grouper-users - RE: [grouper-users] PSPNG problem accessing group info in AD
Subject: Grouper Users - Open Discussion List
- From: "Hyzer, Chris" <>
- To: "Guenther, Dean R." <>, "" <>
- Subject: RE: [grouper-users] PSPNG problem accessing group info in AD
- Date: Fri, 15 Jun 2018 15:42:09 +0000
Bert, can you please look at this?

The “loader” pulls things from AD, and the “pspng” pushes things to AD. You are asking about the pspng, right?

In my example online that I think you have seen I used:

changeLog.consumer.pspng_activedirectory.userSearchBaseDn = DC=kite-dev,DC=upenn,DC=edu
changeLog.consumer.pspng_activedirectory.userSearchFilter = employeeID=${subject.id}
changeLog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,uid,mail,samAccountName, uidNumber,objectclass,employeeID

Do you have a similar configuration? You need to tell grouper how to find subjects and resolve subjects from AD.

For this one, please include the output from GSH and the full log for that command:

groovy:000> edu.internet2.middleware.grouper.ldap.LdapSession.list(String.class, "pspng_activedirectory","OU=WSU

From: [mailto:] On Behalf Of Guenther, Dean R.

I hadn’t a response from anybody on this post yet so I thought I’d poke the thread. The error says “problem fetching information on group”. Is it having a problem fetching info from AD?

thanks – Dean

Dean Guenther

From: <> on behalf of "" <>

I’ve built a group in AD that I want to provision members to called “test:ref:employee:hourly.appointed”. When the loader attempts to provision it complains that it cannot fetch information on the group:

2018-06-03 16:08:01,780: [pspng_activedirectory-FullSync-Thread] ERROR Provisioner.evaluateJexlExpression(556) - - Jexl _expression_ null could not be evaluated for subject 'null/null' and group 'test:ref:employee:hourly.appointed/null' which used variableMap '{idIndex=10095, userSearchBaseDn=ou=NIDs,ou=WSU Accounts,dc=tempad,dc=wsu,dc=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=ou=grouper groups,ou=provisioned groups,ou=enterprise groups,ou=wsu authorization groups,dc=tempad,dc=wsu,dc=edu, stemAttributes={}, , groupSearchBaseDn=ou=grouper groups,ou=provisioned groups,ou=enterprise groups,ou=wsu authorization groups,dc=tempad,dc=wsu,dc=edu, name=test:ref:employee:hourly.appointed, provisionerName=pspng_activedirectory, group=Group[name=test:ref:employee:hourly.appointed,uuid=d4395181f7214efda1be4a8b568ece5d], provisionerType=LdapGroupProvisioner}'
2018-06-03 16:08:01,780: [pspng_activedirectory-FullSync-Thread] ERROR Provisioner.prepareGroupCache(736) - - Problem fetching information on group 'test:ref:employee:hourly.appointed'

I’m not certain what info the loader is trying to fetch. I am able to do an ldapsearch of the group hourly.appointed without any problem from the same host where the loader lives. So it seems the group is readable.

Then I thought I’d try using LdapSession.list within gsh on a user object and that also gave an error:

groovy:000> edu.internet2.middleware.grouper.ldap.LdapSession.list(String.class, "pspng_activedirectory","OU=WSU Accounts,dc=tempad,dc=wsu,dc=edu",LdapSearchScope.SUBTREE_SCOPE,"(cn=guenther)","cn");
ERROR java.lang.RuntimeException: Problem with ldap conection: pspng_activedirectory, Error querying ldap server id: pspng_activedirectory, searchDn: OU=WSU Accounts,dc=tempad,dc=wsu,dc=edu, filter: '(cn=guenther)', returning attribute: cn
at edu.internet2.middleware.grouper.ldap.LdapSession.callbackLdapSession (LdapSession.java:249)
at edu.internet2.middleware.grouper.ldap.LdapSession.list (LdapSession.java:276)
at edu.internet2.middleware.grouper.ldap.LdapSession$list.call (Unknown Source)

But it does seem odd that it says “Unknown Source”. The ldap bind looks good. So I’m not certain why it thinks it's an unknown source.

In the log it shows this for the LdapSession.list:

2018-06-04 10:11:29,493: [main] DEBUG LdapSession.callbackLdapSession(228) - - pre-checkout: ldap id: pspng_activedirectory, pool active: 0, available: 1
2018-06-04 10:11:29,494: [main] WARN AbstractLdapFactory.validate(165) - - validate called, but no validator configured
2018-06-04 10:11:29,494: [main] DEBUG HibernateSession.<init>(290) - - grouperTransactionType: READONLY_OR_USE_EXISTING, okToUseHibernate: true, readonlyMode: false, parentSessionExists: true, newHibernateSession: false, hibernateSession: HibernateSession (4eb175a4): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (7da056b2)
2018-06-04 10:11:29,494: [main] DEBUG LdapSession.callbackLdapSession(234) - - post-checkout: ldap id: pspng_activedirectory, pool active: 1, available: 0
2018-06-04 10:11:29,494: [main] DEBUG AbstractLdap.pagedSearch(290) - - Paginated search with the following parameters:
2018-06-04 10:11:29,494: [main] DEBUG AbstractLdap.pagedSearch(291) - - dn = OU=WSU Accounts,dc=tempad,dc=wsu,dc=edu
2018-06-04 10:11:29,494: [main] DEBUG AbstractLdap.pagedSearch(292) - - filter = (cn=guenther)
2018-06-04 10:11:29,494: [main] DEBUG AbstractLdap.pagedSearch(293) - - filterArgs = []

Here is the ldaps bind:

2018-06-04 10:49:20,719: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.test(504) - - LDAP Url: ldaps://somehost.wsu.edu:636/dc=tempad,dc=wsu,dc=edu
2018-06-04 10:49:20,719: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.test(510) - - Testing SSL before the LDAP test
2018-06-04 10:49:20,719: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.test(530) - - Making SSL connection to somehost.wsu.edu:636
2018-06-04 10:49:20,886: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.test(544) - - Successfully connected
2018-06-04 10:49:20,887: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.buildLdapConnectionPool(89) - - pspng_activedirectory: Creating LDAP Pool
2018-06-04 10:49:20,940: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.performTestLdapRead(178) - - Performing test read of directory root
2018-06-04 10:49:21,083: [DefaultQuartzScheduler_Worker-1] INFO LdapSystem.performTestLdapRead(198) - - Search success:
2018-06-04 10:49:21,088: [DefaultQuartzScheduler_Worker-4] DEBUG LdapSystem.buildLdapConnectionPool(154) - - pspng_activedirectory: Using default onCheckOut ldap-connection validation
2018-06-04 10:49:21,362: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.performTestLdapRead(178) - - Performing test read of directory root
2018-06-04 10:49:21,368: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.test(553) - - Success: Ldap pool built
2018-06-04 10:49:21,381: [DefaultQuartzScheduler_Worker-4] INFO LdapSystem.test(556) - - Success: Test ldap read

And this is what I have configured:

ldap.pspng_activedirectory.url = "ldaps://somehost.wsu.edu:636/dc=tempad,dc=wsu,dc=edu
ldap.pspng_activedirectory.user = cn=grouper.writer,ou=service accounts ,dc=tempad,dc=wsu,dc=edu
ldap.pspng_activedirectory.pass = *******************
ldap.pspng_activedirectory.pagedResultsSize = 1000
ldap.pspng_activedirectory.referral = follow
ldap.pspng_activedirectory.searchResultHandlers=edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler,edu.vt.middleware.ldap.handler.BinarySearchResultHandler,edu.internet2.middleware.grouper.ldap.handler.RangeSearchResultHandler
changeLog.consumer.pspng_activedirectory.provisionerName = pspng_activedirectory
changeLog.consumer.pspng_activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_activedirectory.quartzCron = 15 * * * * ?
changeLog.consumer.pspng_activedirectory.ldapPoolName = pspng_activedirectory
changeLog.consumer.pspng_activedirectory.isActiveDirectory = true
changeLog.consumer.pspng_activedirectory.memberAttributeName = member
changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = ou=grouper groups,ou=provisioned groups,ou=enterprise groups,ou=wsu authorization groups,dc=tempad,dc=wsu,dc=edu
changeLog.consumer.pspng_activedirectory.groupSearchAttributes = cn,samAccountName,objectclass
changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = objectclass=group
changeLog.consumer.pspng_activedirectory.singleGroupSearchFIlter = (&(objectclass=group)(cn=${group.name}))
changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group

What do I look at next to figure out my problem with loader trying to fetch info from AD?

thanks -- Dean

Dean Guenther
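The following is an added example, not part of the message above and not Grouper code: a Python check that reads properties text and reports, for one change-log consumer, whether the three user-search settings shown in the reply are present, flagging keys that differ only in letter case (Java property keys are case-sensitive). The sample configuration and its values are constructed, and the three-key list is only what the reply shows, not a complete list of PSPNG settings.

```python
import re

# The three settings shown in the reply's example; not a complete list of PSPNG options.
EXPECTED = ("userSearchBaseDn", "userSearchFilter", "userSearchAttributes")
# A key ends at the first '=', ':' or whitespace; the value may itself contain '='.
_PAIR = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text into a dict, honouring comments and '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd count: the last backslash continues the line
            pending = line[:-1]
            continue
        m = _PAIR.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_user_search(text, consumer):
    """Return {expected key: 'ok' | 'missing' | 'case-mismatch: <key as written>'}."""
    prefix = "changeLog.consumer.%s." % consumer
    written = [k[len(prefix):] for k in parse_properties(text) if k.startswith(prefix)]
    by_lower = {k.lower(): k for k in written}
    report = {}
    for key in EXPECTED:
        if key in written:
            report[key] = "ok"
        elif key.lower() in by_lower:
            report[key] = "case-mismatch: " + by_lower[key.lower()]
        else:
            report[key] = "missing"
    return report


# Constructed sample, shaped like the configuration quoted in the thread.
SAMPLE = r"""
# constructed values, not taken from any real deployment
changeLog.consumer.pspng_activedirectory.ldapPoolName = pspng_activedirectory
changeLog.consumer.pspng_activedirectory.userSearchBaseDn = ou=people,dc=example,dc=edu
changeLog.consumer.pspng_activedirectory.userSearchFIlter = employeeID=${subject.id}
changeLog.consumer.pspng_activedirectory.groupSearchAttributes = cn,\
    samAccountName,objectclass
"""

if __name__ == "__main__":
    for key, status in check_user_search(SAMPLE, "pspng_activedirectory").items():
        print(key, "->", status)
```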