Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] PSPNG problem accessing group info in AD

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] PSPNG problem accessing group info in AD


Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: "Guenther, Dean R." <>, "" <>
  • Subject: RE: [grouper-users] PSPNG problem accessing group info in AD
  • Date: Fri, 15 Jun 2018 15:42:09 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:31RsxBPDIwEqQNUadMwl6mtUPXoX/o7sNwtQ0KIMzox0K/z/oMbcNUDSrc9gkEXOFd2Cra4c1qyO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUhDexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iScHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzdb7fc9wHX2pMRsZfWTJcDIOgYYUBDOsBMvpXoITmvVQCsQeyCBOwCO/zyDJFgGL9060g0+QmFAHLxAIsEdAOsXXVstr1Lr8eWv2rwanI1zXDbuhW1Tng44XPdxAuvfGMXLJxcMXP00kiDALFjk6MpoD/IjOVzvoCs26d7+Z6S+2glnMnphh3rzOyyMksjYzJiZgUylDC7Sh4zp01JcCiREFlfNGkDZ1dvDyZOYtuWs4uXXtntDonxrADpJK3YTUGxZEpxxPQd/CLb42F7xD9W+ueOzh1gXdodKyjixuz6USs1+PxWtWu3FtOsyZJiMfAum0J2hDJ98SKSPpw8l+v2TmR1A3f9uRJLEU6lafUMZEt3Ls9m5sNvUjdAyP7nVj6gLOMeUgk/+Wl5OfqYrv7qZKaKoR6kBvxMr40lcy6Gek4MhYBX2yc+emkzLPu4Ur3TKlEg/Evj6TWso7WKd0cpqGiHQBZyIEj6wujDzi919QYgH8HI09fdBKflYjpPE3OL+7kAvejglSslzFry+rBPr38HpXNKn/DkLDifbpn90Fczw8zwche55JSFL4BPOr+VlHru9DEExM0NhG4z/v6BNh42IMTVn6DDrOcPa7Qr1CF6fggLuyJaYMLpDrwKuAp5/v0gn84nV8dc7Op3ZwSaH2gG/RpP0WZYHrtg9gfC2cHpQs+TPf2h1GYTD5Tf2i9X6Q65j0hFo2pEJrDSpi3gLOdxCe7AoFWZmdeB1CDC3focJiEW+8SZyKIO8NhjycEWqa7S486zhyusA76y6F7LurP5CEUr5Pj1N5p5+LNjxEy8yJ7D9iD322XUW57g34IFHcK2/U1jlFwzEuD3LI8y9BVHNob3bUDGlM1KJPa0+x3EfjtQR+Hc9uUHhLuCNq8BiwpQ8h03sQDeV1VGtO+gwrF0jbwRbIZivbDUJMu9b/E0mK0Ot1w0W3u1a89gkMgT9cVc2Cqm/gs2RLUAtuDs1SLmrzuPY8cxi/Wvi/XyGGOrVNVSiZxSq6DQGgSYE2QoNjksBCRB4SyAKgqZ1MSgfWJLbFHP5iw1Q1L
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Bert, can you please look at this?

 

The “loader” pulls things from AD, and the “pspng” pushes things to AD.  You are asking about the pspng right?

 

In my example online that I think you have seen I used:

 

changeLog.consumer.pspng_activedirectory.userSearchBaseDn = DC=kite-dev,DC=upenn,DC=edu

changeLog.consumer.pspng_activedirectory.userSearchFilter = employeeID=${subject.id}

changeLog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,uid,mail,samAccountName, uidNumber,objectclass,employeeID

 

Do you have a similar configuration?  You need to tell grouper how to find subjects and resolve subjects from AD.

 

For this one, please include the output from GSH and the full log for that command:

 

groovy:000> edu.internet2.middleware.grouper.ldap.LdapSession.list(String.class, "pspng_activedirectory","OU=WSU

 

 

 

From: [mailto:] On Behalf Of Guenther, Dean R.
Sent: Thursday, June 14, 2018 11:37 AM
To:
Subject: Re: [grouper-users] Loader problem accessing group info in AD

 

I hadn’t a response from anybody on this post yet so I thought I’d poke the thread. The error says “problem fetching information on group”. Is it having a problem fetching info from AD?

thanks – Dean

 

 

 

 

Dean Guenther                          
Washington State University    Phone:    509 335-0433
Pullman, WA. 99164-1222        fax:      509 335-0540
Identity and Access Management Manager

 

 

From: <> on behalf of "" <>
Date: Monday, June 4, 2018 at 12:14 PM
To: "" <>
Subject: [grouper-users] Loader problem accessing group info in AD

 

I’ve built a group in AD that I want to provision members to called “test:ref:employee:hourly.appointed”. When the loader attempts to provision it complains that it cannot fetch information on the group:

 

2018-06-03 16:08:01,780: [pspng_activedirectory-FullSync-Thread] ERROR Provisioner.evaluateJexlExpression(556) -  - Jexl _expression_ null could not be evaluated for subject 'null/null' and group 'test:ref:employee:hourly.appointed/null' which used variableMap '{idIndex=10095, userSearchBaseDn=ou=NIDs,ou=WSU Accounts,dc=tempad,dc=wsu,dc=edu, groupAttributes={etc:pspng:provision_to=[pspng_activedirectory]}, groupCreationBaseDn=ou=grouper groups,ou=provisioned groups,ou=enterprise groups,ou=wsu authorization groups,dc=tempad,dc=wsu,dc=edu, stemAttributes={}, , groupSearchBaseDn=ou=grouper groups,ou=provisioned groups,ou=enterprise groups,ou=wsu authorization groups,dc=tempad,dc=wsu,dc=edu, name=test:ref:employee:hourly.appointed, provisionerName=pspng_activedirectory, group=Group[name=test:ref:employee:hourly.appointed,uuid=d4395181f7214efda1be4a8b568ece5d], provisionerType=LdapGroupProvisioner}'

2018-06-03 16:08:01,780: [pspng_activedirectory-FullSync-Thread] ERROR Provisioner.prepareGroupCache(736) -  - Problem fetching information on group 'test:ref:employee:hourly.appointed'

 

I’m not certain what info the loader is trying to fetch. I am able to do an ldapsearch of the group houly.appointed without any problem from the same host where the loader lives. So it seems the group is readable. Then I thought I’d try using LdapSession.list within gsh on a user object and that also gave an error:

 

groovy:000> edu.internet2.middleware.grouper.ldap.LdapSession.list(String.class, "pspng_activedirectory","OU=WSU Accounts,dc=tempad,dc=wsu,dc=edu",LdapSearchScope.SUBTREE_SCOPE,"(cn=guenther)","cn");

ERROR java.lang.RuntimeException:

Problem with ldap conection: pspng_activedirectory,

Error querying ldap server id: pspng_activedirectory, searchDn: OU=WSU Accounts,dc=tempad,dc=wsu,dc=edu, filter: '(cn=guenther)', returning attribute: cn

        at edu.internet2.middleware.grouper.ldap.LdapSession.callbackLdapSession (LdapSession.java:249)

        at edu.internet2.middleware.grouper.ldap.LdapSession.list (LdapSession.java:276)

        at edu.internet2.middleware.grouper.ldap.LdapSession$list.call (Unknown Source)

 

But it does seem odd that it says “Unknown Source”. The ldap bind looks good. So I’m not certain why it thinks its an unknown source. In the log it shows this for the LdapSession.list:

 

2018-06-04 10:11:29,493: [main] DEBUG LdapSession.callbackLdapSession(228) -  - pre-checkout: ldap id: pspng_activedirectory, pool active: 0, available: 1

2018-06-04 10:11:29,494: [main] WARN  AbstractLdapFactory.validate(165) -  - validate called, but no validator configured

2018-06-04 10:11:29,494: [main] DEBUG HibernateSession.<init>(290) -  - grouperTransactionType: READONLY_OR_USE_EXISTING, okToUseHibernate: true, readonlyMode: false, parentSessionExists: true, newHibernateSession: false, hibernateSession: HibernateSession (4eb175a4): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (7da056b2)

2018-06-04 10:11:29,494: [main] DEBUG LdapSession.callbackLdapSession(234) -  - post-checkout: ldap id: pspng_activedirectory, pool active: 1, available: 0

2018-06-04 10:11:29,494: [main] DEBUG AbstractLdap.pagedSearch(290) -  - Paginated search with the following parameters:

2018-06-04 10:11:29,494: [main] DEBUG AbstractLdap.pagedSearch(291) -  -   dn = OU=WSU Accounts,dc=tempad,dc=wsu,dc=edu

2018-06-04 10:11:29,494: [main] DEBUG AbstractLdap.pagedSearch(292) -  -   filter = (cn=guenther)

2018-06-04 10:11:29,494: [main] DEBUG AbstractLdap.pagedSearch(293) -  -   filterArgs = []

 

 

Here is the ldaps bind:

 

2018-06-04 10:49:20,719: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.test(504) -  - LDAP Url: ldaps://somehost.wsu.edu:636/dc=tempad,dc=wsu,dc=edu

2018-06-04 10:49:20,719: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.test(510) -  - Testing SSL before the LDAP test

2018-06-04 10:49:20,719: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.test(530) -  -   Making SSL connection to somehost.wsu.edu:636

2018-06-04 10:49:20,886: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.test(544) -  - Successfully connected

2018-06-04 10:49:20,887: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.buildLdapConnectionPool(89) -  - pspng_activedirectory: Creating LDAP Pool

2018-06-04 10:49:20,940: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.performTestLdapRead(178) -  - Performing test read of directory root

2018-06-04 10:49:21,083: [DefaultQuartzScheduler_Worker-1] INFO  LdapSystem.performTestLdapRead(198) -  - Search success: 

2018-06-04 10:49:21,088: [DefaultQuartzScheduler_Worker-4] DEBUG LdapSystem.buildLdapConnectionPool(154) -  - pspng_activedirectory: Using default onCheckOut ldap-connection validation

2018-06-04 10:49:21,362: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.performTestLdapRead(178) -  - Performing test read of directory root

2018-06-04 10:49:21,368: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.test(553) -  - Success: Ldap pool built

2018-06-04 10:49:21,381: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.test(556) -  - Success: Test ldap read

 

And this is what I have configured:

 

ldap.pspng_activedirectory.url = "ldaps://somehost.wsu.edu:636/dc=tempad,dc=wsu,dc=edu

ldap.pspng_activedirectory.user = cn=grouper.writer,ou=service accounts ,dc=tempad,dc=wsu,dc=edu

ldap.pspng_activedirectory.pass = *******************

ldap.pspng_activedirectory.pagedResultsSize = 1000

ldap.pspng_activedirectory.referral = follow

ldap.pspng_activedirectory.searchResultHandlers=edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler,edu.vt.middleware.ldap.handler.BinarySearchResultHandler,edu.internet2.middleware.grouper.ldap.handler.RangeSearchResultHandler

changeLog.consumer.pspng_activedirectory.provisionerName = pspng_activedirectory

changeLog.consumer.pspng_activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner

changeLog.consumer.pspng_activedirectory.quartzCron = 15 * * * * ?

changeLog.consumer.pspng_activedirectory.ldapPoolName = pspng_activedirectory

changeLog.consumer.pspng_activedirectory.isActiveDirectory = true

changeLog.consumer.pspng_activedirectory.memberAttributeName = member

changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat = ${ldapUser.getDn()}

changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = ou=grouper groups,ou=provisioned groups,ou=enterprise groups,ou=wsu authorization groups,dc=tempad,dc=wsu,dc=edu

changeLog.consumer.pspng_activedirectory.groupSearchAttributes = cn,samAccountName,objectclass

changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = objectclass=group

changeLog.consumer.pspng_activedirectory.singleGroupSearchFIlter = (&(objectclass=group)(cn=${group.name}))

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group

 

What do I look at next to figure out my problem with loader trying to fetch info from AD? thanks -- Dean

 

 

Dean Guenther                          
Washington State University    Phone:    509 335-0433
Pullman, WA. 99164-1222        fax:      509 335-0540
Identity and Access Management Manager

 




Archive powered by MHonArc 2.6.19.

Top of Page