
grouper-users - Re: [grouper-users] pspng to AD error

Subject: Grouper Users - Open Discussion List

Re: [grouper-users] pspng to AD error


  • From: "Gettes, Michael" <>
  • To: "Eszes, Gabor" <>
  • Cc: Bert Lindgren <>, Chris Hyzer <>, Jeffrey Williams <>, Grouper-Users <>, "Lee, John C" <>
  • Subject: Re: [grouper-users] pspng to AD error
  • Date: Fri, 12 Jul 2019 16:46:56 +0000

And the kludge gets complicated… ain't it funny how these patterns repeat?

Gabor - not saying what you suggest is wrong. just observing.

/mrg

> On Jul 12, 2019, at 12:42 PM, Eszes, Gabor <> wrote:
>
> We use a similar trick. After considering all the requirements (length
> limit, maintaining human readability, content-based deterministic output,
> avoiding dependence on stateful counter), other solutions fall away and the
> hash suffix remains. It'd be worth including a util function that can
> generate names of this variety, with some sensible defaults, and
> configurability for those who need it. Params for max length, separator
> char, suffix length, possibly params for hash and hash encoding.
>
> ________________________________________
> From:
> <> on behalf of Bee-Lindgren, Bert
> <>
> Sent: Friday, July 12, 2019 12:22:15 PM
> To: Gettes, Michael
> Cc: Chris Hyzer; Jeffrey Williams; Grouper-Users; Lee, John C
> Subject: Re: [grouper-users] pspng to AD error
>
> Seeking consensus of something goofy we do with our AD groups at GT...
>
> If the CN exceeds 64 characters, we make the cn the first 59 characters
> followed by a dash and then a few characters of the hex hash of the entire
> value. In the last 12 years, no one has complained because the first 59
> characters is generally enough [1] to tell what the group is and the
> description is complete.
>
> [1] - We reverse the group path in the cn so the most important parts are
> first.
>
>
> I haven’t standardized this in PSPNG because it is so kludgey, but I can
> create a util function easily enough.
>
> What do people think?
>
>> On Jul 12, 2019, at 12:10 PM, Gettes, Michael <> wrote:
>>
>> If you are doing bushy with the utils.bushyDN as described at
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__nam03.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fspaces.at.internet2.edu-252Fdisplay-252FGrouper-252FGrouper-252BProvisioning-253A-252BPSPNG-2523GrouperProvisioning-253APSPNG-2DBushyDNs-26amp-3Bdata-3D02-257C01-257Cgeszes-2540odu.edu-257Ce8507518dd0f427ff7fa08d706e525ff-257C48bf86e811a24b8a8cb368d8be2227f3-257C0-257C0-257C636985453582616031-26amp-3Bsdata-3DgpN-252FzRHpEG3nByDqDaAidgKXLAmMJ3-252B-252Bgs-252B7CFmUjoU-253D-26amp-3Breserved-3D0&d=DwIF-g&c=sJ6xIWYx-zLMB3EPkvcnVg&r=wEQWI9G4vDvpfmhpuO6yww&m=s3RAWRneAAORCcQgNbyoEP7gBhPtRR4HxCtSu6PGhKw&s=jotShnaC9eYUmYvBzimgIEcOfsE2xbEboHdqPpfTllc&e=
>> then you still need to worry about each component in the bushyDN not
>> exceeding 64.
>>
>> Years ago someone at MS mis-read an aspect of the PKI specification and
>> decided it was necessary to limit CN (and I believe any DN component)
>> within AD to 64 since a DN could be used in a cert. That’s at least some
>> of the “why” behind this limitation. I think a few of you can imagine my
>> exasperation when we learned about this and then trying to get MS to fix
>> it. The dent above my right eye is from banging my head on the desk that
>> time.
>>
>> /mrg
>>
>>> On Jul 12, 2019, at 11:39 AM, Hyzer, Chris <> wrote:
>>>
>>> Maybe we need an optional group id (extension) check to make sure it's
>>> less than 64 always… would just make things easier….
>>>
>>>
>>> From: Jeffrey Williams <>
>>> Sent: Friday, July 12, 2019 11:34 AM
>>> To: Hyzer, Chris <>
>>> Cc: Grouper-Users <>; Lee, John C
>>> <>
>>> Subject: Re: [grouper-users] pspng to AD error
>>>
>>> a) That is the defined length according to MS. Probably unwise to
>>> change it (if possible).
>>> b) That's what UNCG did about a year ago and the issue has not resurfaced
>>> to date.
>>> c) I think that's best from a PSPNG but also
>>> d) One idea: if the folder is set to provision to AD (direct or indirect),
>>> when a user goes to define/edit the variable that maps to the cn (id or
>>> displayname, I'm guessing for most) UI/WS does a check on cn length and
>>> throws an error message (hopefully sharing the logic between UI and WS).
>>>
>>> Thoughts?
>>>
>>>
>>>
>>>
>>> On Fri, Jul 12, 2019, 11:19 AM Hyzer, Chris <> wrote:
>>> Couple questions:
>>>
>>> We get this error in AD. problem 1005 (CONSTRAINT_ATT_TYPE), data 0,
>>> Att 3 (cn):len 130. The CN has length 66. Which is more than 64. I
>>> assume that is why we get an error.
>>> • Does everyone have max CN of 64 in AD? (I've read it's not wise to
>>> increase it)
>>> • Should I switch to bushy provisioning? So the group extension is
>>> more likely to be less than 64?
>>> • If the PSPNG hits a limit (e.g. configured to 64 for CN) should
>>> it log it, not provision, and move on, and not get stuck?
>>> • Other resolution?
>>>
>>>
>>> Thanks
>>> Chris
>>>
>>>
>>>
>>>
>>> The grouper user in AD has: ReadProperty, GenericExecute, ExtendedRight,
>>> ListObject, GenericRead, GenericWrite”,“Allow
>>>
>>>
>>>
>>> Type: CHANGE_LOG, host: fastprod-medium-a-02, deleteCount: 0,
>>> insertCount: 0, updateCount: 0, totalCount: 4, millisGetData: null,
>>> millisLoadData: null, threadId: 31, elapsed: 26 ms
>>> 2019-07-12 10:54:14,666: logType: overallLog, overallId: T8AHTXLA,
>>> startTime: Fri Jul 12 10:54:00 EDT 2019, jobName:
>>> CHANGE_LOG_consumer_pspng_activedirectory, dryRun: false, quartzCron: 0 *
>>> * * * ?, st\
>>> atus: ERROR, jobType: CHANGE_LOG, host: fastprod-medium-a-02, jobMessage:
>>> Error: java.lang.RuntimeException: No entries provisioned. Batch-Start
>>> failed: LDAP problem creating object: javax.naming.direct\
>>> ory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082:
>>> AtrErr: DSID-03151817, #1:
>>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>>> 0, Att 3 (cn):len 130
>>> ^@]; remaining name
>>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)
>>> at
>>> edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)
>>> at
>>> edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>>> at
>>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
>>> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP
>>> problem creating object:
>>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>>> 19 - 00002082: AtrErr: DSID-0315181\
>>> 7, #1:
>>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>>> 0, Att 3 (cn):len 130
>>> ^@]; remaining name
>>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>>> at
>>> edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:392)
>>> at
>>> edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:881)
>>> at
>>> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:380)
>>> at
>>> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:42)
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:1010)
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:628)
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1788)
>>> ... 7 more
>>> Did not get all the way through the batch! -1 !=
>>> 60413179java.lang.RuntimeException: Error in loader job: null, check
>>> logs: Error: java.lang.RuntimeException: No entries provisioned.
>>> Batch-Start failed:\
>>> LDAP problem creating object:
>>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>>> 19 - 00002082: AtrErr: DSID-03151817, #1:
>>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>>> 0, Att 3 (cn):len 130
>>> ^@]; remaining name
>>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)
>>> at
>>> edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)
>>> at
>>> edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>>> at
>>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
>>> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP
>>> problem creating object:
>>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>>> 19 - 00002082: AtrErr: DSID-0315181\
>>> 7, #1:
>>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), ,
>>> threadId: 23, elapsed: 14521 ms
>>
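Bert's shortening scheme from the thread (leading characters, a dash, a few hex digits of a hash of the whole value) with the knobs Gabor lists (max length, separator, suffix length, hash algorithm), as an added example; this is not code from the thread or from PSPNG. The `reverse_path` option, the collision check and the `sha256` default are assumptions of this example, and the sample CN is the group extension from the AD error quoted above.

```python
import hashlib
from collections import defaultdict

AD_CN_MAX = 64  # the per-component limit the thread runs into


def shorten_cn(name, max_len=AD_CN_MAX, sep="-", suffix_len=4,
               hash_name="sha256", reverse_path=False, path_sep=":"):
    """Deterministically fit `name` into at most `max_len` characters.

    Names that already fit are returned unchanged.  Longer names keep
    their leading characters and get `sep` plus the first `suffix_len`
    hex digits of hash(name), so the same input always yields the same
    CN with no stateful counter.  With the thread's numbers (64, "-",
    4) that is 59 characters + "-" + 4 hex digits.
    """
    if reverse_path:
        # Bert's footnote: put the most specific path component first.
        # Assumption here: the hash covers the reversed value.
        name = path_sep.join(reversed(name.split(path_sep)))
    if len(name) <= max_len:
        return name
    keep = max_len - len(sep) - suffix_len
    if keep < 1:
        raise ValueError("max_len leaves no room for a readable prefix")
    digest = hashlib.new(hash_name, name.encode("utf-8")).hexdigest()
    return name[:keep] + sep + digest[:suffix_len]


def find_collisions(names, **kwargs):
    """Return {shortened_cn: [originals]} for every CN that two or more
    source groups would map to.  A 4-hex-digit suffix is only 16 bits,
    so run this over the full group list before bulk provisioning."""
    by_cn = defaultdict(list)
    for n in names:
        by_cn[shorten_cn(n, **kwargs)].append(n)
    return {cn: srcs for cn, srcs in by_cn.items() if len(srcs) > 1}


# Group extension from the AD error quoted in the thread.
LONG_CN = "penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors"

if __name__ == "__main__":
    short = shorten_cn(LONG_CN)
    print(len(LONG_CN), "->", len(short), short)
    print(shorten_cn(LONG_CN, reverse_path=True))
    print(find_collisions([LONG_CN, LONG_CN + "_old", "penn:short"]))
```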