grouper-users - [grouper-users] AD Provisioning not working on delete

Subject: Grouper Users - Open Discussion List

  • From: Oliver Trieu <>
  • To:
  • Subject: [grouper-users] AD Provisioning not working on delete
  • Date: Thu, 17 Oct 2019 10:12:55 +0200
  • Organization: University of Vienna

Hi fellow Grouper Users,


I have Grouper 2.4.0 up and running, provisioning into our Microsoft AD server.

The provisioning of new groups works just fine, but when I delete the new group it does NOT get deleted in the AD.

Somehow Grouper thinks it did not provision the group and thus does not delete it.

What could be the cause of this issue?

Here is the log-snippet to show the problem:

2019-10-16 11:31:00 INFO  Starting provisioning batch of 1 items
2019-10-16 11:31:00 INFO  Information cached before 2019-10-16T11:30:04.881+02:00 will be ignored
2019-10-16 11:31:00 INFO  LDAP search returned 0 entries
2019-10-16 11:31:00 INFO  Creating LDAP group for GrouperGroup: ...:NEW_GROUP/#12110(Existing)
2019-10-16 11:31:00 INFO  pspng_activedirectory: Creating LDAP object: cn=NEW_GROUP,ou=...
2019-10-16 11:31:00 INFO  pspng_activedirectory: Checking for (and creating) missing OUs in DN: cn=NEW_GROUP,ou=... (wholeDnIsOu=false)
2019-10-16 11:31:00 INFO  active_directory: Creating LDAP object Entry Summary: dn=cn=NEW_GROUP,ou=...|1 cn values|2 objectclass values|
2019-10-16 11:31:00 INFO  LDAP search returned 1 entries
2019-10-16 11:31:00 INFO  Work item handled: ProvisioningWorkItem[done=true,successful=true,msg=Group ...l:NEW_GROUP/#12110(Existing) already exists,clog=clog #2071223 / ChangeLog type: group: addGroup,group=..:NEW_GROUP]

2019-10-16 11:31:00 INFO  Provisioning batch summary: 3 successes/0 failures. Duration=00.788s

Now it is provisioned, but when I delete the same object:

2019-10-16 11:40:00 INFO  pspng_activedirectory: +processChangeLogEntries(1)
2019-10-16 11:40:00 WARN  Unable to refresh object from database, probably because it has been deleted: Group[name=...:NEW_GROUP,uuid=3221ae657f2b4666b008e40086d8350d]
2019-10-16 11:40:00 WARN  Work item handled: ProvisioningWorkItem[done=true,successful=true,msg=Ignoring work item because (deleted) group was not provisioned before it was deleted,clog=clog #2071225 / ChangeLog type: group: deleteGroup,group=...:NEW_GROUP]
2019-10-16 11:40:00 INFO  pspng_activedirectory: 0 work items need to be processed further
2019-10-16 11:40:00 INFO  Starting provisioning batch of 0 items
2019-10-16 11:40:00 INFO  Information cached before null will be ignored
2019-10-16 11:40:00 INFO  Provisioning batch summary: 1 successes/0 failures. Duration=00.005s

Grouper decides to not delete it!


I have a similar issue with folders, where Grouper will only provision the folder if I create a group in that folder, and deleting the folder will not provision the delete to the AD.

A full sync however will bring the groups in sync but not the folders ...


Kind Regards


Oliver


PS: here is my grouper-loader config for the AD Provisioner:

changeLog.consumer.pspng_activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_activedirectory.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_activedirectory.ldapPoolName = active_directory
changeLog.consumer.pspng_activedirectory.isActiveDirectory = true
changeLog.consumer.pspng_activedirectory.grouperIsAuthoritative = true
changeLog.consumer.pspng_activedirectory.memberAttributeName = member
changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = ou=...
changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = objectclass=group
changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter = (&(objectclass=group)(cn=${grouperUtil.extensionFromName(group.name)}))
changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name, "cn", "ou")}||cn: ${grouperUtil.extensionFromName(group.name)}||objectclass: group||objectclass: top
changeLog.consumer.pspng_activedirectory.userSearchBaseDn = ou=...
changeLog.consumer.pspng_activedirectory.userSearchFilter = samAccountName=${subject.id}


--
Oliver Trieu
Managed Services
Server and Data Management

Universität Wien
Zentraler Informatikdienst
Universitätsstrasse 7, 1010 Wien

T +43-1-4277-14161
M: +43-664-60277-14161

zid.univie.ac.at
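
An added example, not part of the original post and not Grouper code: a Python script that scans a PSPNG log in the format quoted above for deleteGroup work items that were ignored, and records whether the same log shows an earlier successful addGroup for that group, so the affected groups can be checked in AD. The sample lines and group names are constructed.

```python
import re

# Matches "Work item handled" lines in the format shown in the post.
WORK_ITEM = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<level>[A-Z]+) +"
    r"Work item handled: ProvisioningWorkItem\[done=(?P<done>\w+),"
    r"successful=(?P<ok>\w+),msg=(?P<msg>.*),clog=clog #(?P<clog>\d+) / "
    r"ChangeLog type: group: (?P<type>\w+),group=(?P<group>[^\]]+)\]\s*$"
)
SKIP_MARKER = "was not provisioned before it was deleted"

# Constructed sample modelled on the post's log lines (group names are made up).
SAMPLE_LOG = """\
2019-10-16 11:31:00 INFO  Work item handled: ProvisioningWorkItem[done=true,successful=true,msg=Group test:NEW_GROUP/#12110(Existing) already exists,clog=clog #2071223 / ChangeLog type: group: addGroup,group=test:NEW_GROUP]
2019-10-16 11:31:00 INFO  Provisioning batch summary: 3 successes/0 failures. Duration=00.788s
2019-10-16 11:40:00 WARN  Work item handled: ProvisioningWorkItem[done=true,successful=true,msg=Ignoring work item because (deleted) group was not provisioned before it was deleted,clog=clog #2071225 / ChangeLog type: group: deleteGroup,group=test:NEW_GROUP]
2019-10-16 11:45:00 WARN  Work item handled: ProvisioningWorkItem[done=true,successful=true,msg=Ignoring work item because (deleted) group was not provisioned before it was deleted,clog=clog #2071230 / ChangeLog type: group: deleteGroup,group=test:NEVER_SEEN]
"""


def find_skipped_deletes(log_text):
    """Return ignored deleteGroup work items; add_clog is the change log id of an
    earlier successful addGroup for the same group in this log, or None."""
    created = {}  # group name -> clog id of the successful addGroup
    findings = []
    for line in log_text.splitlines():
        m = WORK_ITEM.match(line)
        if not m:
            continue  # not a work-item line (batch summaries, LDAP messages, ...)
        group = m["group"]
        if m["type"] == "addGroup" and m["ok"] == "true":
            created[group] = int(m["clog"])
        elif m["type"] == "deleteGroup" and SKIP_MARKER in m["msg"]:
            findings.append({
                "group": group,
                "time": m["ts"],
                "delete_clog": int(m["clog"]),
                "add_clog": created.pop(group, None),
            })
    return findings


if __name__ == "__main__":
    for f in find_skipped_deletes(SAMPLE_LOG):
        note = "created earlier in this log" if f["add_clog"] else "no addGroup in this log"
        print(f'{f["time"]} {f["group"]} delete clog #{f["delete_clog"]}: {note}')
```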



