Grouper Users - Open Discussion List

[Shilen Patel <>]

My example was using an LDAP – maxPageSize is supported there.   Though I noticed a possible problem but perhaps not the problem you’re seeing.

 

When using LDAP with a maxPageSize (in subject.properties) of 10 and I search for “joh”, three queries are sent to my LDAP server. 

 

The first is a findById, which would be based on the query you have configured for subjectApi.source.example.search.searchSubject.param.filter.value.  But the UI appends an asterisk to the query (joh*) and doesn’t use a size limit here.  So the LDAP server may return everyone with a NetID starting with “joh”, which could be more than the page size.  However, since a findById isn’t supposed to return multiple results, an exception is thrown and the results are basically ignored. 

 

The second is a findPage, which does set the size limit correctly and only returns maxPage + 1 results.  And this is what appears in the search results in the UI.  And for me, this part is working correctly.  But it sounds like you’re saying that you’re getting all 14k results here instead of 100?  Do you have access to your ldap logs in case that explains what is happening there?  And looking at a sanitized copy of subject.properties might help too.  I’m assuming you’ve also verified that your subject.properties is the same between gsh, ui, etc.

 

Thanks!

 

- Shilen

 

From: "Crawford, Jeffrey" <>
Date: Wednesday, September 4, 2019 at 10:41 AM
To: Shilen Patel <>
Cc: Daniel Burtenshaw <>, Grouper-Users <>, Jeffrey Williams <>, Greg Haverkamp <>
Subject: Re: [grouper-users] [Ext] Re: pspng ldapSearchResultPagingSize doesn't seem to do anything

 

I’m pretty much getting the entire list back, something like 14k when I search for “lee”. However this is on the LDAP config, I’m noticing the two elements only show up on the JDBC config and not on the LDAP config example, is it just not supported there?

 

Jeffrey C.

 

From: Shilen Patel <>
Date: Wednesday, September 4, 2019 at 6:14 AM
To: "Crawford, Jeffrey" <>
Cc: Daniel Burtenshaw <>, Grouper Users <>, Jeffrey Williams <>, Greg Haverkamp <>
Subject: Re: [grouper-users] [Ext] Re: pspng ldapSearchResultPagingSize doesn't seem to do anything

 

In my subject.properties, I set the following:

 

subjectApi.source.example.param.maxPageSize.value = 10

 

(my source id was “example”)

 

Then when I go to the UI and click on Add Members and type in a value (e.g. “joh”), it would typically return hundreds of results but the search box only shows 11 (1 more than the page size).

 

The ldap logs show this as well.

 

[04/Sep/2019:09:05:14 -0400] conn=32305 op=10 RESULT err=4 tag=101 nentries=11 etime=0

 

I’m curious what you’re seeing?

 

Thanks!

 

- Shilen

 

 

From: <> on behalf of "Crawford, Jeffrey" <>
Reply-To: "Crawford, Jeffrey" <>
Date: Tuesday, September 3, 2019 at 6:15 PM
To: Greg Haverkamp <>
Cc: Daniel Burtenshaw <>, Grouper-Users <>, Jeffrey Williams <>
Subject: Re: [grouper-users] [Ext] Re: pspng ldapSearchResultPagingSize doesn't seem to do anything

 

I’ve gotten further, but there seems to be multiple places to configure these things. I got the main paging setup in grouper-loader.properties by using:

ldap.personLdap.pagedResultsSize = 1000

 

However I want to limit the search to < 1000 entries in the search box, I’ve tried the following in the subject.properties file but it’s not working:

subjectApi.source.ldap.param.maxResults.value = 1000

subjectApi.source.ldap.param.maxPageSize.value = 100

 

Should the above work?

Jeffrey C.

 

From: <> on behalf of "Crawford, Jeffrey" <>
Reply-To: "Crawford, Jeffrey" <>
Date: Friday, August 30, 2019 at 4:57 PM
To: Greg Haverkamp <>
Cc: Daniel Burtenshaw <>, Grouper Users <>, Jeffrey Williams <>
Subject: Re: [grouper-users] [Ext] Re: pspng ldapSearchResultPagingSize doesn't seem to do anything

 

So this is what I’ve done now, but still paging only 100. The LDAP loader isn’t paging at all. I also tried “batchSize” since it was one of the examples but that didn’t work either.

 

ldap.personLdap.url = ldaps://ldap.iam.ucla.edu:636

ldap.personLdap.user = uid=svcacct, ou=edimi consumers, dc=edtest, dc=ucla, dc=edu

ldap.personLdap.pass = /path/to/encryptedLDAP.pass

ldap.personLdap.tls = false

ldap.personLdap.searchResultPagingEnabled = true

ldap.personLdap.searchResultPagingSize = 1000

 

 

 

From: Greg Haverkamp <>
Date: Thursday, August 29, 2019 at 1:18 PM
To: "Crawford, Jeffrey" <>
Cc: Daniel Burtenshaw <>, Grouper Users <>, Jeffrey Williams <>
Subject: Re: [Ext] Re: [grouper-users] pspng ldapSearchResultPagingSize doesn't seem to do anything

 

I assume when you put it in your personLdap you changed it from ldapSearchResultPagingSize to just searchResultPagingSize?

 

The former, as I noted, appears nowhere in the code. (You can go to GitHub and search to confirm.) The latter does, with the code I quoted sending what should be read from your ldap config, or sending the default if it’s not there.

 

I think the documentation is simply wrong.  If you find that you can make it work, you might correct it.  :)

 

Greg

 

On Thu, Aug 29, 2019 at 1:13 PM Crawford, Jeffrey <> wrote:

Humm, I tried that too, seems to have been ignored by pspng, also on this page it’s listed as an option:

https://spaces.at.internet2.edu/display/Grouper/Grouper+Provisioning:+PSPNG

 

but it seems to have a default so I wonder if the code is “resetting” it.

 

From: Daniel Burtenshaw <>
Date: Thursday, August 29, 2019 at 1:06 PM
To: Greg Haverkamp <>, "Crawford, Jeffrey" <>
Cc: Grouper Users <>, Jeffrey Williams <>
Subject: RE: [Ext] Re: [grouper-users] pspng ldapSearchResultPagingSize doesn't seem to do anything

 

I think that Greg is correct, I’ve used it with success in the ldap connection settings rather than the changelog.consumer settings, so something like:

 

                ldap.personLdap.pagedResultsSize = 1000

 

should work.

 

From: <> On Behalf Of Greg Haverkamp
Sent: Thursday, August 29, 2019 1:48 PM
To: Crawford, Jeffrey <>
Cc: Grouper-Users <>; Jeffrey Williams <>
Subject: [Ext] Re: [grouper-users] pspng ldapSearchResultPagingSize doesn't seem to do anything

 

WARNING: Stop. Think. Read. This is an external email.

I think you want it in your personLdap configuration.  Unless I botched the search, “ldapSearchResultPagingSize” doesn’t exist anywhere in the Grouper repo (in master).

 

However, it does appear to pull the searchResultPagingSize in LdapSystem.java:

  public int getSearchResultPagingSize() {

    Object searchResultPagingSize = getLdaptiveProperties().get("org.ldaptive.searchResultPagingSize");

    return GrouperUtil.intValue(searchResultPagingSize, searchResultPagingSize_default_value);

  }

 

And getLdaptiveProperties should pull that in from your ldap.personLdap.* properties.

 

Greg

 

 

On Thu, Aug 29, 2019 at 11:42 AM Crawford, Jeffrey <> wrote:

The following is what we have, but it’s pretty simple:

 

ldap.personLdap.url = "ldaps://ldap.iam.ucla.edu:636

ldap.personLdap.user = uid=ldappc, dc=some, dc=path

ldap.personLdap.pass = /opt/grpr/grouper.apiBinary/conf/encryptedLDAP.pass

ldap.personLdap.tls = false

ldap.personLdap.countLimit = 1000

ldap.personLdap.timeLimit = 5000

 

From: Jeffrey Williams <>
Date: Thursday, August 29, 2019 at 9:51 AM
To: "Crawford, Jeffrey" <>
Cc: Grouper Users <>
Subject: Re: [grouper-users] pspng ldapSearchResultPagingSize doesn't seem to do anything

 

Can we see your personLdap config?

On Thu, Aug 29, 2019, 11:59 AM Crawford, Jeffrey <> wrote:

I have the following entry in our pspng config, I noticed that on FullSyncer it pages at 100 elements, our system performs better at 1000 so I tried setting the page size, but the LDAP logs still show that it’s paging at 100.

 

Am I using the parameter correctly?

 

changeLog.consumer.pspng_entitlement.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_entitlement.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner

changeLog.consumer.pspng_entitlement.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_entitlement.retryOnError = true

changeLog.consumer.pspng_entitlement.ldapPoolName = personLdap

changeLog.consumer.pspng_entitlement.provisionedAttributeName = eduPersonEntitlement

changeLog.consumer.pspng_entitlement.provisionedAttributeValueFormat = urn:mace:ucla.edu:entitlement${group.name.replaceAll("^ucla(?::org)?(.*:)app:(.*)$", "$1$2").replaceFirst(":entitlement:",":")}

changeLog.consumer.pspng_entitlement.userSearchBaseDn = ou=people,dc=ucla,dc=edu

changeLog.consumer.pspng_entitlement.userSearchFilter = uclaPPID=${subject.id}

changeLog.consumer.pspng_entitlement.ldapSearchResultPagingSize = 1000

changeLog.consumer.pspng_entitlement.userSearchAttributes = dn,cn,uid,mail,samAccountName,uidNumber,objectClass,uclaPPID

 

Thanks

Jeffrey Crawford