
grouper-users - RE: [grouper-users] RE: PSPNG issues

Subject: Grouper Users - Open Discussion List

  • From: "Black, Carey M." <>
  • To: Jeffrey Williams <>, Dave Churchley <>
  • Cc: "Bee-Lindgren, Bert" <>, Grouper-Users <>
  • Subject: RE: [grouper-users] RE: PSPNG issues
  • Date: Fri, 2 Mar 2018 14:45:18 +0000

I could be off base here… but… Is this an AD limitation that PSPNG (or the config of these jobs) is not handling well?

 

 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756101(v=ws.10)

                NOTE well: “windows-server-2008-R2-and-2008”  YMMV in other versions… but it might be the same conditions in later OS’s too….

 

                “Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.)

                …

                “Common names are limited to 64 characters. For more information, see Common-Name Attribute (http://go.microsoft.com/fwlink/?LinkId=153706).

                …

                “OU names are limited to 64 characters.

                                Also supported by https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

                                                Covering “Applies to: Windows Server 2012 Standard; Windows Server 2012 Standard; Windows Server 2008 R2 Standard; Windows Server 2008 Standard; Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86); Microsoft Windows Server 2003 R2 Standard x64 Edition; Microsoft Windows Server 2003, Standard Edition (32-bit x86); Microsoft Windows Server 2003, Standard x64 Edition; Microsoft Windows 2000 Server”

 

 

My guess is that the PSP-NG loop is an error (not being logged?) and the operation is being retried.

 

Maybe you could look at the values that are being used and find shorter and unique values (OU, DN, etc…) to send instead?

                Assuming that this is really an AD limitation, you may have no other choice than to ultimately solve it with such a solution. (Though it would be nice if the PSP code could “error better” to give the users a clue about how to fix it. :) )

 

HTH.

 

--

Carey Matthew

 

From: [mailto:] On Behalf Of Jeffrey Williams
Sent: Friday, March 2, 2018 9:05 AM
To: Dave Churchley <>
Cc: Bee-Lindgren, Bert <>; Grouper-Users <>
Subject: Re: [grouper-users] RE: PSPNG issues

 

Is there a difference between  ${grouperUtil.extensionFromName(name)} and ${group.extension}?

 

And

 

 When PSP-NG can’t update AD, the whole process gets stuck and no other updates go through. It doesn’t skip the one it’s having a problem with.

 

We're seeing this as well for when PSPNG attempts to provision a group whose name length > 64.  PSPNG stays in a loop until the daemon is stopped and the needle on the provisioner is moved past the offending changelogs.

 

On Fri, Mar 2, 2018 at 8:15 AM, Dave Churchley <> wrote:

Hi Bert

 

We’ve recently started looking at PSPNG again. I have a fully patched Grouper 2.3.0 but we’re still experiencing provisioning errors when a group name has special characters in it. I’m assuming I’ve got a configuration error in my groupCreationLdifTemplate but I’ve tried all sorts of different combinations and haven’t been able to get it to work yet.

 

I haven’t been able to find any definitive documentation. Is it possible to update the info at https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG#GrouperProvisioning:PSPNG-ACTIVEDIRECTORYGROUPS? Or is there somewhere else I should be looking?

 

For info, this is where we’ve got to so far:

 

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name,"cn","ou")}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: group||samaccountname: ${grouperUtil.extensionFromName(name)}||description: ${group.description} ${grouperUtil.extensionFromName(name)}

 

Any suggestions would be more than welcome!

 

I’ve just spotted that https://bugs.internet2.edu/jira/browse/GRP-1533 has been reopened. Is it actually the case that there isn’t a solution to this yet?

 

Thanks
Dave

 

 

 

From: [mailto:] On Behalf Of Bee-Lindgren, Bert
Sent: 02 August 2017 00:31
To: Dave Churchley <>; Grouper-Users <>
Subject: [grouper-users] Re: PSPNG issues

 

Hello,

 

PSPNG 2.3 Patch 14 now makes sure that the escaping sticks all the way through the expressions and into LDAP; there was a gap in that process as Patch 13 implemented it.

 

In response to several of your other problems, my next task is to (as quickly as possible) address the updates that do not get propagated to LDAP groups name/description (GRP-1345) and DN (GRP-1346).

 

Thanks,

  Bert Bee-Lindgren

 


From: Bee-Lindgren, Bert
Sent: Wednesday, July 26, 2017 11:40 AM
To: Dave Churchley; Grouper-Users
Subject: Re: PSPNG issues

 

bushyDn should already do all the escaping that is necessary. It was tested with OU commas and escapeLdapRdn was tested with group-name commas, but I'm duplicating and patching the problem with bushyDn and group-name commas/pluses.

 


From: <> on behalf of Dave Churchley <>
Sent: Tuesday, July 25, 2017 12:13 PM
To: Grouper-Users
Subject: [grouper-users] RE: PSPNG issues

 

Good afternoon

I see that Bert has released a patch for issue https://bugs.internet2.edu/jira/browse/GRP-1533

I've installed the patch but I'm still seeing the same issue (with  + and , for example).

I suspect that I need to do something with utils.escapeLdapRdn(string) in grouper-loader.properties. I've tried various things but haven't been able to work it out yet. Any advice, please?

I've attached the relevant part of grouper-loader.properties.

Thanks
Dave

>-----Original Message-----
>From: [mailto:] On Behalf Of Dave Churchley
>Sent: 19 July 2017 14:43
>To: Grouper-Users <>
>Subject: [grouper-users] RE: PSPNG issues
>
>Just to add to number 1 below, it seems that PSPNG also struggles with plus
>signs, parentheses and spaces in group names. This could be related to
>https://bugs.internet2.edu/jira/browse/GRP-1533?
>
>Thanks
>Dave
>
>>-----Original Message-----
>>From: [mailto:] On Behalf Of Dave Churchley
>>Sent: 18 July 2017 16:56
>>To: Grouper-Users <>
>>Subject: [grouper-users] PSPNG issues
>>
>>Hi
>>
>>I'm currently testing PSPNG provisioning to a test AD. So far, I really like what I
>>see but I've now run into a couple of snags.
>>
>>1. I get an error when the Grouper group name has multiple consecutive
>>asterisks, eg LIBR_Auto_CEG****. The old PSP service could handle this group
>>name. I've attached an extract from grouper_error.log to show the error.
>>
>>2. Related to the above, when the full sync can't provision a group, it appears
>>to get stuck and retry every second. This means that it will never complete. I
>>think it would be preferable to write a nice error and then skip that group.
>>
>>I'm not sure if these are real issues or if I'm doing something wrong, so any
>>advice would be appreciated! Also, is there a gsh command to force PSPNG to
>>sync a specific group? Similar to the old PSP?
>>
>>Thanks
>>Dave
>>
>>Dave Churchley
>>Newcastle University



 

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)
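
Added example, not part of the original thread and not PSPNG code: a Python pre-flight check for the two conditions discussed above, names longer than the 64-character CN/OU limit and characters that are special in DN strings (RFC 4514) or search filters (RFC 4515). The function names, the simplified cn=/ou= DN layout with no base DN, and the sample group names are assumptions made for illustration; only LIBR_Auto_CEG**** comes from the thread.

```python
# Added example (not PSPNG code): pre-flight check for Grouper group names
# before they are provisioned to Active Directory.
AD_NAME_MAX = 64  # CN / OU name limit quoted in the thread from Microsoft's docs

def escape_rdn_value(value):
    """Escape a value for use inside a DN string (RFC 4514, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '\\",+;<>' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def preflight(group_name):
    """Return (dn, problems) for a colon-separated Grouper group name.

    Assumption: stems map to ou= RDNs and the extension to cn=, a simplified
    model of a "bushy" DN with no base DN appended.
    """
    parts = group_name.split(":")
    kinds = ["ou"] * (len(parts) - 1) + ["cn"]
    problems = [
        f"{kind} value is {len(part)} characters, limit is {AD_NAME_MAX}"
        for kind, part in zip(kinds, parts) if len(part) > AD_NAME_MAX
    ]
    rdns = [f"{kind}={escape_rdn_value(part)}" for kind, part in zip(kinds, parts)]
    return ",".join(reversed(rdns)), problems

if __name__ == "__main__":
    # Constructed sample names; LIBR_Auto_CEG**** is the extension quoted in the thread.
    samples = [
        "test:library:LIBR_Auto_CEG****",
        "test:hr:Staff, Full+Part (2018)",
        "test:research:" + "very_long_project_group_name_" * 3,
    ]
    for name in samples:
        dn, problems = preflight(name)
        ext = name.rsplit(":", 1)[-1]
        print(dn)
        print("  filter:", f"(cn={escape_filter_value(ext)})")
        for p in problems:
            print("  SKIP:", p)
```

Running a check like this over the group list before a full sync identifies names that would be rejected, so they can be renamed or excluded rather than discovered through a stalled changelog consumer.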



