grouper-users - [grouper-users] How to provision members into AD with only AD active accounts
Subject: Grouper Users - Open Discussion List
List archive
- From: "Sawyer, Mona Zarei" <>
- To: "" <>
- Subject: [grouper-users] How to provision members into AD with only AD active accounts
- Date: Tue, 1 May 2018 20:08:11 +0000
Hello,

For some grouper members I have two accounts in AD, one Active and one Disabled. I need to only provision and add the group member's active account to its corresponding AD group using PSPNG. I tried to add the UserAccountControl criteria to the user search filter in grouper-loader.properties, but the users don't get added and the logs show the error below. Is it possible that the grouper AD provisioner does not handle complex search filters?

User search filter in grouper-loader.properties:

    changeLog.consumer.pspng_activedirectory.userSearchFilter = (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=${subject.id}))

Log error:

    2018-03-19 10:20:00,202: [DefaultQuartzScheduler_Worker-6] ERROR LdapObject.matchesLdapFilter(261) - - Problem checking ldap filter in memory: [org.ldaptive.SearchFilter@aaaa::filter=(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=xxx)), parameters={}]
    LDAPException(resultCode=92 (not supported), errorMessage='Extensible matching is not supported when attempting to determine whether a given entry matches a search filter.')
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3287)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3205)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3187)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3152)
        at edu.internet2.middleware.grouper.pspng.LdapObject.matchesLdapFilter(LdapObject.java:257)
        at edu.internet2.middleware.grouper.pspng.LdapProvisioner.fetchTargetSystemUsers(LdapProvisioner.java:172)
        at edu.internet2.middleware.grouper.pspng.Provisioner.prepareUserCache(Provisioner.java:640)
        at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:476)
        at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1373)
        at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
        at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:717)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:423)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:323)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

Thank you so much,
Best Regards,

Mona Z Sawyer M.Sc.
Programmer Intermediate
Middleware and Identity Services
Information Technology | University of Miami
1320 S. Dixie Hwy | Suite 1000.49
Coral Gables, Fl 33146
305-284-2214
"At the U, we transform lives through teaching, research and service."

From: Sawyer, Mona Zarei
Hello Chris,

I could successfully bring only active users to grouper using your advice. However, I now have an issue provisioning only active users from grouper into an AD group using PSPNG. I tried to add the same criteria for the UserAccountControl to the user search filter in grouper-loader.properties, but the users don't get added and the logs show the error below. Is it possible that the grouper provisioner does not handle complex search filters?

User search filter in grouper-loader.properties:

    changeLog.consumer.pspng_activedirectory.userSearchFilter = (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=${subject.id}))

Log error:

    2018-03-19 10:20:00,202: [DefaultQuartzScheduler_Worker-6] ERROR LdapObject.matchesLdapFilter(261) - - Problem checking ldap filter in memory: [org.ldaptive.SearchFilter@aaaa::filter=(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=xxx)), parameters={}]
    LDAPException(resultCode=92 (not supported), errorMessage='Extensible matching is not supported when attempting to determine whether a given entry matches a search filter.')
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3287)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3205)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3187)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3152)
        at edu.internet2.middleware.grouper.pspng.LdapObject.matchesLdapFilter(LdapObject.java:257)
        at edu.internet2.middleware.grouper.pspng.LdapProvisioner.fetchTargetSystemUsers(LdapProvisioner.java:172)
        at edu.internet2.middleware.grouper.pspng.Provisioner.prepareUserCache(Provisioner.java:640)
        at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:476)
        at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1373)
        at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
        at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:717)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:423)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:323)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

Thank you so much,
Best Regards,

Mona Z Sawyer M.Sc.
Programmer Intermediate
Middleware and Identity Services
Information Technology | University of Miami
1320 S. Dixie Hwy | Suite 1000.49
Coral Gables, Fl 33146
305-284-2214
"At the U, we transform lives through teaching, research and service."

From: Hyzer, Chris []
I think you have an error message in the logs which says:

    Caused by: javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis;

I googled that and it says to put parens near the exclamation point. This works for me in the subject properties:

    subjectApi.source.kite.search.searchSubject.param.filter.value = (& (cn=%TERM%) (objectclass=person) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

You might need this in the sources.xml:

    (&) (& (cn=%TERM%) (objectclass=person) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Thanks
Chris

From: Sawyer, Mona Zarei []
Hello Chris,

I updated the filter with the LDAP query below. The query works fine in an AD LDAP search, but in grouper, when I search to add a member, it gives me a "The value entered is not correct" error. How can I get grouper to give me the active accounts?

Filter:

    <search>
      <searchType>searchSubjectByIdentifier</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>
          (&(sAMAccountName=%TERM%*)(!userAccountControl:1.2.840.113556.1.4.803:=2))
        </param-value>
      </param>
      <param>

[screenshot: AD LDAP search query, gives the right result]
[screenshot: Grouper UI add members search, gives the error]

Thank you so much,
Best Regards,

Mona Z Sawyer M.Sc.
Programmer Intermediate
Middleware and Identity Services
Information Technology | University of Miami
1320 S. Dixie Hwy | Suite 1000.49
Coral Gables, Fl 33146
305-284-2214
"At the U, we transform lives through teaching, research and service."

From: Sawyer, Mona Zarei
Hi Chris,

This is the search that I am using in the sources.xml. This way, grouper searches the AD and brings in the disabled account. Where should I specify for the search to just bring in the Active ones?

    <search>
      <searchType>searchSubject</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>(employeeID=%TERM%*)</param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>SUBTREE_SCOPE</param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>Searchbase</param-value>
      </param>
    </search>
    <search>
      <searchType>searchSubjectByIdentifier</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>(sAMAccountName=%TERM%)</param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>SUBTREE_SCOPE</param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>Searchbase</param-value>
      </param>
    </search>
    <search>
      <searchType>search</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>(cn=%TERM%)</param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>SUBTREE_SCOPE</param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>Searchbase</param-value>
      </param>
    </search>

Thank you so much,
Best Regards,

Mona Z Sawyer M.Sc.
Programmer Intermediate
Middleware and Identity Services
Information Technology | University of Miami
1320 S. Dixie Hwy | Suite 1000.49
Coral Gables, Fl 33146
305-284-2214
"At the U, we transform lives through teaching, research and service."

From: Hyzer, Chris []
Can you add the attribute to the filters for this source? If not, can you sanitize and send your sources.xml and tell us which attribute name and value identifies active?

e.g.

    (&(original filter)(|(userAccountControl=512)(userAccountControl=66048)))

Thanks
Chris

From:
[] On Behalf Of Sawyer, Mona Zarei

Hello,

I have a case where there is a user with two AD accounts. One is Disabled and the other is Active. What changes should I make to sources.xml to only bring in and add the member's active account from AD?

Thank you so much,
Best Regards,

Mona Z Sawyer M.Sc.
Programmer Intermediate
Middleware and Identity Services
Information Technology | University of Miami
1320 S. Dixie Hwy | Suite 1000.49
Coral Gables, Fl 33146
305-284-2214
"At the U, we transform lives through teaching, research and service."
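Editor's note on the PSPNG failure in the thread above, with an added Python example (this is not Grouper, PSPNG or UnboundID code). The stack trace shows where the two halves of the thread diverge: the subject source sends the filter to AD, which evaluates the bitwise rule 1.2.840.113556.1.4.803 itself, so Chris's `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` works there; PSPNG additionally re-checks the userSearchFilter in memory via `LdapObject.matchesLdapFilter` and UnboundID's `Filter.matchesEntry`, which refuses extensible matching (resultCode 92). The script below shows the bitwise semantics, a pre-deployment check that flags extensible-match syntax in a filter, and how to derive the equality-only alternative Chris suggests (`(|(userAccountControl=512)(userAccountControl=66048))`) from the userAccountControl values actually present in a directory export, together with the caveat that this list is fragile. The LDIF sample, DNs and flag values are constructed for the example; `${subject.id}` is the placeholder from the thread.

```python
"""
Editor-added example, not code from Grouper, PSPNG or the UnboundID SDK.

Shows (1) what the AD bitwise filter rule means, (2) a check that rejects
extensible-match syntax before it reaches PSPNG's in-memory matcher, (3) how
to build the equality-only filter from observed userAccountControl values, and
(4) why that list silently drops enabled accounts with an unlisted flag mix.
"""
import re
from typing import List

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that AD sets on disabled accounts

# Constructed sample (not real data), shaped like the attribute lines of
#   ldapsearch -LLL -b <searchbase> "(objectClass=user)" userAccountControl
# The DNs and values are assumptions for this example.
SAMPLE_LDIF = """\
dn: CN=Alice A,OU=Staff,DC=example,DC=edu
userAccountControl: 512

dn: CN=Alice A (old),OU=Disabled,DC=example,DC=edu
userAccountControl: 514

dn: CN=Bob B,OU=Staff,DC=example,DC=edu
userAccountControl: 66048

dn: CN=Carol C,OU=Staff,DC=example,DC=edu
userAccountControl: 544

dn: CN=svc-backup,OU=Service,DC=example,DC=edu
userAccountControl: 66050
"""


def parse_uac_values(ldif: str) -> List[int]:
    """Pull every userAccountControl value out of an LDIF-style export."""
    return [int(v) for v in re.findall(r"^userAccountControl:\s*(\d+)\s*$", ldif, re.M)]


def is_enabled(uac: int) -> bool:
    """Server-side meaning of (!(userAccountControl:1.2.840.113556.1.4.803:=2)):
    the bitwise AND of the attribute with 2 is zero, i.e. ACCOUNTDISABLE is clear."""
    return (uac & ACCOUNTDISABLE) == 0


def uses_extensible_match(ldap_filter: str) -> bool:
    """True if the filter contains an RFC 4515 extensible-match item (':=').
    PSPNG's in-memory re-check raises resultCode 92 on such a filter, so reject
    it at config-review time instead of discovering it in the loader log."""
    return ":=" in ldap_filter


def enabled_values(ldif: str) -> List[int]:
    """Distinct userAccountControl values in the export with bit 2 clear."""
    return sorted({v for v in parse_uac_values(ldif) if is_enabled(v)})


def equality_filter(inner: str, values: List[int]) -> str:
    """Compose (&(inner)(|(userAccountControl=v)...)): equality assertions only,
    so both AD and an in-memory matcher can evaluate it."""
    disjunction = "".join(f"(userAccountControl={v})" for v in values)
    return f"(&{inner}(|{disjunction}))"


def equality_filter_matches(values: List[int], uac: int) -> bool:
    """In-memory evaluation of the equality disjunction against one entry's value."""
    return uac in values


def missed_enabled_values(values: List[int], candidates: List[int]) -> List[int]:
    """Enabled flag combinations that the equality list would wrongly exclude.
    Such accounts are simply not provisioned (fail-closed, but silent); regenerate
    the list whenever AD starts using a new combination."""
    return [c for c in candidates if is_enabled(c) and not equality_filter_matches(values, c)]


if __name__ == "__main__":
    vals = enabled_values(SAMPLE_LDIF)
    inner = "(employeeID=${subject.id})"
    print("enabled values in export:", vals)
    print("equality-only filter:", equality_filter(inner, vals))
    # 262656 = NORMAL_ACCOUNT | SMARTCARD_REQUIRED: enabled, but absent from the export
    print("enabled values the list would miss:", missed_enabled_values(vals, [512, 514, 262656]))
```

The equality list has to be regenerated whenever a new flag combination appears in AD (a smart-card-required or password-not-required account, for instance), and the failure direction is worth noting: an unlisted enabled account is left out of the target group rather than a disabled one being let in, which is the safer of the two mistakes but still a silent provisioning gap.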
- [grouper-users] How to provision members into AD with only AD active accounts, Sawyer, Mona Zarei, 05/01/2018
Archive powered by MHonArc 2.6.19.