grouper-users - Re: [grouper-users] Re: Bushy PSPNG to AD provisioning question
  • From: "Bee-Lindgren, Bert" <>
  • To: Jeffrey Williams <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Re: Bushy PSPNG to AD provisioning question
  • Date: Wed, 29 Nov 2017 20:32:02 +0000

is [string shortening] being applied to the OU's in AD as well, or only group objects?


1) At GT, our group-provisioning is flat, so it has not come up
2) How often is a folder's name (or display name) > 64 characters?

The other thing with this approach is to reverse the CN so it is 
GroupExtension:GroupFolder:ParentFolder:GrandParentFolder 
so the most important part (GroupExtension) is not lost in the shortening.




From: Jeffrey Williams <>
Sent: Wednesday, November 29, 2017 2:30 PM
To: Bee-Lindgren, Bert
Cc:
Subject: Re: [grouper-users] Re: Bushy PSPNG to AD provisioning question
Hi Bert,

That's an interesting/cool way to handle the limitation.  If you're doing a bushy provisioning model with that idea, is this being applied to the OU's in AD as well, or only group objects?  When this occurs in provisioning, is the group/folder name in Grouper updated to reflect the change? 



On Wed, Nov 29, 2017 at 11:57 AM, Bee-Lindgren, Bert <> wrote:

Let's see if this makes sense. If so, we can add a jexl utility function to help or make it automatic in AD provisioners...


In my experience with Georgia Tech's Active-Directory provisioning (not a grouper process, but a ldap-to-ad process), CN's in Active Directory are limited to 64 characters. Within this GT process, we put the whole group path in the CN which means we semi-often run into the 64-character limit.


Here is how we dealt with that limit:

a) Don't do anything unusual with the cn if it is <=64 chars

b) If the desired CN is >64 characters, we shorten the string to 59 characters (which might not be unique, of course) and then add -HASH where HASH is the first few characters of a hash of the entire CN.


So, for this example:

Let's say the group cn wants to be

Class-A_GROUPNAME_MUCHTOOLONG-FOR-FLAT-IN-ACTIVE-DIRECTORY-BECAUSE-CNs-MUST-BE-SHORT [84 characters]


At GT, this results in a group something like:

cn=Class-A_GROUPNAME_MUCHTOOLONG-FOR-FLAT-IN-ACTIVE-DIRECTORY--e15 (because e15 are the first characters of the hash of all 84 characters).


Obviously, the gobbly-gook at the end could confuse someone, but the beginning of the group's cn tends to be informative enough. In fact, we've been doing this for 5-10 years and no one has asked me.

So... what do people think? Or, how would people like to otherwise shorten CNs?



From: <> on behalf of Jeffrey Williams <>
Sent: Wednesday, November 29, 2017 11:35 AM
To:
Subject: [grouper-users] Re: Bushy PSPNG to AD provisioning question
Another line of particular interest from the logs:

2017-11-29 15:40:14,526: [DefaultQuartzScheduler_Worker-5] ERROR LdapSystem.performLdapAdd(336) -  - Problem while creating new ldap object: [dn=cn=Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD,ou=appName,ou=apps,ou=uncg,ou=devgroups,dc=devauth,dc=uncg,dc=edu[[ou[Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD]], [cn[Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD]], [objectclass[organizationalunit]]]]

I'm pretty new to Grouper, so I may be missing something obvious to the more experienced eye.  I can provide more info upon request.

Thanks

-Jeff



On Tue, Nov 28, 2017 at 5:39 PM, Jeffrey Williams <> wrote:
I'm working on switching to a bushy hierarchy in grouper and am encountering this sort of error:

[LDAP: error code 64 - 00002073: NameErr: DSID-03050E53, problem 2005 (NAMING_VIOLATION), data 0, best match of: 'cn=Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD,ou=appName,ou=apps,ou=uncg,ou=devgroups,dc=devauth,dc=uncg,dc=edu'

I based the PSPNG config off of the AD template and the bushy configuration suggestion. This is what I'm currently using for the groupCreationLdifTemplate:

groupCreationLdifTemplate = dn: cn=${group.name},${utils.bushyDn(group.name, "cn", "ou")}||cn: ${group.name}||objectclass: group


The flat version works fine (except for a 64-char DN limit):
groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group

I switch back to flat and it works just fine.  Any ideas what I might be missing here?

--
Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)








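As an added example (not Bert's, Jeff's, or Grouper's own code), here is the CN-shortening rule from Bert's message together with the path-reversal idea from his reply, plus a check that the mapping is deterministic and collision-free within a batch. The thread does not say which hash GT uses, so SHA-256, the 3-character suffix and the ":" path separator are assumptions.

```python
import hashlib

# Constructed from the thread: the 84-character CN that exceeds AD's 64-char limit.
LONG_CN = ("Class-A_GROUPNAME_MUCHTOOLONG-FOR-FLAT-IN-ACTIVE-DIRECTORY"
           "-BECAUSE-CNs-MUST-BE-SHORT")

MAX_CN = 64     # AD CN limit described in the thread
KEEP = 59       # prefix length kept by the GT process
HASH_CHARS = 3  # length of the suffix after the "-" (e.g. "e15" in the thread)


def shorten_cn(cn: str, max_len: int = MAX_CN, keep: int = KEEP,
               hash_chars: int = HASH_CHARS) -> str:
    """Return cn unchanged if it fits; otherwise keep the first `keep` characters
    and append '-' plus the first `hash_chars` of a hash of the WHOLE cn.
    Hashing the full string is what keeps two long names that share a prefix
    apart. SHA-256 is an assumption; the thread does not name the hash."""
    if len(cn) <= max_len:
        return cn
    digest = hashlib.sha256(cn.encode("utf-8")).hexdigest()
    return f"{cn[:keep]}-{digest[:hash_chars]}"


def reverse_path(group_name: str, sep: str = ":") -> str:
    """Bert's second suggestion: GroupExtension:GroupFolder:ParentFolder:...
    so truncation removes the ancestors rather than the group extension."""
    return sep.join(reversed(group_name.split(sep)))


def ad_cn_for(group_name: str) -> str:
    """Combine both ideas: reverse the Grouper path, then apply the length rule."""
    return shorten_cn(reverse_path(group_name))


def check_batch(group_names):
    """Defender-side check before provisioning a batch: every CN fits, the
    mapping is stable across runs, and no two groups collapse onto one CN.
    Returns (all_fit, collisions) where collisions is a list of (a, b, cn)."""
    seen, collisions = {}, []
    for name in group_names:
        cn = ad_cn_for(name)
        assert cn == ad_cn_for(name), "mapping must be deterministic"
        if cn in seen and seen[cn] != name:
            collisions.append((seen[cn], name, cn))
        seen[cn] = name
    return all(len(c) <= MAX_CN for c in seen), collisions
```

With only 3 hash characters (4096 values) a collision within one OU is unlikely but not impossible, so `check_batch` is the kind of guard a provisioner should run rather than trusting the suffix alone.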

Archive powered by MHonArc 2.6.19.
