Grouper Users - Open Discussion List

[Julio Macavilca <>]

Can you try ${grouperUtil.extensionFromName(name)} instead and restart the service, let me know how it goes.

On Mon, Oct 23, 2017 at 12:05 PM, Sawyer, Mona Zarei <> wrote:

I tried the following two configurations, and got the same error. I don’t have access to the AD logs but i have the grouper logging in the Debug level, please see the full log below.

groupCreationLdifTemplate = dn:cn=${ grouperUtil.extensionFromName(group.name) } ||objectclass: group ||samAccountName:${ grouperUtil.extensionFromName(group.name) }

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn:cn=${ grouperUtil.extensionFromName(group.name) } ||objectclass: group ||samAccountName: ${group.name}

 

log:

 

2017-10-23 12:00:11,260: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) -  - Evaluated Jexl _expression_: true FROM ${utils.containedWithin(provisionerName, stemAttributes['etc:pspng:provision_to'], groupAttributes['etc:pspng:provision_to']) && !utils.containedWithin(provisionerName, stemAttributes['etc:pspng:do_not_provision_to'], groupAttributes['etc:pspng:do_not_provision_to'])} WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, utils=edu.internet2.middleware.grouper.pspng.PspJexlUtils@109ed497, groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:00:11,260: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.shouldGroupBeProvisioned(1318) -  - pspng_activedirectory: Group UM_External_Groups:testsamacc matches group-selection filter.

2017-10-23 12:00:11,260: [pspng_activedirectory-FullSync-Thread] INFO  LdapGroupProvisioner.createGroup(299) -  - Creating LDAP group for GrouperGroup: UM_External_Groups:testsamacc

2017-10-23 12:00:11,296: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) -  - Evaluated Jexl _expression_: testsamacc FROM ${ grouperUtil.extensionFromName(group.name) } WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, utils=edu.internet2.middleware.grouper.pspng.PspJexlUtils@773d27c1, groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:00:11,296: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) -  - Evaluated Jexl _expression_: testsamacc FROM ${ grouperUtil.extensionFromName(group.name) } WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, utils=edu.internet2.middleware.grouper.pspng.PspJexlUtils@773d27c1, groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:00:11,305: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.createGroup(329) -  - pspng_activedirectory: LDIF for new group (with partial DN): dn:cn=testsamacc ||objectclass: group ||samAccountName:testsamacc

2017-10-23 12:00:11,306: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.createGroup(338) -  - pspng_activedirectory: Adding group: [dn=cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu[[samAccountName[testsamacc]], [objectclass[group ]]]]

2017-10-23 12:00:11,306: [pspng_activedirectory-FullSync-Thread] INFO  LdapProvisioner.performLdapAdd(722) -  - pspng_activedirectory: Creating LDAP object: cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu

2017-10-23 12:00:11,306: [pspng_activedirectory-FullSync-Thread] INFO  LdapSystem.performLdapAdd(329) -  - umldap: Creating LDAP object: cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu

2017-10-23 12:00:11,309: [pspng_activedirectory-FullSync-Thread] ERROR LdapSystem.performLdapAdd(337) -  - Problem while creating new ldap object: [dn=cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu[[samAccountName[testsamacc]], [objectclass[group ]]]]

[org.ldaptive.LdapException@1341992207::resultCode=NO_SUCH_ATTRIBUTE, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu', providerException=javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu']

                at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)

                at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)

                at org.ldaptive.provider.jndi.JndiConnection.add(JndiConnection.java:326)

                at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:335)

                at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:725)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:340)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:47)

                at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:749)

                at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:475)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:598)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:256)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:188)

                at java.lang.Thread.run(Thread.java:745)

Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

                at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3110)

                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3035)

                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2841)

                at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)

                at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:337)

                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:266)

                at org.ldaptive.provider.jndi.JndiConnection.add(JndiConnection.java:315)

                ... 10 more

2017-10-23 12:00:11,310: [pspng_activedirectory-FullSync-Thread] ERROR LdapGroupProvisioner.createGroup(346) -  - Problem while creating new group: dn:cn=testsamacc

objectclass: group

samAccountName:testsamacc

edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

                at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:338)

                at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:725)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:340)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:47)

                at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:749)

                at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:475)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:598)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:256)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:188)

                at java.lang.Thread.run(Thread.java:745)

2017-10-23 12:00:11,310: [pspng_activedirectory-FullSync-Thread] ERROR FullSyncProvisioner.processGroup(609) -  - pspng_activedirectory-FullSync: Problem doing full sync. Requeuing group UM_External_Groups:testsamacc

edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

                at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:338)

                at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:725)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:340)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:47)

                at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:749)

                at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:475)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:598)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:256)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:188)

                at java.lang.Thread.run(Thread.java:745)

 

Thank you so much,

Best Reagrds,

 

Mona Z Sawyer M.Sc.

Programmer Intermediate

Middleware and Identity Services

Information Technology | University of Miami

1320 S. Dixie Hwy | Suite 1000.49

Coral Gables, Fl 33146

305-284-2214

 

"At the U, we transform lives through teaching, research and service."

 

From: Julio Macavilca [mailto:]
Sent: Monday, October 23, 2017 11:53 AM
To: Sawyer, Mona Zarei <>
Cc: Coleman, Erik C <>;
Subject: Re: [grouper-users] PSPNG creates group in AD with random samaccountname

 

Hi Mona,

 

What Erik mentioned is correct, we set samAccountName in groupCreationLdifTemplate.  What do you have in your grouper-loader config for groupCreationLdifTemplate?  Also, if you have access to AD, what does the connection transactions logs say as grouper tries to provision?  Lastly, I would turn up pspng logging to debug while testing, add the following to your log4j.properties:

 

log4j.logger.edu.internet2.middleware.grouper.pspng=DEBUG

log4j.logger.edu.internet2.middleware.grouper.changeLog=DEBUG

 

thanks,

Julio

 

On Mon, Oct 23, 2017 at 11:34 AM, Sawyer, Mona Zarei <> wrote:

I tried to add the samaccountname to the configuration but I get an attribute conversion error. Please see below.

Any ideas how we can fix this issue?

 

2017-10-23 11:26:35,884: [pspng_activedirectory-FullSync-Thread] ERROR LdapGroupProvisioner.createGroup(346) -  - Problem while creating new group: dn:cn=testsamacc

objectclass: group

 samAccountName:cn=testsamacc

edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

                at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:338)

                at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:725)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:340)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:47)

                at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:749)

                at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:475)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:598)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:256)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:188)

                at java.lang.Thread.run(Thread.java:745)

2017-10-23 11:26:35,885: [pspng_activedirectory-FullSync-Thread] ERROR FullSyncProvisioner.processGroup(609) -  - pspng_activedirectory-FullSync: Problem doing full sync. Requeuing group UM_External_Groups:testsamacc

edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

                at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:338)

                at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:725)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:340)

                at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:47)

                at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:749)

                at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:475)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:598)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:256)

                at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:188)

                at java.lang.Thread.run(Thread.java:745)

 

Thank you so much,

Best Reagrds,

 

Mona Z Sawyer M.Sc.

Programmer Intermediate

Middleware and Identity Services

Information Technology | University of Miami

1320 S. Dixie Hwy | Suite 1000.49

Coral Gables, Fl 33146

305-284-2214

 

"At the U, we transform lives through teaching, research and service."

 

From: [mailto:] On Behalf Of Coleman, Erik C
Sent: Friday, October 20, 2017 3:23 PM
To:
Subject: RE: [grouper-users] PSPNG creates group in AD with random samaccountname

 

We are seeing the same issue, and it is on our list of things to track down, just hasn’t bubbled up to the top yet. We are using PSP-NG to sync to Active Directory.  It looks like you can possibly set samAccountName explicitly using the “groupCreationLdifTemplate” property of the connector, perhaps by just appending:  “||samAccountName: ${group.name}”

 

Has anyone else successfully done this?

 

Thanks!

 

-Erik

 

 

--

Erik Coleman

Senior Manager, Enterprise Systems

Technology Services at Illinois

University of Illinois at Urbana-Champaign

 

 

 

From: [] On Behalf Of Sawyer, Mona Zarei
Sent: Friday, October 20, 2017 11:05
To:
Subject: [grouper-users] PSPNG creates group in AD with random samaccountname

 

Hello,

 

We are having PSPNG working to provision new groups into AD. The groups get created in AD with the same name as the group name in grouper, However, the samaccountname is a random character.

(groups name : “TestGroup”; group samaccountname : “$CK8Q00-M7J9243J15RK”)

For consistency, we need to have the group’s samaccountname the same as the name in AD.

Please kindly let me know how we can fix this.

 

Thank you so much.

 

Mona Z Sawyer M.Sc.

Programmer Intermediate

Middleware and Identity Services

Information Technology

University of Miami

1320 S. Dixie Hwy

Suite 1000.49

Coral Gables, Fl 33146

305-284-2214

 

"At the U, we transform lives through teaching, research and service."