Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] RE: PSPNG issues

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] RE: PSPNG issues


Chronological Thread 
  • From: Jeffrey Williams <>
  • To: "Black, Carey M." <>
  • Cc: Dave Churchley <>, "Bee-Lindgren, Bert" <>, Grouper-Users <>
  • Subject: Re: [grouper-users] RE: PSPNG issues
  • Date: Fri, 2 Mar 2018 10:56:30 -0500
  • Ironport-phdr: 9a23:154OYB3CeghuFJiVsmDT+DRfVm0co7zxezQtwd8ZseIRI/ad9pjvdHbS+e9qxAeQG9mDsLQc06L/iOPJYSQ4+5GPsXQPItRndiQuroEopTEmG9OPEkbhLfTnPGQQFcVGU0J5rTngaRAGUMnxaEfPrXKs8DUcBgvwNRZvJuTyB4Xek9m72/q99pHPbQhEniaxba9vJxiqsAvdsdUbj5F/Iagr0BvJpXVIe+VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PGAv5c3krgfMQA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7Vq4/Vyi84Kh3SR/okCYHOCA/8GHLkcx7kaZXrAu8qxBj34LYZYeYP+d8cKzAZ9MXXWhOXshRWSJPAY2ycpUBAPYaMOlCs4XwvUEDoQeiCQSuAu7k1z9GhmXx3a0/y+kvFR/J3AIuH9IUrnvVrMj+O6cTUeCxyKnIzC/Mb/ZN2Tzg74XIcB4hoP+NXbJ0dcrRyFMgGhjYjlWWtYPlMCmZ2foQvGiG9udtU/+khWAgqwF0uDevx8Esh5HIhoIT1lDL6z95wIArKt2kVkJ3e8CrH4ZNty2COIt2WMQiQ3xwuCogzL0Jo5u7czYMxZ86xBDfc+SKf5aJ7x7/VuucJDl4iXF+d76jghu//lSsxvHgWcSxzFlGsilIn9zJu3wT2RHe5M6KQeZn8Ei7wzaAzQXT5/lEIU8qkarbLIYswrsqmZoStUTPBzL2l1/qgKOPeUQo5Oal5ur9brXpoZ+cMIB0igXgPag0hsO/BuE4PhAPX2id5+u8yKXu8VP4TblWjPA7l6fZvZPBKsgHo6O0DBNZ3po/5Bu6EziqzNcVkHwCIV5bdh+KgZDlO1TUL/D5Cfe/jU6skDBux/3ePL3hDJvMLnnHkLflfLZy8VVRyBc1zd9D6JJYEK8OL+/uWkPprtzXEgc5MxCow+bgENh92ZkeWWWSAq+BLqzSq0aE5v80I+aSfo8Voy3wK/wk5/71kX85gkERcbOo3ZsRdHC3AO5mI0OHbnrwnNsNC3kFsRcjTL+itFrXGxRXbn2xG+oX7ys2GcqDS82LEoqpibeCmn7hRbVRfX0AB1yRRyTGbYKBDtUBZiyIL94prT0AUbmoTpRpgROgqw7+z7tuBvfS8SJeuJ7+gosmr9bPnA0/oGQnR/+W1HuAGiQtxjsF


On Fri, Mar 2, 2018 at 9:45 AM, Black, Carey M. <> wrote:

I could be off base here… but… Is this an AD limitation that PSPNG ( or the config of these jobs )  is not handling well?

That's my take on it.
 

 

Maybe you could look at the values that are being used and find shorter and unique values(OU, DN, etc…) to send instead?

I think it's fine with leaving it to the deployer to determine how to resolve the issue(I have a script to set DNP's on the long-name offenders).  It's the infinite retries blocking further valid provisioning that I think needs to be adjusted or configurable(ignoreADErrors:if isActiveDirectory AND ignoreADErrors are true, log returned errors and move the last provisioned needle), if possible. However, I'm not sure if such a request is within the scope of the "simpler, faster" model that PSPNG operates.
 

 

HTH.

 

--

Carey Matthew

 

From: [mailto:] On Behalf Of Jeffrey Williams
Sent: Friday, March 2, 2018 9:05 AM
To: Dave Churchley <>
Cc: Bee-Lindgren, Bert <>; Grouper-Users <>
Subject: Re: [grouper-users] RE: PSPNG issues

 

Is there a difference between  ${grouperUtil.extensionFromName(name)} and ${group.extension}?

 

And

 

 When PSP-NG can’t update AD, the whole process gets stuck and no other updates go through. It doesn’t skip the one it’s having a problem with.

 

We're seeing this as well for when PSPNG attempts to provision a group whose name length > 64.  PSPNG stays in a loop until the daemon is stopped and the needle on the provisioner is moved past the offending changelogs.

 

On Fri, Mar 2, 2018 at 8:15 AM, Dave Churchley <> wrote:

Hi Bert

 

We’ve recently started looking at PSPNG again. I have a fully patched Grouper 2.3.0 but we’re still experiencing provisioning errors when a group name has special characters in it. I’m assuming I’ve got a configuration error in my groupCreationLdifTemplate but I’ve tried all sorts of different combinations and haven’t been able to get it to work yet.

 

I haven’t been able to find any definitive documentation. Is it possible to update the info at https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG#GrouperProvisioning:PSPNG-ACTIVEDIRECTORYGROUPS? Or is there somewhere else I should be looking?

 

For info, this is where we’ve got to so far:

 

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name,"cn","ou")}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: group||samaccountname: ${grouperUtil.extensionFromName(name)}||description: ${group.description} ${grouperUtil.extensionFromName(name)}

 

Any suggestions would be more than welcome!

 

I’ve just spotted that https://bugs.internet2.edu/jira/browse/GRP-1533 has been reopened. Is it actually the case that there isn’t a solution to this yet?

 

Thanks
Dave

 

 

 

From: [mailto:] On Behalf Of Bee-Lindgren, Bert
Sent: 02 August 2017 00:31
To: Dave Churchley <>; Grouper-Users <>
Subject: [grouper-users] Re: PSPNG issues

 

Hello,

 

PSPNG 2.3 Patch 14 now makes sure that the escaping sticks all the way through the expressions and into LDAP; there was a gap in that process as Patch 13 implemented it.

 

In response to several of your other problems, my next task is to (as quickly as possible) address the updates that do not get propagated to LDAP groups name/description (GRP-1345) and DN (GRP-1346).

 

Thanks,

  Bert Bee-Lindgren

 

From: Bee-Lindgren, Bert
Sent: Wednesday, July 26, 2017 11:40 AM
To: Dave Churchley; Grouper-Users
Subject: Re: PSPNG issues

 

bushyDn should already do all the escaping that is necessary. It was tested with OU commas and escapleLdapRdn was tested with group-name commas, but I'm duplicating and patching the problem with bushyDn and group-name commas/pluses. 

 

From: <> on behalf of Dave Churchley <>
Sent: Tuesday, July 25, 2017 12:13 PM
To: Grouper-Users
Subject: [grouper-users] RE: PSPNG issues

 

Good afternoon

I see that Bert has released a patch for issue https://bugs.internet2.edu/jira/browse/GRP-1533

I've installed the patch but I'm still seeing the same issue (with  + and , for example).

I suspect that I need to do something with utils.escapeLdapRdn(string) in grouper-loader.properties. I've tried various things but haven't been able to work it out yet. Any advice, please?

I've attached the relevant part of grouper-loader.properties.

Thanks
Dave

>-----Original Message-----
>From: [mailto:
>] On Behalf Of Dave Churchley
>Sent: 19 July 2017 14:43
>To: Grouper-Users <>
>Subject: [grouper-users] RE: PSPNG issues
>
>Just to add to number 1 below, it seems that PSPNG also struggles with plus
>signs, parentheses and spaces in group names. This could be related to
>https://bugs.internet2.edu/jira/browse/GRP-1533?
>
>Thanks
>Dave
>
>>-----Original Message-----
>>From: [mailto:
>>] On Behalf Of Dave Churchley
>>Sent: 18 July 2017 16:56
>>To: Grouper-Users <>
>>Subject: [grouper-users] PSPNG issues
>>
>>Hi
>>
>>I'm currently testing PSPNG provisioning to a test AD. So far, I really like what
>I
>>see but I've now run into a couple of snags.
>>
>>1. I get an error when the Grouper group name has multiple consecutive
>>asterisks, eg LIBR_Auto_CEG****. The old PSP service could handle this
>group
>>name. I've attached the an extract from grouper_error.log to show the
>error.
>>
>>2. Related to the above, when the full sync can't provision a group, it appears
>>to get stuck and retry ever second. This means that it will never complete. I
>>think it would be preferable to write a nice error and then skip that group.
>>
>>I'm not sure if these are real issues or if I'm doing something wrong, so any
>>advice would be appreciated! Also, is there a gsh command to force PSPNG
>to
>>sync a specific group? Similar to the old PSP?
>>
>>Thanks
>>Dave
>>
>>Dave Churchley
>>Newcastle University



 

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)




--
Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)

Archive powered by MHonArc 2.6.19.

Top of Page