grouper-users - Re: [grouper-users] PSPNG creates group in AD with random samaccountname

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] PSPNG creates group in AD with random samaccountname

From: "Bee-Lindgren, Bert" <>
To: "Black, Carey M." <>, "Sawyer, Mona Zarei" <>
Cc: "" <>
Subject: Re: [grouper-users] PSPNG creates group in AD with random samaccountname
Date: Mon, 23 Oct 2017 19:42:23 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is ) ;
Ironport-phdr: 9a23:jdTZgh84S8AQ3P9uRHKM819IXTAuvvDOBiVQ1KB+0eseIJqq85mqBkHD//Il1AaPBtSLraocw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze6/9pnQbglSmDaxfa55IQmrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsDtU7s6RSqt4LtqSB/wiScIKTg58H3MisdtiK5XuQ+tqwBjz4LRZoyeKfhwcb7Hfd4CRWRPQNtfVzBPDI2/YYsADesBMvpXoITmvVsCsQeyCBOwCO/zyjJFgGL9060g0+QmFAHLxAIsEs8Qv3vKtdn7MqYSUeaow6nH1zXMcfVW1S/g44XVbB8hu+2MUbxtesfW0kYgCRnFjkmKpYP+ITyayP0Bs2ya7+pmSO2vhHQnpB93ojW0wccsi5XJipgayl/e6SV23po6Jd2iREFlfNGkDYJduieHPIV4RcMiRntnuCc8yrAetp67ey8KyJsjxxHBcfCIb4+I4hf7WOaNITd4nmxqd6iiiBqo60ig1+v8WtG70FZQqSpFj8HMumoL1xPJ78iIVONx/ki72TaIygDT8vtILVoylaXBLp4u3KY8lp0OsUTfGi/2n0L2jKyMeko4/eio7vzrYrHhpp+TOI97lBv+Pr4wlcOiHOQ1NBUFUWuD+emkyrHs51H1TKhPg/Erj6XVrZXXJcoUq6KlHwNY14gj5AiwAjqp1dkVmHsKIE5Ydx6fkYTkOkzCLOz9APuijFmhkzJmy+3IPrH9HJnAK2XPnbn9cbpg7kNRxhQ/wN9c6p9RCrwMIvL+V0/0udHXDBI0PBG4zuP6BNVzyI8TV2SCCbKDPqzIq1+H/OcvLvGMZIALvDb9LOAo6ebygHE+hVMRY7Cl04YPZnylB/hmJF6WbmT2jtcGDGcKohExTOv3iF2ETDFffW6yX7g75jEnFo2pEZvDRoGqgLyHxiu7GYBWZnxCClCLFnfodJ+IVOsLaCKXOsNhkzoEWqa9S4I5yx2hrhP2x6diI+bJ5yEUqJfu1NZ66uHPiR0/8DJ0ANqS3myCSmx5m2EFSyMr06xnpExy0FaD0ax2g/xCEtxT4utEXRwkOp7G0+x2Ecv9VRzfcduQTFamQ9OmDiw+TtIr3dAOZV1wG9KjjhDfxSaqDKUal6CVC5Mo8qLQxWb+KNtgy3rezqkuk0EmQtdTNW2hnqN/+BLTB4nUk0WBiamqb70Q3DPW9Gid12qOp1pVUApxUaXeQXAffVXaoc745kPEU7+hF64nMg1fxs6eNKdGcMPmgkhbRKSrBNOLKUi1kmyzQV6jz6mBfcLPPS9ViC/ZAUMH1VlJpl6BLhV4Cyu89SaWRgdnCkPieQek1O54oTuJR1U5zkvCO0hm0bOn0hsUjPmdDf4fw+RXlj0mrmA+NluwmvbXDdaPvQdnOO12bMkhqh8T32/Dq0p3M5HlK6FkilEEfgJfuELykRp+FohLkY4noG58n1k6Er6RzF4UL2DQ5pv3ILCCbzCqpB0=
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99

Yes, you're right, Carey! It was nagging me, but I couldn't quite put my finger on it.

From: Black, Carey M. <>
Sent: Monday, October 23, 2017 3:35 PM
To: Sawyer, Mona Zarei
Cc: Bee-Lindgren, Bert
Subject: RE: [grouper-users] PSPNG creates group in AD with random samaccountname

I could be wrong… but…. This does not look correct ( in an LDAP sense) to me…

2017-10-23 12:33:29,134: [pspng_activedirectory-FullSync-Thread] ERROR LdapSystem.performLdapAdd(337) - - Problem while creating new ldap object: [dn=cn=testsamacc ,CN=Users

Shouldn’t this “dn=cn=testsamacc ,CN=Users” be “dn=cn=testsamacc,CN=Users” (without the space after the “testsamacc” and before the comma) ?

I find the notation of “dn=” off putting. ( But maybe that is just a logging artifact that could be improved? ) I would actually prefer the output in LDIF format. Example: dn: cn=testsamacc,CN=Users …. In LDIF form the attribute to be set is suffixed with a “: “ (or “:: “ for binary values) and the value is appended and line wrapped if needed.

HTH.

Carey Matthew

From: [mailto:] On Behalf Of Bee-Lindgren, Bert A
Sent: Monday, October 23, 2017 1:37 PM
To: Sawyer, Mona Zarei <>;
Cc: Coleman, Erik C <>;
Subject: Re: [grouper-users] PSPNG creates group in AD with random samaccountname

Maybe some whitespace issues?

Remove the space before the ||

dn:cn=${ grouperUtil.extensionFromName(group.name) } ||

Add a space after the colon:

samAccountName:${grouperUtil.extensionFromName(name)}

If one or both of these help, please create a jira so we can make the configuration more resilient.

Thanks,

Bert

From: <> on behalf of Sawyer, Mona Zarei <>
Sent: Monday, October 23, 2017 12:37 PM
To:
Cc: Coleman, Erik C;
Subject: RE: [grouper-users] PSPNG creates group in AD with random samaccountname

Ii made the change, but got the same error: groupCreationLdifTemplate = dn:cn=${ grouperUtil.extensionFromName(group.name) } ||objectclass: group ||samAccountName:${grouperUtil.extensionFromName(name)}

2017-10-23 12:33:29,055: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: testsamacc FROM ${ grouperUtil.extensionFromName(group.name) } WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,056: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.fetchTargetSystemGroups(388) - - pspng_activedirectory: Searching for 1 groups with:: (|(&(objectclass=group)(cn=testsamacc)))

2017-10-23 12:33:29,056: [pspng_activedirectory-FullSync-Thread] DEBUG LdapSystem.performLdapSearchRequest(424) - - Doing ldap search: [org.ldaptive.SearchFilter@-2105838738::filter=(|(&(objectclass=group)(cn=testsamacc))), parameters={}] / CN=Users,DC=cgcent,DC=miami,DC=edu / [cn, gidNumber, samAccountName, objectclass, member]

2017-10-23 12:33:29,057: [pspng_activedirectory-FullSync-Thread] DEBUG LdapSystem.performLdapSearchRequest(434) - - Using attribute-value paging

2017-10-23 12:33:29,057: [pspng_activedirectory-FullSync-Thread] DEBUG LdapSystem.performLdapSearchRequest(443) - - Using ldap search-result paging

2017-10-23 12:33:29,059: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.fetchTargetSystemGroups(402) - - pspng_activedirectory: Group search returned 0 groups

2017-10-23 12:33:29,082: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: testsamacc FROM ${ grouperUtil.extensionFromName(group.name) } WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,105: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: true FROM ${utils.containedWithin(provisionerName, stemAttributes['etc:pspng:provision_to'], groupAttributes['etc:pspng:provision_to']) && !utils.containedWithin(provisionerName, stemAttributes['etc:pspng:do_not_provision_to'], groupAttributes['etc:pspng:do_not_provision_to'])} WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,105: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.shouldGroupBeProvisioned(1318) - - pspng_activedirectory: Group UM_External_Groups:testsamacc matches group-selection filter.

2017-10-23 12:33:29,105: [pspng_activedirectory-FullSync-Thread] INFO LdapGroupProvisioner.createGroup(299) - - Creating LDAP group for GrouperGroup: UM_External_Groups:testsamacc

2017-10-23 12:33:29,129: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: testsamacc FROM ${ grouperUtil.extensionFromName(group.name) } WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,129: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: testsamacc FROM ${grouperUtil.extensionFromName(name)} WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,131: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.createGroup(329) - - pspng_activedirectory: LDIF for new group (with partial DN): dn:cn=testsamacc ||objectclass: group ||samAccountName:testsamacc

2017-10-23 12:33:29,131: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.createGroup(338) - - pspng_activedirectory: Adding group: [dn=cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu[[samAccountName[testsamacc]], [objectclass[group ]]]]

2017-10-23 12:33:29,131: [pspng_activedirectory-FullSync-Thread] INFO LdapProvisioner.performLdapAdd(722) - - pspng_activedirectory: Creating LDAP object: cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu

2017-10-23 12:33:29,132: [pspng_activedirectory-FullSync-Thread] INFO LdapSystem.performLdapAdd(329) - - umldap: Creating LDAP object: cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu

2017-10-23 12:33:29,134: [pspng_activedirectory-FullSync-Thread] ERROR LdapSystem.performLdapAdd(337) - - Problem while creating new ldap object: [dn=cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu[[samAccountName[testsamacc]], [objectclass[group ]]]]

[org.ldaptive.LdapException@1841854468::resultCode=NO_SUCH_ATTRIBUTE, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu', providerException=javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu']

at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)

at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)

at org.ldaptive.provider.jndi.JndiConnection.add(JndiConnection.java:326)

at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:335)

at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:725)

at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:340)

at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:47)

at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:749)

at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:475)

at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:598)

at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:256)

at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:188)

at java.lang.Thread.run(Thread.java:745)

Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3110)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3035)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2841)

at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)

at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:337)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:266)

at org.ldaptive.provider.jndi.JndiConnection.add(JndiConnection.java:315)

... 10 more

2017-10-23 12:33:29,135: [pspng_activedirectory-FullSync-Thread] ERROR LdapGroupProvisioner.createGroup(346) - - Problem while creating new group: dn:cn=testsamacc

objectclass: group

samAccountName:testsamacc

edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:338)