
grouper-users - Re: [grouper-users] pspng to AD error

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] pspng to AD error


  • From: "Eszes, Gabor" <>
  • To: "Gettes, Michael" <>, "Bee-Lindgren, Bert" <>
  • Cc: Chris Hyzer <>, Jeffrey Williams <>, Grouper-Users <>, "Lee, John C" <>
  • Subject: Re: [grouper-users] pspng to AD error
  • Date: Fri, 12 Jul 2019 16:42:47 +0000

We use a similar trick. After considering all the requirements (length limit,
maintaining human readability, content-based deterministic output, avoiding
dependence on stateful counter), other solutions fall away and the hash
suffix remains. It'd be worth including a util function that can generate
names of this variety, with some sensible defaults, and configurability for
those who need it. Params for max length, separator char, suffix length,
possibly params for hash and hash encoding.
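The naming scheme this thread converges on (keep a readable prefix of the group name, then a separator and a few characters of a hash of the whole value, with the group path reversed so the most specific component comes first, and with the limit, separator, suffix length, hash and encoding all configurable), together with the up-front length check proposed further down the thread, as an added Python example. This is not PSPNG or Grouper code and not what GT or ODU actually run; the defaults (SHA-256, 4 hex characters, "-" as separator, 64 as the limit) are assumptions, since the thread does not say which hash or how many characters anyone uses. The sample group name is the one from the AD error in the thread; the other names are constructed.

```python
"""Deterministic, length-limited cn values for AD group provisioning.

Added example, not PSPNG code. The 64 below is AD's schema limit on cn
(rangeUpper); every other default is an assumption for illustration.
"""
import base64
import hashlib

AD_CN_MAX = 64  # AD schema rangeUpper for cn


def reverse_group_path(group_name, delimiter=":"):
    """Put the most specific component first so a truncated prefix still
    says what the group is: 'penn:isc:apps:foo' -> 'foo:apps:isc:penn'."""
    return delimiter.join(reversed(group_name.split(delimiter)))


def cn_fits(value, max_len=AD_CN_MAX):
    """Pre-flight check a UI/WS could run when a name is defined: True iff
    the value can be provisioned as a cn without a CONSTRAINT_ATT_TYPE
    error. Counts characters; assumes that is how the limit is applied."""
    return 0 < len(value) <= max_len


def ad_safe_cn(value, max_len=AD_CN_MAX, sep="-", suffix_len=4,
               hash_name="sha256", encoding="hex"):
    """Return value unchanged if it fits; otherwise the first
    (max_len - len(sep) - suffix_len) characters, then sep, then the first
    suffix_len characters of the encoded hash of the WHOLE value.

    The suffix depends only on the input, so the same group always gets the
    same cn (needed to find it again for updates and deletes) and no
    counter or lookup table has to be kept."""
    if suffix_len < 1:
        raise ValueError("suffix_len must be >= 1")
    if cn_fits(value, max_len):
        return value
    digest = hashlib.new(hash_name, value.encode("utf-8")).digest()
    if encoding == "hex":
        encoded = digest.hex()
    elif encoding == "base32":
        encoded = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    else:
        raise ValueError(f"unsupported encoding {encoding!r}")
    if len(encoded) < suffix_len:
        raise ValueError("suffix_len exceeds the encoded digest length")
    keep = max_len - len(sep) - suffix_len
    if keep < 1:
        raise ValueError("max_len leaves no room for a readable prefix")
    result = value[:keep] + sep + encoded[:suffix_len]
    assert len(result) == max_len  # value was longer than max_len >= keep
    return result


def distinct_cns(group_names, **kwargs):
    """Map every group to its cn and fail loudly on a collision. This is the
    failure mode of a short suffix: 4 hex characters is only 16 bits, so a
    large set of groups sharing the same 59-character prefix can collide,
    and a collision would silently merge two groups' memberships in AD."""
    seen = {}
    for name in group_names:
        cn = ad_safe_cn(reverse_group_path(name), **kwargs)
        if cn in seen and seen[cn] != name:
            raise RuntimeError(
                f"cn collision: {name!r} and {seen[cn]!r} both map to {cn!r}")
        seen[cn] = name
    return seen


if __name__ == "__main__":
    # 65-character name taken from the error quoted in this thread.
    name = "penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors"
    print(cn_fits(name), ad_safe_cn(reverse_group_path(name)))
```

Because the suffix is computed over the full value, two groups that share their first 59 characters still get different names unless the 16-bit hash collides; raise suffix_len (or switch to base32, which packs more bits per character) if you have many long names under one folder. Note that changing any of the parameters later renames every group that was already truncated, so treat them as fixed once groups have been provisioned.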

________________________________________
From: <> on behalf of Bee-Lindgren, Bert <>
Sent: Friday, July 12, 2019 12:22:15 PM
To: Gettes, Michael
Cc: Chris Hyzer; Jeffrey Williams; Grouper-Users; Lee, John C
Subject: Re: [grouper-users] pspng to AD error

Seeking consensus of something goofy we do with our AD groups at GT...

If the CN exceeds 64 characters, we make the cn the first 59 characters
followed by a dash and then a few characters of the hex hash of the entire
value. In the last 12 years, no one has complained because the first 59
characters are generally enough [1] to tell what the group is and the
description is complete.

[1] - We reverse the group path in the cn so the most important parts are
first.


I haven’t standardized this in PSPNG because it is so kludgey, but I can
create a util function easily enough.

What do people think?

> On Jul 12, 2019, at 12:10 PM, Gettes, Michael <> wrote:
>
> If you are doing bushy with the utils.bushyDN as described at
> https://spaces.at.internet2.edu/display/Grouper/Grouper+Provisioning:+PSPNG#GrouperProvisioning:PSPNG-BushyDNs
> then you still need to worry about each component in the bushyDN not
> exceeding 64.
>
> Years ago someone at MS mis-read an aspect of the PKI specification and
> decided it was necessary to limit CN (and I believe any DN component)
> within AD to 64 since a DN could be used in a cert. That’s at least some
> of the “why” behind this limitation. I think a few of you can imagine my
> exasperation when we learned about this and then trying to get MS to fix
> it. The dent above my right eye is from banging my head on the desk that
> time.
>
> /mrg
>
>> On Jul 12, 2019, at 11:39 AM, Hyzer, Chris <> wrote:
>>
>> Maybe we need an optional group id (extension) check to make sure it's less
>> than 64 always… would just make things easier….
>>
>>
>> From: Jeffrey Williams <>
>> Sent: Friday, July 12, 2019 11:34 AM
>> To: Hyzer, Chris <>
>> Cc: Grouper-Users <>; Lee, John C
>> <>
>> Subject: Re: [grouper-users] pspng to AD error
>>
>> a) That is the defined length according to MS. Probably unwise to change
>> it (if possible).
>> b) That's what UNCG did about a year ago and the issue has not resurfaced
>> to date.
>> c) I think that's best from a PSPNG but also
>> d) One idea: if the folder is set to provision to AD (direct or indirect),
>> when a user goes to define/edit the variable that maps to the cn (id or
>> displayname, I'm guessing for most) UI/WS does a check on cn length and
>> throws an error message (hopefully sharing the logic between UI and WS).
>>
>> Thoughts?
>>
>>
>>
>>
>> On Fri, Jul 12, 2019, 11:19 AM Hyzer, Chris <> wrote:
>> Couple questions:
>>
>> We get this error in AD. problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att
>> 3 (cn):len 130. The CN has length 66. Which is more than 64. I assume
>> that is why we get an error.
>> • Does everyone have max CN of 64 in AD? (ive read its not wise to
>> increase it)
>> • Should I switch to bushy provisioning? So the group extension is
>> more likely to be less than 64?
>> • If the PSPNG hits a limit (e.g. configured to 64 for CN) should
>> it log it, not provision, and move on, and not get stuck?
>> • Other resolution?
>>
>>
>> Thanks
>> Chris
>>
>>
>>
>>
>> The grouper user in AD has: ReadProperty, GenericExecute, ExtendedRight,
>> ListObject, GenericRead, GenericWrite", "Allow
>>
>>
>>
>> Type: CHANGE_LOG, host: fastprod-medium-a-02, deleteCount: 0, insertCount:
>> 0, updateCount: 0, totalCount: 4, millisGetData: null, millisLoadData:
>> null, threadId: 31, elapsed: 26 ms
>> 2019-07-12 10:54:14,666: logType: overallLog, overallId: T8AHTXLA,
>> startTime: Fri Jul 12 10:54:00 EDT 2019, jobName:
>> CHANGE_LOG_consumer_pspng_activedirectory, dryRun: false, quartzCron: 0 * * * * ?,
>> status: ERROR, jobType: CHANGE_LOG, host: fastprod-medium-a-02, jobMessage:
>> Error: java.lang.RuntimeException: No entries provisioned. Batch-Start
>> failed: LDAP problem creating object:
>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082:
>> AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>> 0, Att 3 (cn):len 130
>> ^@]; remaining name
>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>> at
>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)
>> at
>> edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)
>> at
>> edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>> at
>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
>> at
>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>> at
>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>> at
>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
>> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP
>> problem creating object:
>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>> 19 - 00002082: AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>> 0, Att 3 (cn):len 130
>> ^@]; remaining name
>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>> at
>> edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:392)
>> at
>> edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:881)
>> at
>> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:380)
>> at
>> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:42)
>> at
>> edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:1010)
>> at
>> edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:628)
>> at
>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1788)
>> ... 7 more
>> Did not get all the way through the batch! -1 !=
>> 60413179java.lang.RuntimeException: Error in loader job: null, check logs:
>> Error: java.lang.RuntimeException: No entries provisioned. Batch-Start
>> failed: LDAP problem creating object:
>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>> 19 - 00002082: AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>> 0, Att 3 (cn):len 130
>> ^@]; remaining name
>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>> at
>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)
>> at
>> edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)
>> at
>> edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>> at
>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
>> at
>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>> at
>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>> at
>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
>> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP
>> problem creating object:
>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>> 19 - 00002082: AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), ,
>> threadId: 23, elapsed: 14521 ms
>


