Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Re: Bushy PSPNG to AD provisioning question

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Re: Bushy PSPNG to AD provisioning question

Chronological Thread 
  • From: "Bee-Lindgren, Bert" <>
  • To: Jeffrey Williams <>, "" <>
  • Subject: Re: [grouper-users] Re: Bushy PSPNG to AD provisioning question
  • Date: Wed, 29 Nov 2017 16:57:19 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:R603IxDrqfUIRR5tSFWnUyQJP3N1i/DPJgcQr6AfoPdwSP36pciwAkXT6L1XgUPTWs2DsrQf2rqQ6/iocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbQhFgDmwbaluIBmqsA7cqtQYjYx+J6gr1xDHuGFIe+NYxWNpIVKcgRPx7dqu8ZBg7ipdpesv+9ZPXqvmcas4S6dYDCk9PGAu+MLrrxjDQhCR6XYaT24bjwBHAwnB7BH9Q5fxri73vfdz1SWGIcH7S60/VC+85Kl3VhDnlCYHNyY48G7JjMxwkLlbqw+lqxBm3oLYfJ2ZOP94c6jAf90VWHBBU95RWSJfH428c4UBAekPPelaronyu1QBoACkCgWwGO/i0CNEimPr0aA8zu8vERvG3AslH98WvnjZscv6O7kLXe6zzanIyyjMb/xM2Tjj7ojEag0qrOySUrJqbcrdx1QkGgTegVqOs4zlIymZ2f8TvGeF9uZgUeOvi2g6pAF+uDig2MEsh5LOhoIU1lDI7yp5z5wpJdKmVEF7YcSoH4VNuCGHLoZ7RN4pTW9vuCY/0LIGuJi7cTAFyJQ9wB7fduSHf5KO4h35UeaePzF1j29mdrKnnxu+71KvxvHhWsSxzVpGszdJn9zCtn0CyxDf9s2KSvVj8Uqu1juC0gXe5+NZLUwqjabXNZ8szqMsmpcWrEjOESz7lUDrgK+Yakko5O2l5/npb7n6upORMoF5hh/xP6ktn8GyAeY1PwgOUmWe9umx1rLu8VD8TblXgP06j6bUvZbHLsoBvKG5GRVa0oM75ha/ETim1NMYkGEfIl9ZfxyLk5blN0jTLv7gEPuzmlOsnyx1yPzcOb3hH4nNIWPEkLf8e7Zy9lRQyBIpzdBY+5JbFK0OIO7yWk/2stzUFBg5MxGow+bjD9V90YAeVXiTDa+eNaPeqV6I5uQxLOmQfIIZpizyJ+Q46/PrkHM1hEIRcKyn3ZYYdHy0AvFrI0uHbnfjjdoMFGIHswgjQOD0kFGCVCRcZ3e2X6Iy/DE7D4emAJ/YSY+zmryBwD23EYZIaW9YE1yMFXbod4OZVPcDciKdPMlhnycDVbigV48tzx6uuxXmy7V5MuXU+jcUuoz+29ho/+HTjw099SRoD8SB1GGAV250nnkPRz8rxKBwv1Z9xk6e0ahjnfNYD8dT6uhNUgc7Lp7c0/d6B87oVgLAeNeJVEipQs+gAT4vUtI93cUCbFhgFNW/3Vj/2H+IDrEbjbGaTKM19qbd1n3qb5J/xWnH0K0ghnE7RMBAc2Cqm/g7v0LcHYnUi0iD0ruxeL4H9C/L6GqZy2eS5gdVXBM6GfHKR3cCfkbM6Mni61nZZ76oFbk9NAZdk4iPJrYcOfPzilATDt3uNZH6YmS9lH29A1LA7L6WcMCiL28QxjmbAkUJ1gQS+3qJLwU4LiCgvyTRBSBjHlKpbk/xp7ot4EinR1M5mlnZJ3Zq0KC4r1tM3aSR
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Let's see if this makes sense. If so, we can add a jexl utility function to help or make it automatic in AD provisioners...

In my experience with Georgia Tech's Active-Directory provisioning (not a grouper process, but a ldap-to-ad process), CN's in Active Directory are limited to 64 characters. Within this GT process, we put the whole group path in the CN which means we semi-often run into the 64-character limit.

Here is how we dealt with that limit:

a) Don't do anything unusual with the cn if it is <=64 chars

b) If the desired CN is >64 characters, we shorten the string to 59 characters (which might not be unique, of course) and then add -HASH where HASH is the first few characters of a hash of the entire CN.

So, for this example:

Let's say the group cn wants to be


At GT, this results in a group something like:

cn=Class-A_GROUPNAME_MUCHTOOLONG-FOR-FLAT-IN-ACTIVE-DIRECTORY--e15 (because e15 are the first characters of the hash of all 84 characters).

Obviously, the gobbly-gook at the end could confuse someone, but the beginning of the group's cn tends to be informative enough. In fact, we've been doing this for 5-10 years and no one has asked me.

So... what do people think? Or, how would people like to otherwise shorten CNs?

From: <> on behalf of Jeffrey Williams <>
Sent: Wednesday, November 29, 2017 11:35 AM
Subject: [grouper-users] Re: Bushy PSPNG to AD provisioning question
Another line of particular interest from the logs:

2017-11-29 15:40:14,526: [DefaultQuartzScheduler_Worker-5] ERROR LdapSystem.performLdapAdd(336) -  - Problem while creating new ldap object: [dn=cn=Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD,ou=appName,ou=apps,ou=uncg,ou=devgroups,dc=devauth,dc=uncg,dc=edu[[ou[Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD]], [cn[Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD]], [objectclass[organizationalunit]]]]

I'm pretty new to Grouper, so I may be missing something obvious to the more experienced eye.  I can provide more info upon request.



On Tue, Nov 28, 2017 at 5:39 PM, Jeffrey Williams <> wrote:
I'm working on switching to a bushy hierarchy in grouper and am encountering this sort of error:

[LDAP: error code 64 - 00002073: NameErr: DSID-03050E53, problem 2005 (NAMING_VIOLATION), data 0, best match of: 'cn=Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD,ou=appName,ou=apps,ou=uncg,ou=devgroups,dc=devauth,dc=uncg,dc=edu'

I based the PSPNG config off of the AD template and the bushy configuration suggestion. This is what I'm currently using for the groupCreationLdifTemplate = dn: cn=${},${utils.bushyDn(, "cn", "ou")}||cn: ${}||objectclass: group

The flat version works fine(except for a 64-char DN limit):
groupCreationLdifTemplate = dn: cn=${}||cn: ${}||objectclass: group

I switch back to flat and it works just fine.  Any ideas what I might be missing here?

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)

Archive powered by MHonArc 2.6.19.

Top of Page