Re: [grouper-users] PSPNG problem provisioning only AD active accounts into a group


  • From: Jeffrey Williams <>
  • To:
  • Cc: Grouper-Users <>
  • Subject: Re: [grouper-users] PSPNG problem provisioning only AD active accounts into a group
  • Date: Wed, 18 Jul 2018 15:44:29 -0400

I think I've seen the answer to this over in Shibboleth's documentation regarding Active Directory:

Active Directory does not fully support extensible match rules (https://msdn.microsoft.com/en-us/library/cc223241.aspx).

I'm not 100% that's your issue, but it may be worth a look.

-Jeff


On Wed, Jul 18, 2018 at 2:35 PM Sawyer, Mona Zarei <> wrote:

Hello,

I am trying to provision only active AD accounts into a group using the PSPNG. I tried to add the userAccountControl criteria to the user search filter in grouper-loader.properties, but the users don't get added and the logs show the error below. Is it possible that the Grouper AD provisioner does not handle complex search filters?

 

User search filter in grouper-loader.properties:

changeLog.consumer.pspng_activedirectory.userSearchFilter = (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=${subject.id}))

Log error:

2018-03-19 10:20:00,202: [DefaultQuartzScheduler_Worker-6] ERROR LdapObject.matchesLdapFilter(261) -  - Problem checking ldap filter in memory: [org.ldaptive.SearchFilter@aaaa::filter=(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=xxx)), parameters={}]
LDAPException(resultCode=92 (not supported), errorMessage='Extensible matching is not supported when attempting to determine whether a given entry matches a search filter.')
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3287)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3205)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3187)
        at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3152)
        at edu.internet2.middleware.grouper.pspng.LdapObject.matchesLdapFilter(LdapObject.java:257)
        at edu.internet2.middleware.grouper.pspng.LdapProvisioner.fetchTargetSystemUsers(LdapProvisioner.java:172)
        at edu.internet2.middleware.grouper.pspng.Provisioner.prepareUserCache(Provisioner.java:640)
        at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:476)
        at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1373)
        at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
        at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:717)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:423)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:323)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

 

 

 

Thank you so much,

Best Regards,

 

Mona Z Sawyer M.Sc.

Programmer Intermediate

Middleware and Identity Services

Information Technology | University of Miami

1320 S. Dixie Hwy | Suite 1000.49

Coral Gables, Fl 33146

305-284-2214

 

"At the U, we transform lives through teaching, research and service."


From: Sawyer, Mona Zarei
Sent: Monday, March 19, 2018 11:50 AM
To: 'Hyzer, Chris' <>;
Subject: RE: [grouper-users] How to add only active AD users to a group

 

Hello Chris,

I could successfully bring only active users into Grouper using your advice. However, I now have an issue provisioning only active users from Grouper into an AD group using PSPNG. I tried to add the same criteria for userAccountControl to the user search filter in grouper-loader.properties, but the users don't get added and the logs show the error below. Is it possible that the Grouper provisioner does not handle complex search filters?

 

User search filter in grouper-loader.properties:

changeLog.consumer.pspng_activedirectory.userSearchFilter = (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=${subject.id}))

Log error:

2018-03-19 10:20:00,202: [DefaultQuartzScheduler_Worker-6] ERROR LdapObject.matchesLdapFilter(261) -  - Problem checking ldap filter in memory: [org.ldaptive.SearchFilter@aaaa::filter=(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=xxx)), parameters={}]
LDAPException(resultCode=92 (not supported), errorMessage='Extensible matching is not supported when attempting to determine whether a given entry matches a search filter.')

 

 

 

 

Thank you so much,

Best Regards,

 

Mona Z Sawyer

From: Hyzer, Chris []
Sent: Tuesday, March 13, 2018 10:33 PM
To: Sawyer, Mona Zarei <>;
Subject: RE: [grouper-users] How to add only active AD users to a group

 

I think you have an error message in the logs which says:  Caused by: javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis;

I googled that and it says to put parens near the exclamation point:

https://community.atlassian.com/t5/Jira-questions/LDAP-Directory-exception-Unbalanced-parenthesis-remaining-name/qaq-p/40943

This works for me in the subject properties:

subjectApi.source.kite.search.searchSubject.param.filter.value = (& (cn=%TERM%) (objectclass=person) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

You might need this in the sources.xml (&amp;):

(&amp; (cn=%TERM%) (objectclass=person) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Thanks

Chris

From: Sawyer, Mona Zarei []
Sent: Tuesday, March 13, 2018 12:14 PM
To: Hyzer, Chris <>;
Subject: RE: [grouper-users] How to add only active AD users to a group

 

Hello Chris,

I updated the filter with the LDAP query below. The query works fine in an AD LDAP search, but in Grouper, when I search to add a member, it gives me a "The value entered is not correct" error.

How can I get Grouper to give me the active accounts?

Filter:

<search>
        <searchType>searchSubjectByIdentifier</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
               (&amp;(sAMAccountName=%TERM%*)(!userAccountControl:1.2.840.113556.1.4.803:=2))
            </param-value>
        </param>
        <param>

AD LDAP search query: gives the right result.

Grouper UI add members search: gives the error.

Thank you so much,

Best Regards,

 

Mona Z Sawyer

From: Sawyer, Mona Zarei
Sent: Monday, March 12, 2018 4:56 PM
To: 'Hyzer, Chris' <>;
Subject: RE: [grouper-users] How to add only active AD users to a group

 

Hi Chris,

This is the search that I am using in the sources.xml. This way, Grouper searches AD and brings in the disabled account. Where should I specify for the search to just bring in the active ones?

    <search>
        <searchType>searchSubject</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (employeeID=%TERM%*)
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE
            </param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>
                Searchbase
            </param-value>
        </param>
    </search>
    <search>
        <searchType>searchSubjectByIdentifier</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
               (sAMAccountName=%TERM%)
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE
            </param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>
                Searchbase
            </param-value>
        </param>
    </search>
    <search>
        <searchType>search</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (cn=%TERM%)
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE
            </param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>
                Searchbase
            </param-value>
        </param>
    </search>

Thank you so much,

Best Regards,

 

Mona Z Sawyer

From: Hyzer, Chris []
Sent: Monday, March 12, 2018 3:39 PM
To: Sawyer, Mona Zarei <>;
Subject: RE: [grouper-users] How to add only active AD users to a group

 

Can you add the attribute to the filters for this source?  If not, can you sanitize and send your sources.xml and tell us which attribute name and value identifies active?

Thanks

Chris

e.g.

(& (original filter) (| (useraccountcontrol = 512) (useraccountcontrol = 66048)) )

From: [] On Behalf Of Sawyer, Mona Zarei
Sent: Monday, March 12, 2018 1:34 PM
To:
Subject: [grouper-users] How to add only active AD users to a group

 

Hello,

I have a case where there is a user with two AD accounts. One is disabled and the other is active.

What changes should I make to sources.xml to only bring in and add the member's active account from AD?

Thank you so much,

Best Regards,

 

Mona Z Sawyer


--
Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)
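An added example, mine rather than Grouper's or PSPNG's code, to make the failure in the thread concrete. The stack trace on this page raises in com.unboundid.ldap.sdk.Filter.matchesEntry, called from LdapObject.matchesLdapFilter: the error is PSPNG's client-side re-check of userSearchFilter against entries it already fetched, not the directory search itself, and Active Directory does evaluate the bitwise rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) server-side. The evaluator below implements that rule in memory so the filters from the thread can be compared offline: the bitwise "not disabled" test, Chris's enumeration of exact userAccountControl values (512 and 66048), and the (!userAccountControl:...) form without the inner parentheses that produced the "Unbalanced parenthesis" error. The sample entries, the render_user_filter() helper and the escaping it applies to ${subject.id} are constructed for this example; how PSPNG itself substitutes ${subject.id} is not shown on the page.

```python
"""Added example (not Grouper/PSPNG code): in-memory evaluator for the AD filters in this thread.
Covers the RFC 4515 subset needed here: and/or/not, equality with '*' wildcards, and Microsoft's
bitwise-AND extensible matching rule, the construct UnboundID's in-memory matcher rejects."""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # MS-ADTS bitwise AND rule; bit 0x2 = ACCOUNTDISABLE

class FilterSyntaxError(ValueError):
    """Malformed filter, e.g. '(!attr=v)' where RFC 4515 requires '(!(attr=v))'."""

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter, such as ${subject.id}."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), value)

def _skip_ws(s: str, i: int) -> int:
    return len(s) - len(s[i:].lstrip())

def _close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1

def _parse(s: str, i: int):
    i = _skip_ws(s, i)
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i = _skip_ws(s, i + 1)
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        children, i = [], _skip_ws(s, i + 1)
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
            i = _skip_ws(s, i)
        return (op, children), _close(s, i)
    if op == "!":                       # operand must itself be parenthesised (RFC 4515)
        child, i = _parse(s, i + 1)
        return ("!", [child]), _close(s, _skip_ws(s, i))
    if (end := s.find(")", i)) < 0:
        raise FilterSyntaxError("missing ')'")
    item = s[i:end]
    if ext := re.fullmatch(r"([A-Za-z][\w;.-]*):([\d.]+):=(.*)", item, re.S):
        return ("ext",) + ext.groups(), end + 1       # attr:rule:=value
    attr, sep, value = item.partition("=")
    if not sep:
        raise FilterSyntaxError(f"unsupported filter item {item!r}")
    return ("eq", attr.strip(), value), end + 1

def parse_filter(text: str):
    node, end = _parse(text, 0)
    if _skip_ws(text, end) != len(text):
        raise FilterSyntaxError(f"unexpected trailing text at offset {end}")
    return node

def _values(entry: dict, attr: str) -> list:   # LDAP attribute names are case-insensitive
    return [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]

def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":                    # unescaped '*' is a wildcard; '(attr=*)' is a presence test
        _, attr, pattern = node
        regex = ".*".join(re.escape(_unescape(p).lower()) for p in pattern.split("*"))
        return any(re.fullmatch(regex, v.lower(), re.S) for v in _values(entry, attr))
    _, attr, rule, value = node         # extensible match
    if rule != LDAP_MATCHING_RULE_BIT_AND:
        raise NotImplementedError(f"matching rule {rule} is not supported in memory")
    return any(int(v) & int(value) == int(value) for v in _values(entry, attr))

# Constructed sample entries (not from the thread). 512 = NORMAL_ACCOUNT, 514 = 512|ACCOUNTDISABLE,
# 544 = 512|PASSWD_NOTREQD, 66048 = 512|DONT_EXPIRE_PASSWORD, 66050 = 66048|ACCOUNTDISABLE.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["msawyer"], "employeeID": ["1001"], "userAccountControl": ["512"]},
    {"sAMAccountName": ["msawyer-old"], "employeeID": ["1001"], "userAccountControl": ["514"]},
    {"sAMAccountName": ["svc-grouper"], "employeeID": ["2002"], "userAccountControl": ["66048"]},
    {"sAMAccountName": ["jdoe"], "employeeID": ["3003"], "userAccountControl": ["544"]},
    {"sAMAccountName": ["jdoe-old"], "employeeID": ["3003"], "userAccountControl": ["66050"]},
]

# The thread's userSearchFilter, the bitwise "not disabled" test alone, and Chris's enumeration.
USER_SEARCH_FILTER = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=${subject.id}))"
ACTIVE_BITWISE = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
ACTIVE_ENUMERATED = "(|(userAccountControl=512)(userAccountControl=66048))"

def render_user_filter(subject_id: str) -> str:
    """Substitute ${subject.id} with escaping (this example's choice; PSPNG's own way is not shown)."""
    return USER_SEARCH_FILTER.replace("${subject.id}", escape_filter_value(subject_id))

def search(filter_text: str, entries=SAMPLE_ENTRIES) -> list:
    """sAMAccountNames of the entries the filter matches, evaluated entirely in memory."""
    node = parse_filter(filter_text)
    return [e["sAMAccountName"][0] for e in entries if matches(node, e)]
```

search(ACTIVE_BITWISE) returns msawyer, svc-grouper and jdoe (512, 66048 and 544) and rejects the 514 and 66050 twins; search(ACTIVE_ENUMERATED) drops jdoe, because 544 (NORMAL_ACCOUNT plus PASSWD_NOTREQD) is not in the list. Enumerating exact values is fail-closed as long as every listed value has bit 0x2 clear, so it never admits a disabled account, but it silently loses active accounts with any unlisted flag combination; the bitwise test has neither problem, which is why it belongs on the server side if the client-side matcher cannot evaluate it. The escaping matters as well: an unescaped subject id of "*" turns (employeeID=${subject.id}) into a presence test that matches every active account, while the escaped \2a matches nothing. Feeding the evaluator the filter Mona first posted, with (!userAccountControl:...) lacking its inner parentheses, raises FilterSyntaxError, the same defect JNDI reported as "Unbalanced parenthesis".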

