Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] pspng to AD error

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] pspng to AD error


Chronological Thread 
    < Chronological >      < Thread >
  • From: "Hyzer, Chris" <>
  • To: Jeffrey Williams <>
  • Cc: Grouper-Users <>, "Lee, John C" <>
  • Subject: RE: [grouper-users] pspng to AD error
  • Date: Fri, 12 Jul 2019 15:39:14 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=isc.upenn.edu;dmarc=pass action=none header.from=isc.upenn.edu;dkim=pass header.d=isc.upenn.edu;arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SqmLu6q1yWpR0fRpiZ6RmCw5X2W52FSvvYiLNtV57HI=; b=MHcD1/s7Zh6Kklc0olhyOLBFMqPijCwBmN6Wu88SJOnhC1cflfdZW3f0hjFtW0C/YCvWOdksoH25467hztb1ov4wcKTQU4hOXksdQlTGRk0vIcdfKAOLaS2uywxemIo0lJvYkAso0X0evb2M6DQB9zUJNjyMpHH1w4xQdES1D7AeFSdw1yEFL3qHo1mg6WZgfly6Wnvvb1LtIb4glAHZf4TRHS5I1WKz8eyAVxmtZLhbpNfHlHT2jU4lHSRfaWckMb0KOerjeMtGBmoUQQ/y4hEkhZT9/vJwz6M66DbqxFY2gND1iJLrWphvIAOaVyl1mPflX1C4BstPzxJcjboqZQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KoURYZguNADZnnmDF78hSPdpxZBx4ZUg8sQYoHWixdisu7s0QI4mEAlZrhCz96e4YkTutpqkafBJxw+Re+BMNmlX7P/PAkyAhpaG9p4WSFQTOKvWwvrnQ/8PN/omDeQpunVGr0AKZWZs8fy+NvGN/onv9GlJsN1WIeUGL9/hxg4tKR0Y8iHh6xw4de/GQOP0p5wdP8NCbKsrOaqP0z9HNJuVHgo7AVi1B4Q0R5uCQKsks52cw+OY2DVv8P6cnPlvAT+muCNU2kUGjzdUDNa1/W7fMn4dL5I241z13pQOiaJHXoc1RVfs8+nZhmMTrjSFKgA9xRbOhCY61lgF/fMPwg==

Maybe we need an optional group id (extension) check to make sure its less than 64 always…  would just make things easier….

 

 

From: Jeffrey Williams <>
Sent: Friday, July 12, 2019 11:34 AM
To: Hyzer, Chris <>
Cc: Grouper-Users <>; Lee, John C <>
Subject: Re: [grouper-users] pspng to AD error

 

a)  That is the defined length according to MS.  Probably unwise to change it(if possible).

b)  thats what UNCG did about a year ago and the issue has not resurfaced to date.

c) I think that's best from a PSPNG but also

d) One idea: if the folder is set to provision to ad(direct or indirect), when a user goes to define/edit the variable that maps to the cn(id or displayname, I'm guessing for most) UI/WS does a check on cn length and throws an error message(hopefully sharing the logic between UI and WS).

 

Thoughts?

 

 

 

On Fri, Jul 12, 2019, 11:19 AM Hyzer, Chris <> wrote:

Couple questions:

 

We get this error in AD.   problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130.   The CN has length 66.  Which is more than 64.  I assume that is why we get an error.

  1. Does everyone have max CN of 64 in AD?  (ive read its not wise to increase it)
  2. Should I switch to bushy provisioning?  So the group extension is more likely to be less than 64?
  3. If the PSPNG hits a limit (e.g. configured to 64 for CN) should it log it, not provision, and move on, and not get stuck?
  4. Other resolution?

 

 

Thanks

Chris

 

 

 

 

The grouper user in AD has: ReadProperty, GenericExecute, ExtendedRight, ListObject, GenericRead, GenericWrite”,“Allow

 

 

 

Type: CHANGE_LOG, host: fastprod-medium-a-02, deleteCount: 0, insertCount: 0, updateCount: 0, totalCount: 4, millisGetData: null, millisLoadData: null, threadId: 31, elapsed: 26 ms

2019-07-12 10:54:14,666: logType: overallLog, overallId: T8AHTXLA, startTime: Fri Jul 12 10:54:00 EDT 2019, jobName: CHANGE_LOG_consumer_pspng_activedirectory, dryRun: false, quartzCron: 0 * * * * ?, st\

atus: ERROR, jobType: CHANGE_LOG, host: fastprod-medium-a-02, jobMessage: Error: java.lang.RuntimeException: No entries provisioned. Batch-Start failed: LDAP problem creating object: javax.naming.direct\

ory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-03151817, #1:

        0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130

^@]; remaining name 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'

        at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)

        at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)

        at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)

        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)

        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)

        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)

        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)

        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-0315181\

7, #1:

        0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130

^@]; remaining name 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'

        at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:392)

        at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:881)

        at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:380)

        at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:42)

        at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:1010)

        at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:628)

        at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1788)

        ... 7 more

Did not get all the way through the batch! -1 != 60413179java.lang.RuntimeException: Error in loader job: null, check logs: Error: java.lang.RuntimeException: No entries provisioned. Batch-Start failed:\

LDAP problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-03151817, #1:

        0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130

^@]; remaining name 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'

        at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)

        at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)

        at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)

        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)

        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)

        at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)

        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)

        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-0315181\

7, #1:

        0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), , threadId: 23, elapsed: 14521 ms


Archive powered by MHonArc 2.6.19.

Top of Page