grouper-users - Re: [grouper-users] PSPNG to AD question....
Subject: Grouper Users - Open Discussion List
List archive
- From: Jeffrey Williams <>
- To: "Black, Carey M." <>
- Cc: Grouper Users <>
- Subject: Re: [grouper-users] PSPNG to AD question....
- Date: Thu, 18 Apr 2019 09:25:15 -0400
I have *started* testing using PSPNG to create/maintain groups in AD.
And I have an odd error condition that I just have not sorted out....
My AD team is using a "least privileges" approach. So we may not have granted enough privs, but at this point I think the error that I am seeing is pointing to a PSPNG config issue more than an AD permission.... but I may be wrong.
Basically PSPNG can create groups and add users to the groups.
However, during the Full sync... it is trying to modify the group and failing.
It is not clear to me why it is trying to modify the group.
What I see is this:
2019-04-17 18:08:27,071: [FullSyncer(xxxTest)-Thread] INFO Provisioner.doFullSync(1393) - - xxxTest-full/xxx:xxx:xxx:GMS:group6: 1 correct member subjects. Sample: ['XXXX'/'person'/'SOURCE']...
2019-04-17 18:08:27,071: [FullSyncer(xxxTest)-Thread] DEBUG LdapGroupProvisioner.updateGroupFromTemplate(258) - - xxxTest-full: Making sure (non-membership) attributes of group are up to date: cn=gms-group6,ou=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxxx,dc=xx
2019-04-17 18:08:27,146: [FullSyncer(xxxTest)-Thread] DEBUG Provisioner.evaluateJexlExpression(644) - - Evaluated GroupTemplate Jexl _expression_: 'cn=GMS-group6'
2019-04-17 18:08:27,147: [FullSyncer(xxxTest)-Thread] DEBUG Provisioner.evaluateJexlExpression(644) - - Evaluated GroupTemplate Jexl _expression_: 'GMS-group6'
2019-04-17 18:08:27,147: [FullSyncer(xxxTest)-Thread] DEBUG Provisioner.evaluateJexlExpression(664) - - Evaluated entire GroupTemplate Jexl _expression_: 'dn: cn=GMS-group6
cn: GMS-group6
objectclass: group'
2019-04-17 18:08:27,147: [FullSyncer(xxxTest)-Thread] INFO LdapProvisioner.ensureLdapOusExist(775) - - xxxTest-full: Checking for (and creating) missing OUs in DN: cn=GMS-group6,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xx (wholeDnIsOu=false)
2019-04-17 18:08:27,148: [FullSyncer(xxxTest)-Thread] DEBUG LdapProvisioner.ensureLdapOusExist(812) - - xxxTest-full: OU is known to exist: OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx,DC=xxx,DC=xx
2019-04-17 18:08:27,148: [FullSyncer(xxxTest)-Thread] INFO LdapSystem.performLdapModify(392) - - xxx: Performing Ldap modification: [org.ldaptive.ModifyRequest@1312181761::modifyDn=cn=GMS-group6,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xx, attrMods=[[org.ldaptive.AttributeModification@1552851056::attrMod=REPLACE, attribute=[objectclass[group]]]], controls=null, referralHandler=null, intermediateResponseHandlers=null]
2019-04-17 18:08:27,160: [FullSyncer(xxxTest)-Thread] WARN LdapSystem.performLdapModify(407) - - xxx: Problem while modifying ldap system based on grouper expectations. Starting to perform adaptive modifications based on data already on server: [org.ldaptive.ModifyRequest@1312181761::modifyDn=cn=GMS-group6,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx, attrMods=[[org.ldaptive.AttributeModification@1552851056::attrMod=REPLACE, attribute=[objectclass[group]]]], controls=null, referralHandler=null, intermediateResponseHandlers=null]: INSUFFICIENT_ACCESS_RIGHTS
...
at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)
at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)
at org.ldaptive.provider.jndi.JndiConnection.modify(JndiConnection.java:425)
at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:397)
at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:379)
at edu.internet2.middleware.grouper.pspng.LdapSystem.makeLdapDataCorrect(LdapSystem.java:785)
at edu.internet2.middleware.grouper.pspng.LdapSystem.makeLdapObjectCorrect(LdapSystem.java:743)
at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.updateGroupFromTemplate(LdapGroupProvisioner.java:265)
at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.doFullSync(LdapGroupProvisioner.java:191)
at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.doFullSync(LdapGroupProvisioner.java:41)
at edu.internet2.middleware.grouper.pspng.Provisioner.doFullSync(Provisioner.java:1399)
at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.fullSyncGroup(FullSyncProvisioner.java:660)
at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:290)
at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:201)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
^@]; remaining name 'cn=GMS-group6,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3162)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at org.ldaptive.provider.jndi.JndiConnection.modify(JndiConnection.java:412)
... 12 more
2019-04-17 18:08:27,169: [FullSyncer(xxxTest)-Thread] ERROR LdapGroupProvisioner.updateGroupFromTemplate(274) - - xxxTest-full: Problem checking and updating group's template attributes
edu.internet2.middleware.grouper.pspng.PspException: LDAP Modification Failed
at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:432)
at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapModify(LdapSystem.java:379)
at edu.internet2.middleware.grouper.pspng.LdapSystem.makeLdapDataCorrect(LdapSystem.java:785)
at edu.internet2.middleware.grouper.pspng.LdapSystem.makeLdapObjectCorrect(LdapSystem.java:743)
at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.updateGroupFromTemplate(LdapGroupProvisioner.java:265)
at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.doFullSync(LdapGroupProvisioner.java:191)
at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.doFullSync(LdapGroupProvisioner.java:41)
at edu.internet2.middleware.grouper.pspng.Provisioner.doFullSync(Provisioner.java:1399)
at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.fullSyncGroup(FullSyncProvisioner.java:660)
at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:290)
at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:201)
at java.lang.Thread.run(Thread.java:748)
Oh.. this " Provisioner.doFullSync " starts just after I start the daemon (loader process) and keeps erroring with the above error. And requeuing the full sync... All the time... ( "Pete and repeat were sitting on the fence. Pete fell off and who was left?")
1) The second line of that log appears to show the full DN for the group but it is in all LOWER case. ( The name of the group is mixed case as is shown in on the 1st and 3rd line. )
2) The modify appears to be attempting is to change the objectclass(<--???) to the class that the group is already a part of??
3) Is there a way to turn up the logging on ldaptive to see more details about the LDAP that is being done?
If it helps here is a "scrubbed" copy of the config...
The only thing that is "strange" ( I think ) is what I am doing with the cn value.
I am stripping part of the grouper path up to the folder tagged for the provisioner. And then any folders under it, become "-"(dash) separated values in the CN. ( Well that is the plan, and groups are being created that way...)
changeLog.consumer.xxxTest.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.xxxTest.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.xxxTest.provisionerName = xxxTest
changeLog.consumer.xxxTest.quartzCron = 0 * * * * ?
changeLog.consumer.xxxTest.ldapPoolName = xxx
changeLog.consumer.xxxTest.isActiveDirectory = true
changeLog.consumer.xxxTest.memberAttributeName = member
changeLog.consumer.xxxTest.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.xxxTest.groupSearchBaseDn = OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
changeLog.consumer.xxxTest.groupCreationBaseDn = OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
changeLog.consumer.xxxTest.groupSearchAttributes = cn,objectclass
changeLog.consumer.xxxTest.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name.replaceFirst("xxx:xxx:xxx:","").replaceAll(":","-"),"cn", "ou")}||cn: ${group.name.replaceFirst("xxx:xxx:xxx:","").replaceAll(":","-")}||objectclass: group
changeLog.consumer.xxxTest.groupAttributeName = memberof
changeLog.consumer.xxxTest.allGroupsSearchFilter = objectClass=group
changeLog.consumer.xxxTest.singleGroupSearchFilter = (&(objectClass=group)(cn=${group.name.replaceFirst("xxx:xxx:xxx:","").replaceAll(":","-")}))
changeLog.consumer.xxxTest.userSearchBaseDn = DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
changeLog.consumer.xxxTest.userSearchFilter = cn=${subject.getAttributeValue("customAttributeFromSubjectSource")}
otherJob.xxxTest_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.xxxTest_full.quartzCron = 0 0 0 * * ?
Thanks for any guidance / clue bricks. 😊
--
Carey Matthew
- [grouper-users] PSPNG to AD question...., Black, Carey M., 04/18/2019
- Re: [grouper-users] PSPNG to AD question...., Jeffrey Williams, 04/18/2019
Archive powered by MHonArc 2.6.19.