grouper-users - RE: [grouper-users] pspng to AD error
- From: "Black, Carey M." <>
- To: "Gettes, Michael" <>, "Eszes, Gabor" <>
- Cc: Bert Lindgren <>, Chris Hyzer <>, Jeffrey Williams <>, Grouper-Users <>, "Lee, John C" <>
- Subject: RE: [grouper-users] pspng to AD error
- Date: Fri, 12 Jul 2019 16:54:01 +0000
All,
AD has lots of confusing rules about “attribute values”. (Most "LDAP servers" have no idea what a "unique index" is....)
And the “effective rules” depend on how “backwards compatible” you need to be for your AD versions as well.
All from memory... and I am not an AD admin... not trying to play one on this mailing list... :) [please correct me if I am wrong. :)]

a) Does everyone have max CN of 64 in AD? (I've read it's not wise to increase it)

I think the AD attribute is always defined as “longer than that”. (But it may depend on the AD version too.)
However, there are also logical length issues that are really the problem. And the exact numbers depend on the AD compatibility you need to support.
Things like: something else is limited to 255 and it is constructed with the CN and the something else. And the "something else" is limited to 200? So sometimes 64 is still too long?
Strange rules lie in wait for you in the land of AD.

Functionally… if you stick to all of these rules then you should be OK under most (I am not brave enough to claim all) conditions/combinations/versions.
1) CN should match samAccountName
2) samAccountName is limited to 20 characters.
3) samAccountName needs to be UNIQUE ACROSS ALL samAccountName values in the domain.

NOTE #1: The samAccountName attribute has been deprecated for years. And it is still actively used as a constraint (rules #2 and #3) in all versions of AD that I have ever used.
NOTE #2: The samAccountName attribute is still DISPLAYED as the “normal name” for User objects in even the newest AD tools (PowerShell based). Despite it being deprecated.
NOTE #3: In later AD versions you can actually not supply a samAccountName value and AD will create a value that supports rules #2 and #3 (be mindful of note #2).
b) Should I switch to bushy provisioning? So the group extension is more likely to be less than 64?

Due to the additional constraints on the value, a shorter name is only part of the problem.

c) If the PSPNG hits a limit (e.g. configured to 64 for CN) should it log it, not provision, and move on, and not get stuck?

I know this is a “one-off thing for AD”… but.. it is AD after all….
I would rather have a way to have grouper create “unique value(s)” during provisioning.
Then stuff the values back into grouper as attributes on the group/member object.
And more generally support the option of “unique values” for an attributeName. :) Maybe via a meta assignment to the AttributeDef that identifies a List of attributeNames in that def that “attributeNamesRequireUniqueValues”.
Yes, "don't get stuck"... send email (or some other "flair" to an "error group") and move on. (And have a way to mark the problem to be skipped the next time and allow the "error group" to say "ok.. try again...")

d) Other resolution?

Just use shorter names that you "know are unique across your whole AD"?
Get the values from attributes on the group? (That you create/maintain with some process outside of grouper. ← sad.. but you could do that too….)
--
Carey Matthew
-----Original Message-----
From: <> On Behalf Of Gettes, Michael
Sent: Friday, July 12, 2019 12:47 PM
To: Eszes, Gabor <>
Cc: Bert Lindgren <>; Chris Hyzer <>; Jeffrey Williams <>; Grouper-Users <>; Lee, John C <>
Subject: Re: [grouper-users] pspng to AD error
And the kludge gets complicated… ain't it funny how these patterns repeat?
Gabor - not saying what you suggest is wrong. just observing.
/mrg
> On Jul 12, 2019, at 12:42 PM, Eszes, Gabor <> wrote:
>
> We use a similar trick. After considering all the requirements (length
> limit, maintaining human readability, content-based deterministic output,
> avoiding dependence on stateful counter), other solutions fall away and the
> hash suffix remains. It'd be worth including a util function that can
> generate names of this variety, with some sensible defaults, and
> configurability for those who need it. Params for max length, separator
> char, suffix length, possibly params for hash and hash encoding.
>
> ________________________________________
> From: <> on behalf of Bee-Lindgren, Bert <>
> Sent: Friday, July 12, 2019 12:22:15 PM
> To: Gettes, Michael
> Cc: Chris Hyzer; Jeffrey Williams; Grouper-Users; Lee, John C
> Subject: Re: [grouper-users] pspng to AD error
>
> Seeking consensus of something goofy we do with our AD groups at GT...
>
> If the CN exceeds 64 characters, we make the cn the first 59 characters
> followed by a dash and then a few characters of the hex hash of the entire
> value. In the last 12 years, no one has complained because the first 59
> characters are generally enough [1] to tell what the group is and the
> description is complete.
>
> [1] - We reverse the group path in the cn so the most important parts are
> first.
>
>
> I haven’t standardized this in PSPNG because it is so kludgey, but I can
> create a util function easily enough.
>
> What do people think?
>
>> On Jul 12, 2019, at 12:10 PM, Gettes, Michael <> wrote:
>>
>> If you are doing bushy with the utils.bushyDN as described at
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__nam03.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fspaces.at.internet2.edu-252Fdisplay-252FGrouper-252FGrouper-252BProvisioning-253A-252BPSPNG-2523GrouperProvisioning-253APSPNG-2DBushyDNs-26amp-3Bdata-3D02-257C01-257Cgeszes-2540odu.edu-257Ce8507518dd0f427ff7fa08d706e525ff-257C48bf86e811a24b8a8cb368d8be2227f3-257C0-257C0-257C636985453582616031-26amp-3Bsdata-3DgpN-252FzRHpEG3nByDqDaAidgKXLAmMJ3-252B-252Bgs-252B7CFmUjoU-253D-26amp-3Breserved-3D0&d=DwIF-g&c=sJ6xIWYx-zLMB3EPkvcnVg&r=wEQWI9G4vDvpfmhpuO6yww&m=s3RAWRneAAORCcQgNbyoEP7gBhPtRR4HxCtSu6PGhKw&s=jotShnaC9eYUmYvBzimgIEcOfsE2xbEboHdqPpfTllc&e=
>> then you still need to worry about each component in the bushyDN not
>> exceeding 64.
>>
>> Years ago someone at MS mis-read an aspect of the PKI specification and
>> decided it was necessary to limit CN (and I believe any DN component)
>> within AD to 64 since a DN could be used in a cert. That’s at least some
>> of the “why” behind this limitation. I think a few of you can imagine my
>> exasperation when we learned about this and then trying to get MS to fix
>> it. The dent above my right eye is from banging my head on the desk that
>> time.
>>
>> /mrg
>>
>>> On Jul 12, 2019, at 11:39 AM, Hyzer, Chris <> wrote:
>>>
>>> Maybe we need an optional group id (extension) check to make sure its
>>> less than 64 always… would just make things easier….
>>>
>>>
>>> From: Jeffrey Williams <>
>>> Sent: Friday, July 12, 2019 11:34 AM
>>> To: Hyzer, Chris <>
>>> Cc: Grouper-Users <>; Lee, John C
>>> <>
>>> Subject: Re: [grouper-users] pspng to AD error
>>>
>>> a) That is the defined length according to MS. Probably unwise to
>>> change it (if possible).
>>> b) That's what UNCG did about a year ago and the issue has not resurfaced
>>> to date.
>>> c) I think that's best from a PSPNG but also
>>> d) One idea: if the folder is set to provision to AD (direct or indirect),
>>> when a user goes to define/edit the variable that maps to the cn (id or
>>> displayname, I'm guessing for most) UI/WS does a check on cn length and
>>> throws an error message (hopefully sharing the logic between UI and WS).
>>>
>>> Thoughts?
>>>
>>>
>>>
>>>
>>> On Fri, Jul 12, 2019, 11:19 AM Hyzer, Chris <> wrote:
>>> Couple questions:
>>>
>>> We get this error in AD: problem 1005 (CONSTRAINT_ATT_TYPE), data 0,
>>> Att 3 (cn):len 130. The CN has length 66, which is more than 64. I
>>> assume that is why we get an error.
>>> • Does everyone have max CN of 64 in AD? (I've read it's not wise to
>>> increase it)
>>> • Should I switch to bushy provisioning? So the group extension is
>>> more likely to be less than 64?
>>> • If the PSPNG hits a limit (e.g. configured to 64 for CN) should
>>> it log it, not provision, and move on, and not get stuck?
>>> • Other resolution?
>>>
>>>
>>> Thanks
>>> Chris
>>>
>>>
>>>
>>>
>>> The grouper user in AD has: ReadProperty, GenericExecute, ExtendedRight,
>>> ListObject, GenericRead, GenericWrite”,“Allow
>>>
>>>
>>>
>>> Type: CHANGE_LOG, host: fastprod-medium-a-02, deleteCount: 0,
>>> insertCount: 0, updateCount: 0, totalCount: 4, millisGetData: null,
>>> millisLoadData: null, threadId: 31, elapsed: 26 ms
>>> 2019-07-12 10:54:14,666: logType: overallLog, overallId: T8AHTXLA,
>>> startTime: Fri Jul 12 10:54:00 EDT 2019, jobName:
>>> CHANGE_LOG_consumer_pspng_activedirectory, dryRun: false, quartzCron: 0 *
>>> * * * ?, st\
>>> atus: ERROR, jobType: CHANGE_LOG, host: fastprod-medium-a-02, jobMessage:
>>> Error: java.lang.RuntimeException: No entries provisioned. Batch-Start
>>> failed: LDAP problem creating object: javax.naming.direct\
>>> ory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082:
>>> AtrErr: DSID-03151817, #1:
>>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>>> 0, Att 3 (cn):len 130
>>> ^@]; remaining name
>>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)
>>> at
>>> edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)
>>> at
>>> edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>>> at
>>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
>>> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP
>>> problem creating object:
>>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>>> 19 - 00002082: AtrErr: DSID-0315181\
>>> 7, #1:
>>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>>> 0, Att 3 (cn):len 130
>>> ^@]; remaining name
>>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>>> at
>>> edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:392)
>>> at
>>> edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:881)
>>> at
>>> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:380)
>>> at
>>> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:42)
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:1010)
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:628)
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1788)
>>> ... 7 more
>>> Did not get all the way through the batch! -1 !=
>>> 60413179java.lang.RuntimeException: Error in loader job: null, check
>>> logs: Error: java.lang.RuntimeException: No entries provisioned.
>>> Batch-Start failed:\
>>> LDAP problem creating object:
>>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>>> 19 - 00002082: AtrErr: DSID-03151817, #1:
>>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data
>>> 0, Att 3 (cn):len 130
>>> ^@]; remaining name
>>> 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>>> at
>>> edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)
>>> at
>>> edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)
>>> at
>>> edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>>> at
>>> edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>>> at
>>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
>>> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP
>>> problem creating object:
>>> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
>>> 19 - 00002082: AtrErr: DSID-0315181\
>>> 7, #1:
>>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), ,
>>> threadId: 23, elapsed: 14521 ms
>>
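The "first 59 characters, a dash, then a few hex characters of a hash of the whole value" scheme Bert describes, with the knobs Gabor lists (max length, separator, suffix length, hash) as parameters, written here as an added example for this thread; it is not PSPNG's or any poster's code, the function names are chosen here, and sha256 with a 4-hex-character suffix are assumed defaults.

```python
import hashlib

# Added example, not PSPNG code: a stateless, deterministic CN shortener in
# the style described in this thread (59 chars + "-" + hex of a hash of the
# whole value), with the knobs from the thread exposed as parameters.

def reverse_group_path(group_name: str, delim: str = ":") -> str:
    """Put the leaf of a Grouper path first ('a:b:leaf' -> 'leaf:b:a') so a
    truncated CN keeps the most specific, human-meaningful part."""
    return delim.join(reversed(group_name.split(delim)))


def bounded_cn(name: str, max_len: int = 64, sep: str = "-",
               suffix_len: int = 4, hash_name: str = "sha256") -> str:
    """Return name unchanged if it fits in max_len; otherwise its first
    (max_len - len(sep) - suffix_len) characters, then sep, then the first
    suffix_len hex characters of hash_name(name). Same input, same output,
    no counter or other state to keep in sync with AD."""
    if len(name) <= max_len:
        return name
    keep = max_len - len(sep) - suffix_len
    if keep <= 0:
        raise ValueError("max_len leaves no room for a stem")
    digest = hashlib.new(hash_name, name.encode("utf-8")).hexdigest()
    return name[:keep] + sep + digest[:suffix_len]


def map_group_cns(group_names, reverse_path: bool = True, **opts) -> dict:
    """Map each Grouper group name to a CN, refusing two different groups
    that shorten to the same CN (a short suffix can collide, and the
    provisioner should fail loudly rather than target the wrong AD group)."""
    by_cn, result = {}, {}
    for g in group_names:
        cn = bounded_cn(reverse_group_path(g) if reverse_path else g, **opts)
        if cn in by_cn and by_cn[cn] != g:
            raise ValueError(f"CN collision: {g!r} and {by_cn[cn]!r} -> {cn!r}")
        by_cn[cn], result[g] = g, cn
    return result


if __name__ == "__main__":
    # The group name from the error in this thread (it exceeds 64), plus a
    # constructed sibling that differs only in its leaf; both must fit AD's CN.
    groups = ["penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors",
              "penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors_admins"]
    for g, cn in map_group_cns(groups).items():
        print(f"{len(cn):2d} {cn}  <- {g}")
```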