grouper-users - RE: [grouper-users] PSPNG creates group in AD with random samaccountname

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] PSPNG creates group in AD with random samaccountname

From: "Sawyer, Mona Zarei" <>
To: "Bee-Lindgren, Bert" <>, "Black, Carey M." <>
Cc: "" <>
Subject: RE: [grouper-users] PSPNG creates group in AD with random samaccountname
Date: Mon, 23 Oct 2017 19:53:09 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is ) ;
Ironport-phdr: 9a23:+vNvbxJ5naXKJndoXNmcpTZWNBhigK39O0sv0rFitYgXKvT7rarrMEGX3/hxlliBBdydsKMUzbKO+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZPebgFLiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPdeRWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbYUwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr0vRz+s87lkRwPpiCcfNj427mfXitBrjKlGpB6tvgFzz5LIbI2QMvd1Y6HTcs4ARWdZXshfSTFPAp+yYYUMAeoOP+dYoJXyqFYVtxuyGRWgCfnzxjNUmHP727Ax3eQ7EQHB2QwtB9wCvmnOo9T7NKYdT/q1wLHVxjvEaPNW3y3y45XLfR87u/GDQ7NwfcTMwkQoEgPFiVOQppbkPj6O0+QNsnKU7+9hVe61lWEothxxryGpy8wxhIfJgYcVxUrF9SV/2Is1Ktq4SEl0Yd6gDpRcrT2VN4xzQs86X2FouDw6xaMctpGmZiQK0oknxxjHZ/yIaYiI5Q/jVP6LLTd+nn1lfaywiw618Ui91u38Us600FFJriZfjtbMsXUN2wTX6siARft98Vmu2SyV2w/N9+5EPEY5nrfYJZ452rM8iIAcvVjeEiLzhUn6kbKae0Aq+uWn9+jrfrDrppGCOIJ7lw3zN6Ejl86iDegmKgQCQnaX9OCm2LH+/0D1Xa9GguM5n6TdqpzWOMsWqrC/DgRIyIgs8Qy/AC2j0NkAnXkIMlZFeBWfgobxJ1zAJ+z0Aeqmj1mxiDlmyenKPrr6DZrTNHTDl6rhfapm5E5b1Qozy81Q64hMCrEbJ/LzRlH+u8DEDh84NAy0xfzrCNJg1oMCXWKPBaiZMKDIvVCU4eIvJvGAZI4TuDnjN/go/+DigmUllVMAeKSlwIYbZG29E/RoLEiVfWbgj9IPEWgUsQcyUennhViAXDJOeXq+R6c86Ss6CIKiA4fDXIetgLmZ0Se+GZ1WYHpJC1GXHHftdoWLQfIMaCOILsB/jzMESKCtS5U92hG2qA/6171nI/Lb+i0CspLjycB16PPJlR0r6Dx0FNqS03uWT2xvmmMIRiQ23LxkoUBj0FuD0K54g+BGGtxJ4fNGTBs6OYDGw+NkFt/yR1GJQtDcAnyrT5CCADc9Qcg8xZtGSUtnB5/q2hrOxTbsCbIY0riKApA76K/a93/wO4BywmrL36lnglU7FI8Hf0eij6V8s0D4DpTEgg280eziIa4Y1SXOsj7ZlkKJp1weXQJtB/brR3caMwHtpMvo61mGB5qpD71vAAJbxM/IYv9Pbdvgn31DRf7mOZLTb3/nyDT4PgqB2r7ZNNmiQG4axiiITRFcyw0=
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99

It was the white space issue. It worked fine when I did what Bert suggested.

dn:cn=${ grouperUtil.extensionFromName(group.name) }||objectclass: group||samAccountName: ${grouperUtil.extensionFromName(group.name)}

Thanks a lot for your time and help.

Thank you so much,

Best Reagrds,

Mona Z Sawyer M.Sc.

Programmer Intermediate

Middleware and Identity Services

Information Technology | University of Miami

1320 S. Dixie Hwy | Suite 1000.49

Coral Gables, Fl 33146

305-284-2214

"At the U, we transform lives through teaching, research and service."

UMIT Logo -
Email Signature

From: Bee-Lindgren, Bert [mailto:]
Sent: Monday, October 23, 2017 3:42 PM
To: Black, Carey M. <>; Sawyer, Mona Zarei <>
Cc:
Subject: Re: [grouper-users] PSPNG creates group in AD with random samaccountname

Yes, you're right, Carey! It was nagging me, but I couldn't quite put my finger on it.

From: Black, Carey M. <>
Sent: Monday, October 23, 2017 3:35 PM
To: Sawyer, Mona Zarei
Cc: Bee-Lindgren, Bert
Subject: RE: [grouper-users] PSPNG creates group in AD with random samaccountname

I could be wrong… but…. This does not look correct ( in an LDAP sense) to me…

2017-10-23 12:33:29,134: [pspng_activedirectory-FullSync-Thread] ERROR LdapSystem.performLdapAdd(337) - - Problem while creating new ldap object: [dn=cn=testsamacc ,CN=Users

Shouldn’t this “dn=cn=testsamacc ,CN=Users” be “dn=cn=testsamacc,CN=Users” (without the space after the “testsamacc” and before the comma) ?

I find the notation of “dn=” off putting. ( But maybe that is just a logging artifact that could be improved? ) I would actually prefer the output in LDIF format. Example: dn: cn=testsamacc,CN=Users …. In LDIF form the attribute to be set is suffixed with a “: “ (or “:: “ for binary values) and the value is appended and line wrapped if needed.

HTH.

Carey Matthew

From: [] On Behalf Of Bee-Lindgren, Bert A
Sent: Monday, October 23, 2017 1:37 PM
To: Sawyer, Mona Zarei <>;
Cc: Coleman, Erik C <>;
Subject: Re: [grouper-users] PSPNG creates group in AD with random samaccountname

Maybe some whitespace issues?

Remove the space before the ||

dn:cn=${ grouperUtil.extensionFromName(group.name) } ||

Add a space after the colon:

samAccountName:${grouperUtil.extensionFromName(name)}

If one or both of these help, please create a jira so we can make the configuration more resilient.

Thanks,

Bert

From: <> on behalf of Sawyer, Mona Zarei <>
Sent: Monday, October 23, 2017 12:37 PM
To:
Cc: Coleman, Erik C;
Subject: RE: [grouper-users] PSPNG creates group in AD with random samaccountname

Ii made the change, but got the same error: groupCreationLdifTemplate = dn:cn=${ grouperUtil.extensionFromName(group.name) } ||objectclass: group ||samAccountName:${grouperUtil.extensionFromName(name)}

2017-10-23 12:33:29,055: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: testsamacc FROM ${ grouperUtil.extensionFromName(group.name) } WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,056: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.fetchTargetSystemGroups(388) - - pspng_activedirectory: Searching for 1 groups with:: (|(&(objectclass=group)(cn=testsamacc)))

2017-10-23 12:33:29,056: [pspng_activedirectory-FullSync-Thread] DEBUG LdapSystem.performLdapSearchRequest(424) - - Doing ldap search: [org.ldaptive.SearchFilter@-2105838738::filter=(|(&(objectclass=group)(cn=testsamacc))), parameters={}] / CN=Users,DC=cgcent,DC=miami,DC=edu / [cn, gidNumber, samAccountName, objectclass, member]

2017-10-23 12:33:29,057: [pspng_activedirectory-FullSync-Thread] DEBUG LdapSystem.performLdapSearchRequest(434) - - Using attribute-value paging

2017-10-23 12:33:29,057: [pspng_activedirectory-FullSync-Thread] DEBUG LdapSystem.performLdapSearchRequest(443) - - Using ldap search-result paging

2017-10-23 12:33:29,059: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.fetchTargetSystemGroups(402) - - pspng_activedirectory: Group search returned 0 groups

2017-10-23 12:33:29,082: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: testsamacc FROM ${ grouperUtil.extensionFromName(group.name) } WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,105: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: true FROM ${utils.containedWithin(provisionerName, stemAttributes['etc:pspng:provision_to'], groupAttributes['etc:pspng:provision_to']) && !utils.containedWithin(provisionerName, stemAttributes['etc:pspng:do_not_provision_to'], groupAttributes['etc:pspng:do_not_provision_to'])} WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,105: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.shouldGroupBeProvisioned(1318) - - pspng_activedirectory: Group UM_External_Groups:testsamacc matches group-selection filter.

2017-10-23 12:33:29,105: [pspng_activedirectory-FullSync-Thread] INFO LdapGroupProvisioner.createGroup(299) - - Creating LDAP group for GrouperGroup: UM_External_Groups:testsamacc

2017-10-23 12:33:29,129: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: testsamacc FROM ${ grouperUtil.extensionFromName(group.name) } WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,129: [pspng_activedirectory-FullSync-Thread] DEBUG Provisioner.evaluateJexlExpression(538) - - Evaluated Jexl _expression_: testsamacc FROM ${grouperUtil.extensionFromName(name)} WITH variables {idIndex=10183, userSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, stemAttributes={}, , groupSearchBaseDn=CN=Users,DC=cgcent,DC=miami,DC=edu, name=UM_External_Groups:testsamacc, provisionerName=pspng_activedirectory, group=Group[name=UM_External_Groups:testsamacc,uuid=48c65309d6934eaca8143a2dbf97a436], provisionerType=LdapGroupProvisioner}

2017-10-23 12:33:29,131: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.createGroup(329) - - pspng_activedirectory: LDIF for new group (with partial DN): dn:cn=testsamacc ||objectclass: group ||samAccountName:testsamacc

2017-10-23 12:33:29,131: [pspng_activedirectory-FullSync-Thread] DEBUG LdapGroupProvisioner.createGroup(338) - - pspng_activedirectory: Adding group: [dn=cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu[[samAccountName[testsamacc]], [objectclass[group ]]]]

2017-10-23 12:33:29,131: [pspng_activedirectory-FullSync-Thread] INFO LdapProvisioner.performLdapAdd(722) - - pspng_activedirectory: Creating LDAP object: cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu

2017-10-23 12:33:29,132: [pspng_activedirectory-FullSync-Thread] INFO LdapSystem.performLdapAdd(329) - - umldap: Creating LDAP object: cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu

2017-10-23 12:33:29,134: [pspng_activedirectory-FullSync-Thread] ERROR LdapSystem.performLdapAdd(337) - - Problem while creating new ldap object: [dn=cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu[[samAccountName[testsamacc]], [objectclass[group ]]]]

[org.ldaptive.LdapException@1841854468::resultCode=NO_SUCH_ATTRIBUTE, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu', providerException=javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu']

at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)

at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)

at org.ldaptive.provider.jndi.JndiConnection.add(JndiConnection.java:326)

at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:335)

at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:725)

at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:340)

at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:47)

at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:749)

at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:475)

at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:598)

at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:256)

at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:188)

at java.lang.Thread.run(Thread.java:745)

Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3110)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3035)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2841)

at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)

at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:337)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:266)

at org.ldaptive.provider.jndi.JndiConnection.add(JndiConnection.java:315)

... 10 more

2017-10-23 12:33:29,135: [pspng_activedirectory-FullSync-Thread] ERROR LdapGroupProvisioner.createGroup(346) - - Problem while creating new group: dn:cn=testsamacc

objectclass: group

samAccountName:testsamacc

edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090DB1, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'cn=testsamacc ,CN=Users,DC=cgcent,DC=miami,DC=edu'

at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:338)