grouper-users - Re: [grouper-users] pspng to AD error

Subject: Grouper Users - Open Discussion List

Re: [grouper-users] pspng to AD error


  • From: "Bee-Lindgren, Bert" <>
  • To: "Gettes, Michael" <>
  • Cc: Chris Hyzer <>, Jeffrey Williams <>, Grouper-Users <>, "Lee, John C" <>
  • Subject: Re: [grouper-users] pspng to AD error
  • Date: Fri, 12 Jul 2019 16:22:15 +0000

Seeking consensus on something goofy we do with our AD groups at GT...

If the CN exceeds 64 characters, we make the cn the first 59 characters
followed by a dash and then a few characters of the hex hash of the entire
value. In the last 12 years, no one has complained because the first 59
characters are generally enough [1] to tell what the group is and the
description is complete.

[1] - We reverse the group path in the cn so the most important parts are
first.


I haven’t standardized this in PSPNG because it is so kludgey, but I can
create a util function easily enough.

What do people think?

> On Jul 12, 2019, at 12:10 PM, Gettes, Michael <> wrote:
>
> If you are doing bushy with the utils.bushyDN as described at
> https://spaces.at.internet2.edu/display/Grouper/Grouper+Provisioning:+PSPNG#GrouperProvisioning:PSPNG-BushyDNs
> then you still need to worry about each component in the bushyDN not
> exceeding 64.
>
> Years ago someone at MS mis-read an aspect of the PKI specification and
> decided it was necessary to limit CN (and I believe any DN component)
> within AD to 64 since a DN could be used in a cert. That’s at least some
> of the “why” behind this limitation. I think a few of you can imagine my
> exasperation when we learned about this and then trying to get MS to fix
> it. The dent above my right eye is from banging my head on the desk that
> time.
>
> /mrg
>
>> On Jul 12, 2019, at 11:39 AM, Hyzer, Chris <> wrote:
>>
>> Maybe we need an optional group id (extension) check to make sure it's less
>> than 64 always… would just make things easier….
>>
>>
>> From: Jeffrey Williams <>
>> Sent: Friday, July 12, 2019 11:34 AM
>> To: Hyzer, Chris <>
>> Cc: Grouper-Users <>; Lee, John C
>> <>
>> Subject: Re: [grouper-users] pspng to AD error
>>
>> a) That is the defined length according to MS. Probably unwise to change
>> it (if possible).
>> b) That's what UNCG did about a year ago and the issue has not resurfaced
>> to date.
>> c) I think that's best from a PSPNG but also
>> d) One idea: if the folder is set to provision to AD (direct or indirect),
>> when a user goes to define/edit the variable that maps to the cn (id or
>> displayname, I'm guessing for most) UI/WS does a check on cn length and
>> throws an error message (hopefully sharing the logic between UI and WS).
>>
>> Thoughts?
>>
>>
>>
>>
>> On Fri, Jul 12, 2019, 11:19 AM Hyzer, Chris <> wrote:
>> Couple questions:
>>
>> We get this error in AD: problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att
>> 3 (cn):len 130. The CN has length 66, which is more than 64. I assume
>> that is why we get an error.
>> • Does everyone have max CN of 64 in AD? (I've read it's not wise to
>> increase it)
>> • Should I switch to bushy provisioning? So the group extension is
>> more likely to be less than 64?
>> • If the PSPNG hits a limit (e.g. configured to 64 for CN) should
>> it log it, not provision, and move on, and not get stuck?
>> • Other resolution?
>>
>>
>> Thanks
>> Chris
>>
>>
>>
>>
>> The grouper user in AD has: ReadProperty, GenericExecute, ExtendedRight,
>> ListObject, GenericRead, GenericWrite", "Allow
>>
>>
>>
>> Type: CHANGE_LOG, host: fastprod-medium-a-02, deleteCount: 0, insertCount:
>> 0, updateCount: 0, totalCount: 4, millisGetData: null, millisLoadData:
>> null, threadId: 31, elapsed: 26 ms
>> 2019-07-12 10:54:14,666: logType: overallLog, overallId: T8AHTXLA,
>> startTime: Fri Jul 12 10:54:00 EDT 2019, jobName:
>> CHANGE_LOG_consumer_pspng_activedirectory, dryRun: false, quartzCron: 0 *
>> * * * ?, status: ERROR, jobType: CHANGE_LOG, host: fastprod-medium-a-02,
>> jobMessage: Error: java.lang.RuntimeException: No entries provisioned.
>> Batch-Start failed: LDAP problem creating object:
>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>> 19 - 00002082: AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>> 0, Att 3 (cn):len 130
>> ^@]; remaining name
>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>
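Bert's "first 59 characters, a dash, then a few hex characters of the hash" scheme together with the pre-provisioning length check Chris and Jeffrey float, as an added Python example that is not code from the thread or from PSPNG. It assumes SHA-256 as the hash (the post does not name one), a 4-character suffix so the result is exactly 64, that the hash is taken over the full reversed cn, and a constructed sample group name taken from the error log above.

```python
import hashlib

# Active Directory caps each RDN component, including cn, at 64 characters
# (the limit the thread is about).
AD_CN_MAX = 64
# Bert keeps the first 59 characters verbatim; with the dash that leaves
# 4 hex characters of hash to land on exactly 64 (assumed here).
PREFIX_LEN = 59


def reversed_path(group_name, sep=":"):
    """Reverse the Grouper group path so the extension and nearest stems
    come first, e.g. 'a:b:c' -> 'c:b:a' (Bert's footnote [1])."""
    return sep.join(reversed(group_name.split(sep)))


def ad_cn(group_name, max_len=AD_CN_MAX, prefix_len=PREFIX_LEN):
    """Build an AD-safe cn: the reversed path if it fits, otherwise the
    first prefix_len characters, a dash, and a hex-hash suffix that pads
    the result to max_len.  SHA-256 over the full reversed cn is an
    assumption; the post only says 'hex hash of the entire value'."""
    cn = reversed_path(group_name)
    if len(cn) <= max_len:
        return cn
    suffix_len = max_len - prefix_len - 1          # one char for the dash
    digest = hashlib.sha256(cn.encode("utf-8")).hexdigest()
    return f"{cn[:prefix_len]}-{digest[:suffix_len]}"


def check_cn(cn, max_len=AD_CN_MAX):
    """Guard to run before the LDAP add, in the spirit of Chris's idea:
    fail early so the job can log and skip rather than abort the batch."""
    if len(cn) > max_len:
        raise ValueError(f"cn exceeds {max_len} characters: {cn!r}")
    return cn


def find_collisions(group_names):
    """Map produced cns back to their group names and return only the cns
    that more than one group maps to (they would clash inside one OU).
    Four hex characters are only 16 bits, so run this over the full set
    of groups a target will hold, not just the new one."""
    seen = {}
    for name in group_names:
        seen.setdefault(ad_cn(name), []).append(name)
    return {cn: names for cn, names in seen.items() if len(names) > 1}


# Constructed sample: the over-long group from the error log in the thread.
EXAMPLE = "penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors"
```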


