DefaultQuartzScheduler_Worker-9] INFO ProvisioningWorkItem.setStatu s(143) - - Work item handled: ProvisioningWorkItem[successfu l=true,msg=Nothing to do (not a supported change),clog=clog #347646 / ChangeLog type: privilege: addPrivilege] 2017-08-02 11:15:52,426: [DefaultQuartzScheduler_Worker-9] INFO PspChangelogConsumerShim.proc essChangeLogEntries(113) - - Provisioning summary: 2017-08-02 11:15:52,555: [DefaultQuartzScheduler_Worker-8] INFO EventLog.info(156) - - [4bea4d29b507434bbcf01fb52cd55 99a,'GrouperSystem','applicati on'] session: start (3ms) 2017-08-02 11:15:52,598: [DefaultQuartzScheduler_Worker-8] INFO ProvisioningWorkItem.setStatu s(143) - - Work item handled: ProvisioningWorkItem[successfu l=true,msg=Ignoring work item because group is not provisioned,clog=clog #347647 / ChangeLog type: membership: addMembership,group=test:This_ -_is_Not,_Vanilla,subject=tst9 1@nyuperson] 2017-08-02 11:15:52,600: [DefaultQuartzScheduler_Worker-8] INFO Provisioner.provisionBatchOfI tems(1362) - - pspng_activedirectory: 2 work items need to be processed futher 2017-08-02 11:15:52,602: [DefaultQuartzScheduler_Worker-8] INFO ProvisioningWorkItem.setStatu s(143) - - Work item handled: ProvisioningWorkItem[successfu l=true,msg=Nothing to do (not a supported change),clog=clog #347645 / ChangeLog type: member: addMember,subject=b1135d924da4 4c47b8158355292d4859@g:gsa] 2017-08-02 11:15:52,604: [DefaultQuartzScheduler_Worker-8] INFO ProvisioningWorkItem.setStatu s(143) - - Work item handled: ProvisioningWorkItem[successfu l=true,msg=Nothing to do (not a supported change),clog=clog #347646 / ChangeLog type: privilege: addPrivilege] 2017-08-02 11:15:52,605: [DefaultQuartzScheduler_Worker-8] INFO PspChangelogConsumerShim.proc essChangeLogEntries(113) - - Provisioning summary: 2017-08-02 11:15:52,641: [DefaultQuartzScheduler_Worker-2] INFO LdapProvisioner.performLdapAd d(722) - - pspng_ldap: Creating LDAP object: cn=This_-_is_Not\,_Vanilla,ou= test,o=nyu.edu,o=nyu
2017-08-02 11:15:52,644: [DefaultQuartzScheduler_Worker-2] INFO LdapSystem.performLdapAdd(329 ) - - enterpriseldap: Creating LDAP object: cn=This_-_is_Not\,_Vanilla,ou= test,o=nyu.edu,o=nyu
2017-08-02 11:15:53,112: [DefaultQuartzScheduler_Worker-4] INFO EventLog.info(156) - - [c207d011bb0e4e71b3f34bf1b57c7 a08,'GrouperSystem','applicati on'] session: start (3ms) 2017-08-02 11:15:53,152: [DefaultQuartzScheduler_Worker-2] INFO ProvisioningWorkItem.setStatu s(143) - - Work item handled: ProvisioningWorkItem[successfu l=true,msg=Group test:This_-_is_Not,_Vanilla already exists,clog=clog #347644 / ChangeLog type: group: addGroup,group=test:This_-_is_ Not,_Vanilla] 2017-08-02 11:15:53,154: [DefaultQuartzScheduler_Worker-2] INFO ProvisioningWorkItem.setStatu s(143) - - Work item handled: ProvisioningWorkItem[successfu l=true,msg=Nothing to do (not a supported change),clog=clog #347645 / ChangeLog type: member: addMember,subject=b1135d924da4 4c47b8158355292d4859@g:gsa] 2017-08-02 11:15:53,156: [DefaultQuartzScheduler_Worker-2] INFO ProvisioningWorkItem.setStatu s(143) - - Work item handled: ProvisioningWorkItem[successfu l=true,msg=Nothing to do (not a supported change),clog=clog #347646 / ChangeLog type: privilege: addPrivilege] 2017-08-02 11:15:53,157: [DefaultQuartzScheduler_Worker-2] INFO PspChangelogConsumerShim.proc essChangeLogEntries(113) - - Provisioning summary: 2017-08-02 11:15:53,279: [DefaultQuartzScheduler_Worker-1] INFO EventLog.info(156) - - [fb95c3dd8b3544b0a95a1dfba7183 c1e,'GrouperSystem','applicati on'] session: start (2ms) 2017-08-02 11:15:53,546: [DefaultQuartzScheduler_Worker-7] INFO EventLog.info(156) - - [e05ef8d960ce4f9dbba87b0276358 203,'GrouperSystem','applicati on'] session: start (3ms) 2017-08-02 11:15:53,624: [DefaultQuartzScheduler_Worker-7] INFO PspChangelogConsumerShim.proc essChangeLogEntries(52) - - pspng_ldap: +processChangeLogEntries(1) 2017-08-02 11:15:53,625: [DefaultQuartzScheduler_Worker-7] INFO Provisioner.flushCachesIfNece ssary(1434) - - pspng_ldap: Keeping caches in tact for provisioning batch 2017-08-02 11:15:53,633: [DefaultQuartzScheduler_Worker-7] INFO EventLog.info(156) - - [c7a187c0748c4701899b42e591ca2 e19,'GrouperSystem','applicati on'] session: start (1ms) 2017-08-02 11:15:53,638: [DefaultQuartzScheduler_Worker-7] INFO EventLog.info(156) - - [6fe1626a7ebb4dde92fb4ef696c3b 3bc,'GrouperSystem','applicati on'] session: start (1ms) 2017-08-02 11:15:53,772: [DefaultQuartzScheduler_Worker-7] INFO EventLog.info(156) - - [596605cd18844d3ba9a273c88ac06 717,'GrouperSystem','applicati on'] session: start (2ms) 2017-08-02 11:15:53,809: [DefaultQuartzScheduler_Worker-7] INFO Provisioner.provisionBatchOfI tems(1362) - - pspng_ldap: 1 work items need to be processed futher 2017-08-02 11:15:54,111: [DefaultQuartzScheduler_Worker-6] INFO EventLog.info(156) - - [a6931e88591d4d999e38c3ad9ba0c fa4,'GrouperSystem','applicati on'] session: start (3ms) 2017-08-02 11:15:54,278: [DefaultQuartzScheduler_Worker-5] INFO EventLog.info(156) - - [a3d5a1680efe401587c447878fcfe bd5,'GrouperSystem','applicati on'] session: start (2ms) 2017-08-02 11:15:54,425: [DefaultQuartzScheduler_Worker-7] INFO LdapGroupProvisioner.createGr oup(299) - - Creating LDAP group for GrouperGroup: test:This_-_is_Not,_Vanilla 2017-08-02 11:15:54,615: [DefaultQuartzScheduler_Worker-7] INFO LdapProvisioner.performLdapAd d(722) - - pspng_ldap: Creating LDAP object: cn=This_-_is_Not\,_Vanilla,ou= test,o=nyu.edu,o=nyu
2017-08-02 11:15:54,617: [DefaultQuartzScheduler_Worker-7] INFO LdapSystem.performLdapAdd(329 ) - - enterpriseldap: Creating LDAP object: cn=This_-_is_Not\,_Vanilla,ou= test,o=nyu.edu,o=nyu
2017-08-02 11:15:54,664: [DefaultQuartzScheduler_Worker-7] ERROR LdapSystem.performLdapAdd(337) - - Problem while creating new ldap object: [dn=cn=This_-_is_Not\,_Vanilla ,ou=test,o=nyu.edu,o=nyu[[desc ription[]], [objectclass[groupOfNames]]]] [org.ldaptive.LdapException@2414009::resultCode=ENTRY_ALREAD Y_EXISTS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.NameAlrea dyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =test,o=nyu.edu,o=nyu', providerException=javax.naming .NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =test,o=nyu.edu,o=nyu'] at org.ldaptive.provider.ProviderUtils.throwOperationException( ProviderUtils.java:55) at org.ldaptive.provider.jndi.JndiConnection.processNamingExcep tion(JndiConnection.java:619) at org.ldaptive.provider.jndi.JndiConnection.add(JndiConnection .java:326) at edu.internet2.middleware.grouper.pspng.LdapSystem.performLda pAdd(LdapSystem.java:335) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :725) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:340) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:47) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:749) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :475) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1373) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$5.runJob(GrouperLoaderType.j ava:717) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 423) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :323) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) Caused by: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =test,o=nyu.edu,o=nyu' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3083) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:303 4) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:284 1) at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:81 2) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcont ext(ComponentDirContext.java:3 37) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSu bcontext(PartialCompositeDirCo ntext.java:266) at org.ldaptive.provider.jndi.JndiConnection.add(JndiConnection .java:315) ... 14 more2017-08-02 11:15:54,681: [DefaultQuartzScheduler_Worker-7] ERROR LdapGroupProvisioner.createGro up(346) - - Problem while creating new group: dn: cn=This_-_is_Not\,_Vanilla,ou= ad,ou=pspngtest,ou=app objectclass: groupOfNamesdescription:edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.NameAlreadyBoundE xception: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =test,o=nyu.edu,o=nyu' at edu.internet2.middleware.grouper.pspng.LdapSystem.performLda pAdd(LdapSystem.java:338) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :725) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:340) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:47) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:749) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :475) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1373) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$5.runJob(GrouperLoaderType.j ava:717) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 423) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :323) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) 2017-08-02 11:15:54,684: [DefaultQuartzScheduler_Worker-7] ERROR Provisioner.provisionBatchOfIt ems(1376) - - Unable to begin the provisioning batch edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.NameAlreadyBoundE xception: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =test,o=nyu.edu,o=nyu' at edu.internet2.middleware.grouper.pspng.LdapSystem.performLda pAdd(LdapSystem.java:338) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :725) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:340) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:47) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:749) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :475) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1373) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$5.runJob(GrouperLoaderType.j ava:717) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 423) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :323) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) 2017-08-02 11:15:54,686: [DefaultQuartzScheduler_Worker-7] ERROR ChangeLogHelper.processRecords (255) - - Error java.lang.RuntimeException: No entries provisioned. Batch-Start failed: LDAP problem creating object: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =ad,ou=pspngtest,ou=app,ou=nyu ,ou=Groups,o=nyu.edu,o=nyu' at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1378) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$5.runJob(GrouperLoaderType.j ava:717) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 423) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :323) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.NameAlreadyBoundE xception: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =ad,ou=pspngtest,ou=app,ou=nyu ,ou=Groups,o=nyu.edu,o=nyu' at edu.internet2.middleware.grouper.pspng.LdapSystem.performLda pAdd(LdapSystem.java:338) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :725) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:340) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:47) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:749) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :475) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1373) ... 7 more2017-08-02 11:15:54,702: [DefaultQuartzScheduler_Worker-7] ERROR ChangeLogHelper.processRecords (286) - - Did not get all the way through the batch! -1 != 347647 2017-08-02 11:15:54,703: [DefaultQuartzScheduler_Worker-7] ERROR GrouperLoaderJob.runJob(443) - - Error on job: CHANGE_LOG_consumer_pspng_ldap java.lang.RuntimeException: Error in loader job: null, check logs: Error: java.lang.RuntimeException: No entries provisioned. Batch-Start failed: LDAP problem creating object: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =ad,ou=pspngtest,ou=app,ou=nyu ,ou=Groups,o=nyu.edu,o=nyu' at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1378) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$5.runJob(GrouperLoaderType.j ava:717) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 423) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :323) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.NameAlreadyBoundE xception: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=This_-_is_Not\,_Vanilla,ou =ad,ou=pspngtest,ou=app,ou=nyu ,ou=Groups,o=nyu.edu,o=nyu' at edu.internet2.middleware.grouper.pspng.LdapSystem.performLda pAdd(LdapSystem.java:338) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :725) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:340) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:47) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:749) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :475) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1373) ... 7 moreDid not get all the way through the batch! -1 != 347647at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 432) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :323) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573)
On Tue, Aug 1, 2017 at 9:49 PM, Bee-Lindgren, Bert <> wrote:
Hello,
PSPNG 2.3 Patch 14 addresses a gap in Patch 13's RDN escaping. Please let us know if you see improvements!
Thanks much,
Bert
From: Julio Macavilca <>
Sent: Tuesday, August 1, 2017 12:22 PM
To: Bee-Lindgren, Bert
Cc: Grouper Users
Subject: Re: [grouper-users] Re: PSPNG issueI saw that pspgn 2.3.0 patch 13 (GRP-1533) was recently released (many thanks for this!) so I've patched to:grouper_v2_3_0_api_patch_71 and grouper_v2_3_0_pspng_patch_13 and tested out but I am still seeing the same behavior. My config is:
changeLog.consumer.pspng_ldap.
allGroupsSearchFilter = objectclass=groupOfNames
changeLog.consumer.pspng_ldap.groupCreationLdifTemplate = dn: ${utils.bushyDn(grouper.name, "cn", "ou")}||objectclass: groupOfNames||description: ${group.description}
changeLog.consumer.pspng_ldap.singleGroupSearchFilter = (&(objectclass=groupOfNames)(e ntryDN=${utils.bushyDn(group.n ame , "cn", "ou")},ou=nyu,ou=Groups,o=nyu.edu ,o=nyu))
And the output in the log says:
Caused by: edu.internet2.middleware.group
er.pspng.PspException: Unable to find existing OU nor create new one (Problem during LDAP read: javax.naming.InvalidNameExcept ion: ou=regular,ou=School_of_Cultur e,_Education,_Human_Developmen t,ou=test,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name 'ou=regular,ou=School_of_Cultu re,_Education,_Human_Developme nt,ou=test,o=nyu.edu,o=nyu') at edu.internet2.middleware.group
er.pspng.LdapProvisioner.ensur eLdapOusExist(LdapProvisioner. java:688) at edu.internet2.middleware.group
er.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :724) at edu.internet2.middleware.group
er.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:340) at edu.internet2.middleware.group
er.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:47) at edu.internet2.middleware.group
er.pspng.Provisioner.prepareGr oupCache(Provisioner.java:740) at edu.internet2.middleware.group
er.pspng.Provisioner.startProv isioningBatch(Provisioner.java :475) at edu.internet2.middleware.group
er.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1364) ... 7 more
Did not get all the way through the batch! -1 != 346592]
thanks,Julio
On Tue, Jun 27, 2017 at 12:31 PM, Bee-Lindgren, Bert <> wrote:
Hello,
This is my current task, and I should have the DN/RDN part of it patched this week. In other words, cn=${group.name},ou=groups,dc=
example,dc=edu will work even for a group with commas/plusses/etc in its name.
I'm keeping the Jira updated as I go.
Thanks,
Bert
From: <> on behalf of Julio Macavilca <>
Sent: Wednesday, June 21, 2017 12:11 PM
To: Grouper Users
Subject: [grouper-users] Re: PSPNG issueHi folks,
Just resurfacing this issue, I'm aware that the Jira was created (https://bugs.internet2.edu/jira/browse/GRP-1533 ) back in April and wanted to see if there was an update. We'd like to run the PSPNG in prod but this is preventing us from going forward with it.
many thanks,Julio
On Mon, Apr 17, 2017 at 3:17 PM, Julio Macavilca <> wrote:
Hi,
Bumping this up. We came across this bug because while running a loader job coming from a system of records, the PSPNG became "stuck". The name of the groups that would trigger this behavior all had commas there and I was then able to reproduce this by creating them manually.
thanks,Julio
On Thu, Feb 23, 2017 at 1:30 PM, Julio Macavilca <> wrote:
Hi folks,
I am testing the PSPNG in dev environment running pspng patch 7. When creating a group or stem with a name that includes a comma I am seeing that the changelog consumer becomes stuck when provisioning to LDAP. After looking at the logs the dn looks malformed whereas using the PSP we have similar ones but it includes the escape character in the dn so it doesn't cause an LDAP error 34.
thanks,Julio
Name: This_-_is_My,_Test Path: app:pspngtest:This_-_is_My,_Te st ID path: app:pspngtest:This_-_is_My,_Te st Alternate ID path: ID: This_-_is_My,_Test Created: Thu Feb 23 1:09:24 PM EST 2017
2017-02-23 13:09:51,375: [DefaultQuartzScheduler_Worker-1] INFO PspChangelogConsumerShim.proc essChangeLogEntries(52) - - pspng_activedirectory: +processChangeLogEntries(2) 2017-02-23 13:09:51,376: [DefaultQuartzScheduler_Worker-1] INFO ProvisionerFactory.createProv isionerWithName(80) - - Constructing provisioner: pspng_activedirectory 2017-02-23 13:09:51,416: [DefaultQuartzScheduler_Worker-2] INFO EventLog.info(156) - - [dbd228ec52b04b1dbb98aaedef378 dfb,'GrouperSystem','applicati on'] session: start (1ms) 2017-02-23 13:09:51,437: [DefaultQuartzScheduler_Worker-1] INFO EventLog.info(156) - - [9f5124c4b49d4247bc0d8aacbf210 5dc,'GrouperSystem','applicati on'] session: start (1ms) 2017-02-23 13:09:51,466: [DefaultQuartzScheduler_Worker-2] INFO EventLog.info(156) - - [3157a17bd1c0433c8fb6cefb4a191 ee8,'GrouperSystem','applicati on'] session: start (1ms) 2017-02-23 13:09:51,557: [DefaultQuartzScheduler_Worker-2] INFO EventLog.info(156) - - [7db294383c8340c58b14b5d02ec19 576,'GrouperSystem','applicati on'] session: start (2ms) 2017-02-23 13:09:51,570: [DefaultQuartzScheduler_Worker-1] INFO EhcacheController.getCache(20 0) - - cache not configured explicitly: PSP-pspng_activedirectory-Grou perGroupInfoCache, to override default values, configure in the resource /grouper.cache.base.properties and /grouper.cache.properties. Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false 2017-02-23 13:09:51,572: [DefaultQuartzScheduler_Worker-1] INFO EhcacheController.getCache(20 0) - - cache not configured explicitly: PSP-pspng_activedirectory-Grou perSubjectCache, to override default values, configure in the resource /grouper.cache.base.properties and /grouper.cache.properties. Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false 2017-02-23 13:09:51,573: [DefaultQuartzScheduler_Worker-1] INFO EhcacheController.getCache(20 0) - - cache not configured explicitly: PSP-pspng_activedirectory-Targ etSystemUserCache, to override default values, configure in the resource /grouper.cache.base.properties and /grouper.cache.properties. Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false 2017-02-23 13:09:51,575: [DefaultQuartzScheduler_Worker-1] INFO EhcacheController.getCache(20 0) - - cache not configured explicitly: PSP-pspng_activedirectory-Targ etSystemGroupCache, to override default values, configure in the resource /grouper.cache.base.properties and /grouper.cache.properties. Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false 2017-02-23 13:09:51,576: [DefaultQuartzScheduler_Worker-1] INFO EhcacheController.getCache(20 0) - - cache not configured explicitly: PSP-pspng_activedirectory-Ldap UserCache, to override default values, configure in the resource /grouper.cache.base.properties and /grouper.cache.properties. Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false 2017-02-23 13:09:51,578: [DefaultQuartzScheduler_Worker-1] INFO ProvisionerFactory.createProv isionerWithName(80) - - Constructing provisioner: pspng_activedirectory 2017-02-23 13:09:51,587: [DefaultQuartzScheduler_Worker-2] INFO ProvisioningWorkItem.getSubje ctId(201) - - Not a supported change for finding subject (not MEMBERSHIP_ADD nor MEMBERSHIP_DELETE): ChangeLog type: group: addGroup 2017-02-23 13:09:51,591: [DefaultQuartzScheduler_Worker-2] INFO ProvisioningWorkItem.getSubje ctSourceId(225) - - Not a supported change for finding subject (not MEMBERSHIP_ADD nor MEMBERSHIP_DELETE): ChangeLog type: group: addGroup 2017-02-23 13:09:51,674: [pspng_activedirectory-FullSync] INFO EventLog.info(156) - - [4e69be2f9f1d4f18a9855299ed4ef d9b,'GrouperSystem','applicati on'] session: start (3ms) 2017-02-23 13:09:51,692: [DefaultQuartzScheduler_Worker-1] INFO EventLog.info(156) - - [5d3ed92061e44293bea0c15cc3b82 467,'GrouperSystem','applicati on'] session: start (1ms) 2017-02-23 13:09:51,781: [DefaultQuartzScheduler_Worker-1] INFO EventLog.info(156) - - [24d06f83d7684a6090fd342b3025d c62,'GrouperSystem','applicati on'] session: start (2ms) 2017-02-23 13:09:51,849: [DefaultQuartzScheduler_Worker-1] INFO Provisioner.getAllGroupsForPr ovisioner(1163) - - pspng_activedirectory: There are 0 folders that match etc:pspng:provision_to attribute 2017-02-23 13:09:51,850: [DefaultQuartzScheduler_Worker-1] INFO Provisioner.getAllGroupsForPr ovisioner(1164) - - pspng_activedirectory: There are 0 groups that match etc:pspng:provision_to attribute 2017-02-23 13:09:51,969: [DefaultQuartzScheduler_Worker-1] INFO Provisioner.getAllGroupsForPr ovisioner(1163) - - pspng_activedirectory: There are 0 folders that match etc:pspng:do_not_provision_to attribute 2017-02-23 13:09:51,970: [DefaultQuartzScheduler_Worker-1] INFO Provisioner.getAllGroupsForPr ovisioner(1164) - - pspng_activedirectory: There are 0 groups that match etc:pspng:do_not_provision_to attribute 2017-02-23 13:09:51,971: [DefaultQuartzScheduler_Worker-1] INFO Provisioner.flushCachesIfNece ssary(1346) - - pspng_activedirectory: Keeping caches in tact for provisioning batch 2017-02-23 13:09:51,981: [DefaultQuartzScheduler_Worker-2] INFO LdapGroupProvisioner.createGr oup(251) - - Creating LDAP group for GrouperGroup: app:pspngtest:This_-_is_My,_Te st 2017-02-23 13:09:52,060: [DefaultQuartzScheduler_Worker-1] INFO EventLog.info(156) - - [16d7c162c83549cf89a7537c6ef2a e72,'GrouperSystem','applicati on'] session: start (2ms) 2017-02-23 13:09:52,098: [DefaultQuartzScheduler_Worker-1] INFO ProvisioningWorkItem.getSubje ctId(201) - - Not a supported change for finding subject (not MEMBERSHIP_ADD nor MEMBERSHIP_DELETE): ChangeLog type: group: addGroup 2017-02-23 13:09:52,099: [DefaultQuartzScheduler_Worker-1] INFO ProvisioningWorkItem.setStatu s(125) - - Not a supported change for finding subject (not MEMBERSHIP_ADD nor MEMBERSHIP_DELETE): ChangeLog type: group: addGroup 2017-02-23 13:09:52,100: [DefaultQuartzScheduler_Worker-1] INFO ProvisioningWorkItem.setStatu s(125) - - Work item done: ProvisioningWorkItem[successfu l=true,msg=Ignoring work item ProvisioningWorkItem[successfu l=true,clog=clog #285000 / ChangeLog type: group: addGroup,group=app:pspngtest:T his_-_is_My,_Test ] because group app:pspngtest:This_-_is_My,_Te st is not provisioned,clog=clog #285000 / ChangeLog type: group: addGroup,group=app:pspngtest:T his_-_is_My,_Test ] 2017-02-23 13:09:52,101: [DefaultQuartzScheduler_Worker-1] INFO ProvisioningWorkItem.getSubje ctId(201) - - Not a supported change for finding subject (not MEMBERSHIP_ADD nor MEMBERSHIP_DELETE): ChangeLog type: group: addGroup 2017-02-23 13:09:52,102: [DefaultQuartzScheduler_Worker-1] INFO ProvisioningWorkItem.getSubje ctSourceId(225) - - Not a supported change for finding subject (not MEMBERSHIP_ADD nor MEMBERSHIP_DELETE): ChangeLog type: group: addGroup 2017-02-23 13:09:52,109: [DefaultQuartzScheduler_Worker-2] INFO LdapProvisioner.performLdapAd d(628) - - pspng_groupOfNames: Creating LDAP object: cn=This_-_is_My,_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu 2017-02-23 13:09:52,136: [DefaultQuartzScheduler_Worker-2] ERROR LdapSystem.performLdapRead(387 ) - - Problem during ldap read _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu [org.ldaptive.LdapException@27941234::resultCode=INVALID_DN_ SYNTAX, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.InvalidNa meException: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu', providerException=javax.naming .InvalidNameException: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu'] at org.ldaptive.provider.ProviderUtils.throwOperationException( ProviderUtils.java:55) at org.ldaptive.provider.jndi.JndiConnection.processNamingExcep tion(JndiConnection.java:619) at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator .initialize(JndiConnection.jav a:741) at org.ldaptive.provider.jndi.JndiConnection.search(JndiConnect ion.java:463) at org.ldaptive.SearchOperation.executeSearch(SearchOperation.j ava:103) at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) at org.ldaptive.AbstractOperation.execute(AbstractOperation.jav a:126) at edu.internet2.middleware.grouper.pspng.LdapSystem.performLda pRead(LdapSystem.java:372) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.ensur eLdapOusExist(LdapProvisioner. java:585) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :630) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:269) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:54) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:715) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :468) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1285) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$4.runJob(GrouperLoaderType.j ava:652) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 418) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :318) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) Caused by: javax.naming.InvalidNameException: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu' at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:302 6) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:284 1) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1850) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1773) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Compon entDirContext.java:386) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(P artialCompositeDirContext.java :356) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(P artialCompositeDirContext.java :339) at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator .search(JndiConnection.java:80 6) at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator .initialize(JndiConnection.jav a:735) ... 20 more2017-02-23 13:09:52,146: [DefaultQuartzScheduler_Worker-2] ERROR LdapProvisioner.ensureLdapOusE xist(593) - - pspng_groupOfNames: Unable to find existing OU (_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu) edu.internet2.middleware.grouper.pspng.PspException: Problem during LDAP read: javax.naming.InvalidNameExcept ion: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu' at edu.internet2.middleware.grouper.pspng.LdapSystem.performLda pRead(LdapSystem.java:388) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.ensur eLdapOusExist(LdapProvisioner. java:585) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :630) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:269) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:54) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:715) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :468) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1285) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$4.runJob(GrouperLoaderType.j ava:652) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 418) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :318) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) 2017-02-23 13:09:52,149: [DefaultQuartzScheduler_Worker-2] ERROR LdapGroupProvisioner.createGro up(275) - - Problem while creating new group: dn: cn=This_-_is_My,_Test ,ou=pspngtest,ou=app objectclass: groupOfNamesdescription:gidNumber: 15066objectclass: posixGroupedu.internet2.middleware.grouper.pspng.PspException: Unable to find existing OU nor create new one (Problem during LDAP read: javax.naming.InvalidNameExcept ion: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu') at edu.internet2.middleware.grouper.pspng.LdapProvisioner.ensur eLdapOusExist(LdapProvisioner. java:594) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :630) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:269) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:54) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:715) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :468) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1285) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$4.runJob(GrouperLoaderType.j ava:652) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 418) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :318) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) 2017-02-23 13:09:52,152: [DefaultQuartzScheduler_Worker-2] ERROR Provisioner.provisionBatchOfIt ems(1288) - - Unable to begin the provisioning batch edu.internet2.middleware.grouper.pspng.PspException: Unable to find existing OU nor create new one (Problem during LDAP read: javax.naming.InvalidNameExcept ion: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu') at edu.internet2.middleware.grouper.pspng.LdapProvisioner.ensur eLdapOusExist(LdapProvisioner. java:594) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :630) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:269) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:54) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:715) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :468) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1285) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$4.runJob(GrouperLoaderType.j ava:652) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 418) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :318) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) 2017-02-23 13:09:52,155: [DefaultQuartzScheduler_Worker-2] ERROR ChangeLogHelper.processRecords (255) - - Error java.lang.RuntimeException: No entries provisioned. Batch-Start failed: Unable to find existing OU nor create new one (Problem during LDAP read: javax.naming.InvalidNameException: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu') at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1290) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$4.runJob(GrouperLoaderType.j ava:652) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 418) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :318) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) Caused by: edu.internet2.middleware.grouper.pspng.PspException: Unable to find existing OU nor create new one (Problem during LDAP read: javax.naming.InvalidNameExcept ion: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu') at edu.internet2.middleware.grouper.pspng.LdapProvisioner.ensur eLdapOusExist(LdapProvisioner. java:594) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :630) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:269) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:54) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:715) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :468) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1285) ... 7 more2017-02-23 13:09:52,160: [DefaultQuartzScheduler_Worker-2] ERROR ChangeLogHelper.processRecords (286) - - Did not get all the way through the batch! -1 != 285001 2017-02-23 13:09:52,161: [DefaultQuartzScheduler_Worker-2] ERROR GrouperLoaderJob.runJob(438) - - Error on job: CHANGE_LOG_consumer_pspng_grou pOfNames java.lang.RuntimeException: Error in loader job: null, check logs: Error: java.lang.RuntimeException: No entries provisioned. Batch-Start failed: Unable to find existing OU nor create new one (Problem during LDAP read: javax.naming.InvalidNameException: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu') at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1290) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$4.runJob(GrouperLoaderType.j ava:652) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 418) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :318) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) Caused by: edu.internet2.middleware.grouper.pspng.PspException: Unable to find existing OU nor create new one (Problem during LDAP read: javax.naming.InvalidNameExcept ion: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu') at edu.internet2.middleware.grouper.pspng.LdapProvisioner.ensur eLdapOusExist(LdapProvisioner. java:594) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.perfo rmLdapAdd(LdapProvisioner.java :630) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:269) at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner. createGroup(LdapGroupProvision er.java:54) at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGr oupCache(Provisioner.java:715) at edu.internet2.middleware.grouper.pspng.Provisioner.startProv isioningBatch(Provisioner.java :468) at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1285) ... 7 moreDid not get all the way through the batch! -1 != 285001at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 427) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :318) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573) 2017-02-23 13:09:52,189: [DefaultQuartzScheduler_Worker-2] ERROR GrouperLoaderJob.execute(321) - - Error running up job java.lang.RuntimeException: Error in loader job: null, check logs: Error: java.lang.RuntimeException: No entries provisioned. Batch-Start failed: Unable to find existing OU nor create new one (Problem during LDAP read: javax.naming.InvalidNameException: _Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu: [LDAP: error code 34 - Invalid DN]; remaining name '_Test ,ou=pspngtest,ou=app,ou=nyu,ou =Groups,o=nyu.edu,o=nyu') at edu.internet2.middleware.grouper.pspng.Provisioner.provision BatchOfItems(Provisioner.java: 1290) at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerS him.processChangeLogEntries(Ps pChangelogConsumerShim.java:71 ) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.p rocessRecords(ChangeLogHelper. java:245) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderTyp e$4.runJob(GrouperLoaderType.j ava:652) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .runJob(GrouperLoaderJob.java: 418) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob .execute(GrouperLoaderJob.java :318) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThr eadPool.java:573)
- Re: [grouper-users] Re: PSPNG issue, Bee-Lindgren, Bert A, 09/02/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Bee-Lindgren, Bert A, 09/03/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Julio Macavilca, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Bee-Lindgren, Bert A, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Julio Macavilca, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Bee-Lindgren, Bert A, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Julio Macavilca, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Bee-Lindgren, Bert A, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Julio Macavilca, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Bee-Lindgren, Bert A, 09/17/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Julio Macavilca, 09/19/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Julio Macavilca, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Bee-Lindgren, Bert A, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Julio Macavilca, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Bee-Lindgren, Bert A, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Julio Macavilca, 09/06/2017
- Re: [grouper-users] Re: PSPNG issue [DN-Searching, PSPNG Patch #16], Bee-Lindgren, Bert A, 09/03/2017
Archive powered by MHonArc 2.6.19.