grouper-users - Re: [grouper-users] pspng to AD error
Subject: Grouper Users - Open Discussion List
- From: Jeffrey Williams <>
- To: "Hyzer, Chris" <>
- Cc: "Bee-Lindgren, Bert" <>, "Gettes, Michael" <>, Grouper-Users <>, "Lee, John C" <>
- Subject: Re: [grouper-users] pspng to AD error
- Date: Tue, 16 Jul 2019 13:24:04 -0400
That's what I figured. At least not without problems.
On Tue, Jul 16, 2019, 12:01 PM Hyzer, Chris <> wrote:
I think I have bushy AD PSPNG working:
https://spaces.at.internet2.edu/display/Grouper/PSPNG+bushy+at+Penn
It's different than the configuration wiki. Also, I don’t see how the configuration wiki could work anyways... when you do bushy, you generally want the cn to be the extension, right?
That's been my experience.
FROM:
changeLog.consumer.<provisioner-name>.groupCreationLdifTemplate = dn: cn=${group.name},${utils.bushyDn(group.name, "cn", "ou")},dc=example,dc=edu
TO:
changeLog.consumer.pspng_activedirectoryFull.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name, "cn", "ou")}||cn: ${group.extension}||objectclass: group||sAMAccountName: ${group.id}
######################
Also, the samaccountname needs to be the uuid right?
changeLog.consumer.pspng_activedirectoryFull.singleGroupSearchFilter = (&(objectclass=group)(sAMAccountName=${group.id}))
Maybe we should add another example of bushy on the doc page (using extension?) or am I doing something wrong?
I ran into an issue updating the CN of a group if I defined samAccountName to be a static value. AD has gidNumber (as well as Grouper), so I used that instead. I also left samAccountName undefined and let AD pick some random value for it (you could try setting it to the same value as what you have in CN, ymmv). I've also found that AD will auto-populate/update CN based on the DN value itself, so I don't worry about it in my template.
I found the following config seems to give me the best flexibility in setting/updating attributes without causing AD to unnecessarily create new group objects (new SIDs, which orphan group memberships in AD):
At minimum, I think you can get away with:
changeLog.consumer.pspng_campusBushyLdap.singleGroupSearchFilter = (&(objectclass=group)(gidNumber=${idIndex}))
changeLog.consumer.pspng_campusBushyLdap.groupCreationLdifTemplate = dn:${utils.bushyDn(group.name,"CN","OU")}||objectclass:group||gidNumber: ${group.idIndex}
But I go ahead and provision all the values a user can input:
changeLog.consumer.pspng_campusBushyLdap.singleGroupSearchFilter = (&(objectclass=group)(gidNumber=${idIndex}))
changeLog.consumer.pspng_campusBushyLdap.groupCreationLdifTemplate = dn:${utils.bushyDn(group.name,"CN","OU")}||objectclass:group||description:${group.description}||displayName:${group.displayName.replace(group.parentStemName.toString()+":","")}||gidNumber: ${group.idIndex}
(displayName is ugly and if someone has a better way to get the 'extension-like' version of a display name, please let me know)
This allows groups to be made, moved, and deleted in AD without AD recreating the object and breaking permissions. It also reflects what I think are the changes that users will make to a group via the UI (membership, description, displayName, and ID in order of likelihood).
This is what I'd propose as a template model for bushy provisioning (with the addition of samAccountName=${group.Extension} if people want it and it tests out), since it'll show the user all the ways they can influence a group object from the UI (again, if someone knows a better way to pull an extension-like displayName out, let's hear it!)
Is "bushy" a grouper term? Maybe we need to more clearly define it...
I think it'd be good to give a description of both structures and the pros and cons of each.
Thanks
Chris
-----Original Message-----
From: <> On Behalf Of Hyzer, Chris
Sent: Friday, July 12, 2019 1:40 PM
To: Bee-Lindgren, Bert <>; Gettes, Michael <>
Cc: Jeffrey Williams <>; Grouper-Users <>; Lee, John C <>
Subject: RE: [grouper-users] pspng to AD error
Is that what you do to get the uuid into the samaccountname?
I'm all for this as an option. Also it should not get stuck if not using that option and if the name is too long, right?
-----Original Message-----
From: Bee-Lindgren, Bert <>
Sent: Friday, July 12, 2019 12:22 PM
To: Gettes, Michael <>
Cc: Hyzer, Chris <>; Jeffrey Williams <>; Grouper-Users <>; Lee, John C <>
Subject: Re: [grouper-users] pspng to AD error
Seeking consensus of something goofy we do with our AD groups at GT...
If the CN exceeds 64 characters, we make the cn the first 59 characters followed by a dash and then a few characters of the hex hash of the entire value. In the last 12 years, no one has complained because the first 59 characters are generally enough [1] to tell what the group is and the description is complete.
[1] - We reverse the group path in the cn so the most important parts are first.
I haven’t standardized this in PSPNG because it is so kludgey, but I can create a util function easily enough.
What do people think?
> On Jul 12, 2019, at 12:10 PM, Gettes, Michael <> wrote:
>
> If you are doing bushy with the utils.bushyDN as described at https://spaces.at.internet2.edu/display/Grouper/Grouper+Provisioning:+PSPNG#GrouperProvisioning:PSPNG-BushyDNs then you still need to worry about each component in the bushyDN not exceeding 64.
>
> Years ago someone at MS mis-read an aspect of the PKI specification and decided it was necessary to limit CN (and I believe any DN component) within AD to 64 since a DN could be used in a cert. That’s at least some of the “why” behind this limitation. I think a few of you can imagine my exasperation when we learned about this and then trying to get MS to fix it. The dent above my right eye is from banging my head on the desk that time.
>
> /mrg
>
>> On Jul 12, 2019, at 11:39 AM, Hyzer, Chris <> wrote:
>>
>> Maybe we need an optional group id (extension) check to make sure it's less than 64 always… would just make things easier….
>>
>>
>> From: Jeffrey Williams <>
>> Sent: Friday, July 12, 2019 11:34 AM
>> To: Hyzer, Chris <>
>> Cc: Grouper-Users <>; Lee, John C <>
>> Subject: Re: [grouper-users] pspng to AD error
>>
>> a) That is the defined length according to MS. Probably unwise to change it(if possible).
>> b) that's what UNCG did about a year ago and the issue has not resurfaced to date.
>> c) I think that's best from a PSPNG but also
>> d) One idea: if the folder is set to provision to AD (direct or indirect), when a user goes to define/edit the variable that maps to the cn (id or displayname, I'm guessing for most) UI/WS does a check on cn length and throws an error message (hopefully sharing the logic between UI and WS).
>>
>> Thoughts?
>>
>>
>>
>>
>> On Fri, Jul 12, 2019, 11:19 AM Hyzer, Chris <> wrote:
>> Couple questions:
>>
>> We get this error in AD: problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130. The CN has length 66, which is more than 64. I assume that is why we get an error.
>> • Does everyone have max CN of 64 in AD? (I've read it's not wise to increase it)
>> • Should I switch to bushy provisioning? So the group extension is more likely to be less than 64?
>> • If the PSPNG hits a limit (e.g. configured to 64 for CN) should it log it, not provision, and move on, and not get stuck?
>> • Other resolution?
>>
>>
>> Thanks
>> Chris
>>
>>
>>
>>
>> The grouper user in AD has: ReadProperty, GenericExecute, ExtendedRight, ListObject, GenericRead, GenericWrite", "Allow
>>
>>
>>
>> Type: CHANGE_LOG, host: fastprod-medium-a-02, deleteCount: 0, insertCount: 0, updateCount: 0, totalCount: 4, millisGetData: null, millisLoadData: null, threadId: 31, elapsed: 26 ms
>> 2019-07-12 10:54:14,666: logType: overallLog, overallId: T8AHTXLA, startTime: Fri Jul 12 10:54:00 EDT 2019, jobName: CHANGE_LOG_consumer_pspng_activedirectory, dryRun: false, quartzCron: 0 * * * * ?, status: ERROR, jobType: CHANGE_LOG, host: fastprod-medium-a-02, jobMessage: Error: java.lang.RuntimeException: No entries provisioned. Batch-Start failed: LDAP problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130
>> ^@]; remaining name 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>> at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)
>> at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)
>> at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>> at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
>> at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>> at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>> at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
>> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130
>> ^@]; remaining name 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>> at edu.internet2.middleware.grouper.pspng.LdapSystem.performLdapAdd(LdapSystem.java:392)
>> at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:881)
>> at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:380)
>> at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:42)
>> at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:1010)
>> at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:628)
>> at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1788)
>> ... 7 more
>> Did not get all the way through the batch! -1 != 60413179java.lang.RuntimeException: Error in loader job: null, check logs: Error: java.lang.RuntimeException: No entries provisioned. Batch-Start failed: LDAP problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130
>> ^@]; remaining name 'cn=penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors,OU=Grouper,OU=LocalAuth,DC=kite,DC=upenn,DC=edu'
>> at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1792)
>> at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:74)
>> at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
>> at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:638)
>> at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465)
>> at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>> at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
>> Caused by: edu.internet2.middleware.grouper.pspng.PspException: LDAP problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00002082: AtrErr: DSID-03151817, #1:
>> 0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), , threadId: 23, elapsed: 14521 ms
>
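Added illustration, not code from Grouper/PSPNG or from anyone in this thread: it shows the two ways the thread discusses of staying under AD's 64-character DN-component limit. A bushy DN is built the way utils.bushyDn is described (extension as the cn, parent stems as ou components; how PSPNG itself implements this is an assumption here), each path component is checked against the limit before anything is sent to AD, and a flat cn gets Bert's fallback of the first 59 characters plus a dash and a few hex digits of a hash of the full value. SHA-256, four hex digits, the base DN and the RFC 4514 escaping are this example's choices; the group name is the one from Chris's error message.

```python
"""Added example (not PSPNG code): bushy DN construction, a pre-provisioning
check of every DN component against AD's 64-character limit, and the
truncate-plus-hash fallback for flat cn values described in the thread."""
import hashlib

AD_COMPONENT_MAX = 64   # limit on cn / DN components discussed in the thread

# Characters RFC 4514 requires escaping inside an RDN attribute value.
_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def bushy_dn(group_name: str, rdn_attr: str = "cn", stem_attr: str = "ou",
             base_dn: str = "dc=example,dc=edu") -> str:
    """Build a bushy DN: 'a:b:c' -> 'cn=c,ou=b,ou=a,<base_dn>'.
    This mirrors the behaviour the thread describes for utils.bushyDn; it is
    a reimplementation for illustration, not PSPNG's own code."""
    parts = group_name.split(":")
    rdns = [f"{rdn_attr}={escape_rdn_value(parts[-1])}"]
    rdns += [f"{stem_attr}={escape_rdn_value(stem)}" for stem in reversed(parts[:-1])]
    return ",".join(rdns + [base_dn])


def oversize_components(group_name: str, limit: int = AD_COMPONENT_MAX) -> list:
    """Return the path components that would exceed AD's limit as DN
    components. An empty list means the bushy DN is safe to provision; a
    non-empty one is what a provisioner should log and skip rather than
    retry forever."""
    return [p for p in group_name.split(":") if len(p) > limit]


def shorten_cn(value: str, limit: int = AD_COMPONENT_MAX,
               keep: int = 59, hash_chars: int = 4) -> str:
    """Bert's scheme: keep the first 59 characters, then '-' plus a few hex
    digits of a hash of the whole value, so distinct long names stay distinct.
    SHA-256 and 4 hex digits are this example's assumptions; the thread does
    not say which hash or how many digits are used at GT."""
    if len(value) <= limit:
        return value
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()
    return f"{value[:keep]}-{digest[:hash_chars]}"


def flat_cn(group_name: str) -> str:
    """Flat (non-bushy) cn with the path reversed so the most specific part
    comes first (Bert's footnote), then shortened if it exceeds the limit."""
    reversed_path = ":".join(reversed(group_name.split(":")))
    return shorten_cn(reversed_path)


# Constructed sample: the group name from the error message in the thread.
SAMPLE_GROUP = "penn:isc:ait:apps:atlassian:groupsConfluence:pcom11g_contributors"

if __name__ == "__main__":
    print("flat cn length:", len(SAMPLE_GROUP), "(limit", AD_COMPONENT_MAX, ")")
    print("bushy dn:", bushy_dn(SAMPLE_GROUP))
    print("oversize components:", oversize_components(SAMPLE_GROUP))
    print("shortened flat cn:", flat_cn(SAMPLE_GROUP))
```

Run as-is, the sample group is over the limit as a flat cn but every one of its bushy components is well under it, which is the point Chris and Michael make; the shortened flat cn comes out at exactly 64 characters. The check in oversize_components is the place to hook the "log it, don't provision, move on" behaviour Chris asks for, since a component longer than 64 cannot be fixed by retrying.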