Grouper Users - Open Discussion List

[Jeffrey Williams <>]

2) How often is a folder's name (or display name) > 64 characters?

We have not encountered this ourselves.  The thought came up while looking at the error logs and seeing where PSPNG seemingly was trying to provision a long group name as an OU. 

Try ${group.extension} to see if that’s the current problem, 

Like so?  dn: ${utils.bushyDn(group.name,"cn","ou")}||cn: ${group.extension}||objectclass: group 

if so, it does provision a few groups before throwing DUPLICATE_ENTRIES errors.  I think that's the duplicate entries you were mentioning before.  I'm trying to see if there's a log I can turn up that'll show me what value is it bricking on.  If you know of one, do share.

  

and then let’s continue this thread for how to better shorten them. 

In your experience, do consumers wind up keeping the shortened names or decide on another name that fits the requirement?  I'm thinking UNCG would use it as a means of identifying groups for remediation. and would not keep them long-term.  

On Wed, Nov 29, 2017 at 3:32 PM, Bee-Lindgren, Bert <> wrote:

>  is [string shortening] being applied to the OU's in AD as well, or only group objects?

1) At GT, our group-provisioning is flat, so it has not come up

2) How often is a folder's name (or display name) > 64 characters?

The other thing with this approach is to reverse the CN so it is 

GroupExtension:GroupFolder:ParentFolder:GrandParentFolder 

so the most important part (GroupExtension) is not lost in the shortening.

---

From: Jeffrey Williams <>
Sent: Wednesday, November 29, 2017 2:30 PM
To: Bee-Lindgren, Bert
Cc:
Subject: Re: [grouper-users] Re: Bushy PSPNG to AD provisioning question

 

Hi Bert,

That's an interesting/cool way to handle the limitation.  If you're doing a bushy provisioning model with that idea, is this being applied to the OU's in AD as well, or only group objects?  When this occurs in provisioning, is the group/folder name in Grouper updated to reflect the change? 

On Wed, Nov 29, 2017 at 11:57 AM, Bee-Lindgren, Bert <> wrote:

Let's see if this makes sense. If so, we can add a jexl utility function to help or make it automatic in AD provisioners...

In my experience with Georgia Tech's Active-Directory provisioning (not a grouper process, but a ldap-to-ad process), CN's in Active Directory are limited to 64 characters. Within this GT process, we put the whole group path in the CN which means we semi-often run into the 64-character limit.

Here is how we dealt with that limit:

a) Don't do anything unusual with the cn if it is <=64 chars

b) If the desired CN is >64 characters, we shorten the string to 59 characters (which might not be unique, of course) and then add -HASH where HASH is the first few characters of a hash of the entire CN.

So, for this example:

Let's say the group cn wants to be

Class-A_GROUPNAME_MUCHTOOLONG-FOR-FLAT-IN-ACTIVE-DIRECTORY-BECAUSE-CNs-MUST-BE-SHORT [84 characters]

At GT, this results in a group something like:

cn=Class-A_GROUPNAME_MUCHTOOLONG-FOR-FLAT-IN-ACTIVE-DIRECTORY--e15 (because e15 are the first characters of the hash of all 84 characters).

Obviously, the gobbly-gook at the end could confuse someone, but the beginning of the group's cn tends to be informative enough. In fact, we've been doing this for 5-10 years and no one has asked me.

So... what do people think? Or, how would people like to otherwise shorten CNs?

---

From: <> on behalf of Jeffrey Williams <>
Sent: Wednesday, November 29, 2017 11:35 AM
To:
Subject: [grouper-users] Re: Bushy PSPNG to AD provisioning question

 

Another line of particular interest from the logs:

2017-11-29 15:40:14,526: [DefaultQuartzScheduler_Worker-5] ERROR LdapSystem.performLdapAdd(336) -  - Problem while creating new ldap object: [dn=cn=Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD,ou=appName,ou=apps,ou=uncg,ou=devgroups,dc=devauth,dc=uncg,dc=edu[[ou[Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD]], [cn[Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD]], [objectclass[organizationalunit]]]]

I'm pretty new to Grouper, so I may be missing something obvious to the more experienced eye.  I can provide more info upon request.

Thanks

-Jeff

On Tue, Nov 28, 2017 at 5:39 PM, Jeffrey Williams <> wrote:

I'm working on switching to a bushy hierarchy in grouper and am encountering this sort of error:

[LDAP: error code 64 - 00002073: NameErr: DSID-03050E53, problem 2005 (NAMING_VIOLATION), data 0, best match of: 'cn=Class-A_GROUPNAME_MUCHTOOLONG-FORFLATINAD,ou=appName,ou=apps,ou=uncg,ou=devgroups,dc=devauth,dc=uncg,dc=edu'

I based the PSPNG config off of the AD template and the bushy configuration suggestion. This is what I'm currently using for the groupCreationLdifTemplate = dn: cn=${group.name},${utils.bushyDn(group.name, "cn", "ou")}||cn: ${group.name}||objectclass: group

The flat version works fine(except for a 64-char DN limit):

groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group

I switch back to flat and it works just fine.  Any ideas what I might be missing here?

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)