Grouper Users - Open Discussion List

["Bee-Lindgren, Bert" <>]

Let's see if this makes sense. If so, we can add a jexl utility function to help or make it automatic in AD provisioners...

In my experience with Georgia Tech's Active-Directory provisioning (not a grouper process, but a ldap-to-ad process), CN's in Active Directory are limited to 64 characters. Within this GT process, we put the whole group path in the CN which means we semi-often run into the 64-character limit.

Here is how we dealt with that limit:

a) Don't do anything unusual with the cn if it is <=64 chars

b) If the desired CN is >64 characters, we shorten the string to 59 characters (which might not be unique, of course) and then add -HASH where HASH is the first few characters of a hash of the entire CN.

So, for this example:

Let's say the group cn wants to be

Class-A_GROUPNAME_MUCHTOOLONG-FOR-FLAT-IN-ACTIVE-DIRECTORY-BECAUSE-CNs-MUST-BE-SHORT [84 characters]

At GT, this results in a group something like:

cn=Class-A_GROUPNAME_MUCHTOOLONG-FOR-FLAT-IN-ACTIVE-DIRECTORY--e15 (because e15 are the first characters of the hash of all 84 characters).

Obviously, the gobbly-gook at the end could confuse someone, but the beginning of the group's cn tends to be informative enough. In fact, we've been doing this for 5-10 years and no one has asked me.

So... what do people think? Or, how would people like to otherwise shorten CNs?

---

From: <> on behalf of Jeffrey Williams <>
Sent: Wednesday, November 29, 2017 11:35 AM
To:
Subject: [grouper-users] Re: Bushy PSPNG to AD provisioning question

 

Another line of particular interest from the logs:

2017-11-29 15:40:14,526: [DefaultQuartzScheduler_Worker-5] ERROR LdapSystem.performLdapAdd(336) -  - Problem while creating new ldap object: [dn=cn=Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD,ou=appName,ou=apps,ou=uncg,ou=devgroups,dc=devauth,dc=uncg,dc=edu[[ou[Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD]], [cn[Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD]], [objectclass[organizationalunit]]]]

I'm pretty new to Grouper, so I may be missing something obvious to the more experienced eye.  I can provide more info upon request.

Thanks

-Jeff

On Tue, Nov 28, 2017 at 5:39 PM, Jeffrey Williams <> wrote:

I'm working on switching to a bushy hierarchy in grouper and am encountering this sort of error:

[LDAP: error code 64 - 00002073: NameErr: DSID-03050E53, problem 2005 (NAMING_VIOLATION), data 0, best match of: 'cn=Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD,ou=appName,ou=apps,ou=uncg,ou=devgroups,dc=devauth,dc=uncg,dc=edu'

I based the PSPNG config off of the AD template and the bushy configuration suggestion. This is what I'm currently using for the groupCreationLdifTemplate = dn: cn=${group.name},${utils.bushyDn(group.name, "cn", "ou")}||cn: ${group.name}||objectclass: group

The flat version works fine(except for a 64-char DN limit):

groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group

I switch back to flat and it works just fine.  Any ideas what I might be missing here?

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)