grouper-users - RE: [grouper-users] Error when provisioning to AD
Subject: Grouper Users - Open Discussion List
List archive
- From: "Coleman, Erik C" <>
- To: "Poddar, Amit" <>, "Hyzer, Chris" <>, "" <>
- Subject: RE: [grouper-users] Error when provisioning to AD
- Date: Tue, 20 Aug 2019 14:06:22 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=illinois.edu; dmarc=pass action=none header.from=illinois.edu; dkim=pass header.d=illinois.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TXKeuDrMTdvm2xyp7cgKlR8i0yHoBp4+6p9blURz8lM=; b=P2I9mzk23fXOZKwQaT5bKv35IS5UAqJeOvMc68SJrQ6D8Wc0y3BEc5aiRnkprPrxcdgDbeHpPNR8PVJUJVh9oZQrvvOlcJWuuBM50qAdpL9Cyb9L1Vd/xZO3IyiO6Iv1/CbeYEo7LiSROYkdrfTEBc+pAb9fGxghzYd81+Gw6Dm6p7eNDz0IyXQsOlApVIhS7wmrVSR3OyqOkjSAa1+ptPx2Hs74kwPO5jr9o3ENJRg7gbUOuYRzf/7hmw7xtwzXrOFdQ7K5z1Dvu5xUZOO4ZcWIrY8AaDzXR0oBy4UYOwn2kaXGIa1lRP2LzEKUORo54wE88cKu6XT7AlQpGc4CJg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Exv399WmNRVI97VClEABcgLB1SIVNYcn+3iMfqZzyYJAODyFqn+1QJM449gyoM03dHd02AL/bOjkejY4d06eCNMxlvklIwBWUFvHooyr+SGXGoWRDU9ma23IDZf8MKLg4ZImm2/Xp1sd0QAV5Ku+l8yLkdAZmAeHwvLaZtzBa5fs8qny7efJM5JN/RFnVXEesUIfjwD0lbQ4kKF0L2xRzo1XOjpqseZzvjRf6JHWeK5qFImwse595AMWT3NSSlIPpno33V2QgvWl+zVoRsAJTfp1gba+Ho7Txfue8+F4uLkrGhFDR23RNzCCY4orQDt2R6IT5Yjxcx8REGvdLsqu1Q==
|
Chris H.,
I will need a Docker image containing patch 9. We just updated the image in our test environment that includes up to pspng patch 8, so I am going to at least test patch 8 this week too.
-Erik
From: Poddar, Amit <>
I will test it over next few days From: Hyzer, Chris <>
grouper_v2_4_0_pspng_patch_9 is released. Any chance someone can see if it addresses the issue? Do you need this in docker before trying? Its not quite there:
GRP-2272: Fix when PSPNG logs errors about FullSync messages GRP-2275: NullPointerException in LdapProvisioner GRP-2274: JEXL Variables: add groupId and make more consistent
There will be one more API patch that fixes 2273 too
Thanks Chris
From: <>
On Behalf Of Poddar, Amit
Erik,
Was this ever resolved? so far I have rolled back to PSPNG patch 3 and probably cannot apply any PSPNG patch till this is resolved.
Thanks, Amit From: Poddar, Amit <>
Hi,
Its PSPNG 2.4 patch 4 that breaks the provisioning From: Coleman, Erik C <>
I’m building Grouper in Docker containers. After scouring build logs, I have narrowed down (slightly) the patch revision differences between when it was working and not working:
2.4.0-a32-u15-w5-p3-20190314-rc1 (working) 2.4.0-a32-u23-w5-p6-20190501-rc1 (not working)
I did not deploy any docker image revisions in between these two. So it seems like PSPNG patches 4, 5 or 6 may be suspect. Bert, can you speak to these patch revisions and this particular issue?
Thanks, Erik
From: Poddar, Amit <>
From: Coleman, Erik C <>
Yes, this was working in 2.4, and it has since stopped working.
-Erik
From: Poddar, Amit <>
You had the erorrs in 2.4 also?
Amit From: Coleman, Erik C <>
Exact same error I was reporting a couple days ago! (See “JEXL syntax with PSPNG filters”) Glad it’s not just me! 😊
However, in your case, you are using the attribute value “Netid”, I’m assuming that this is configured in your subject.properties as a user attribute? I’m doing the same thing, but happen to keep its name “sAMAccountName” in my subject config. But it looks like we are hitting the same JEXL error.
-Erik
From: <>
On Behalf Of Poddar, Amit
Hi,
After upgrading from Grouper 2.3 to Grouper 2.4 with all the latest patches, PSPNG provisioning to AD has started failing. The error message in the log file is.
2019-07-14 18:06:01,138: [TSUserFetcher-pspng_activedirectory-full-1] ERROR Provisioner.evaluateJexlExpression(746) - - Jexl _expression_ UserSearchFilter 'sAMAccountName=${subject.getAttributeValue("Netid")}' could not be evaluated for subject ''11452412'/'person'/'sourceId'/null' and group 'null/null' which used variableMap '{userSearchBaseDn=dc=yu,dc=yale,dc=net, provisionerType=LdapGroupProvisioner, groupCreationBaseDn=OU=Test,OU=YaleGroups,DC=yu,DC=yale,DC=net, , subject='11452412'/'person'/'sourceId', provisionerName=pspng_activedirectory, groupSearchBaseDn=OU=Test,OU=YaleGroups,DC=yu,DC=yale,DC=net}' java.lang.RuntimeException: Error substituting string: '${subject.getAttributeValue("Netid")}' at edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguage(GrouperUtil.java:9483) at edu.internet2.middleware.grouper.pspng.Provisioner.evaluateJexlExpression(Provisioner.java:702) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.getUserLdapFilter(LdapProvisioner.java:283) at edu.internet2.middleware.grouper.pspng.LdapProvisioner.fetchTargetSystemUsers(LdapProvisioner.java:211) at edu.internet2.middleware.grouper.pspng.Provisioner.fetchTargetSystemUser(Provisioner.java:1135) at edu.internet2.middleware.grouper.pspng.Provisioner$2.call(Provisioner.java:855) at edu.internet2.middleware.grouper.pspng.Provisioner$2.call(Provisioner.java:841) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: org.apache.commons.jexl2.JexlException: ]: 'subject.getAttributeValue('Netid');' method invocation error at org.apache.commons.jexl2.Interpreter.call(Interpreter.java:1076) at org.apache.commons.jexl2.Interpreter.visit(Interpreter.java:1100) at org.apache.commons.jexl2.parser.ASTMethodNode.jjtAccept(ASTMethodNode.java:18) at org.apache.commons.jexl2.Interpreter.visit(Interpreter.java:1317) at org.apache.commons.jexl2.parser.ASTReference.jjtAccept(ASTReference.java:18) at org.apache.commons.jexl2.Interpreter.interpret(Interpreter.java:232) at org.apache.commons.jexl2.ExpressionImpl.evaluate(ExpressionImpl.java:65) at edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguage(GrouperUtil.java:9434) ... 10 more Caused by: java.lang.IllegalStateException: There is no open GrouperSession detected. Make sure to start a grouper session (e.g. GrouperSession.startRootSession() if you want to use a root session ) before calling this method at edu.internet2.middleware.grouper.GrouperSession.staticGrouperSession(GrouperSession.java:1150) at edu.internet2.middleware.grouper.GrouperSession.staticGrouperSession(GrouperSession.java:1098) at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.find(SourcesXmlResolver.java:316) at edu.internet2.middleware.grouper.subj.CachingResolver.find(CachingResolver.java:143) at edu.internet2.middleware.grouper.subj.ValidatingResolver.find(ValidatingResolver.java:105) at edu.internet2.middleware.grouper.SubjectFinder.findByIdAndSource(SubjectFinder.java:504) at edu.internet2.middleware.grouper.subj.LazySubject.getSubject(LazySubject.java:215) at edu.internet2.middleware.grouper.subj.LazySubject.getAttributeValue(LazySubject.java:139)
Any help would be greatly appreciated, since this is the only issue holding us up before production upgrade.
Thanks, Amit |
- Re: [grouper-users] Error when provisioning to AD, Poddar, Amit, 08/18/2019
- RE: [grouper-users] Error when provisioning to AD, Hyzer, Chris, 08/19/2019
- Re: [grouper-users] Error when provisioning to AD, Poddar, Amit, 08/19/2019
- RE: [grouper-users] Error when provisioning to AD, Coleman, Erik C, 08/20/2019
- Re: [grouper-users] Error when provisioning to AD, Poddar, Amit, 08/20/2019
- RE: [grouper-users] Error when provisioning to AD, Hyzer, Chris, 08/20/2019
- Re: [grouper-users] Error when provisioning to AD, Poddar, Amit, 08/19/2019
- RE: [grouper-users] Error when provisioning to AD, Hyzer, Chris, 08/19/2019
Archive powered by MHonArc 2.6.19.