Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] AD Provisioning not working on delete

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] AD Provisioning not working on delete


Chronological Thread 
    < Chronological >      < Thread >
  • From: "Hyzer, Chris" <>
  • To: Oliver Trieu <>, "" <>
  • Subject: RE: [grouper-users] AD Provisioning not working on delete
  • Date: Mon, 21 Oct 2019 15:28:58 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=isc.upenn.edu; dmarc=pass action=none header.from=isc.upenn.edu; dkim=pass header.d=isc.upenn.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2aFDfGChxpwkuy2uH4o6JEj/PgBtw3sc8SG5RFlSe70=; b=YtUXezVl/BaqgjGQLY8ZH32ux1/CqMcycE+pMSnvzAUCz/tldUTiRovcvz/M35amBYaAlkP/SSo/EH9ojoFQpSMuEprzeNn3Mz0W8gy1d2Xj1+LLRjgh+JxRnDALtmhidjqp0KZspAOn0NkUyAl9OAqzKEP4iXa8IMqSQyGE3Yjd4/u7p/f9gQwhAq0gn8zau5Lbqk4RdC+Axy8uFgo1rL9Re2VXyKVvn3qsdP1QDNcymaPC05fSC/s0Uxea2llJa9CoU5/U7skSSV0b8zLtvWWHJ4VngtmKyt2CV+ShY59hWnQgf02bjv8Wdqy+aRprksonrcNlQYAlazSalBFOXA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=h9/+ydSREMQbiKEJqWAFfew+VV3iLpuPFW/Zy9ycMDEgA17Ud50S5TfZBM8SzE9ir6IHgeGdH+DLP9yJ0G518v7QCUHmt3X9uk+CpL/WothdKq/0QzOx/qyTCRLPC9subFpUnLltHsGWowmvV+VsQBu9JVkDUSsKFpoAZgFjlenLc7YNlwl+9oCsRvtRSaKIyOQpceKT/UNuFsDCMeByyJRdv+vir7UWEV7uw/2+2uzTnLlZ5Xw89exXULeYTcugmez/+oR3t6YQkuDQreTDTJi49wvwVZVHMafRcUi0JYLQ84q21MvLgc466Rm9foYRpmmy8itfB1NhF1NiJ24oNQ==
Can you please confirm which patches you have installed?

-----Original Message-----
From:
<> On Behalf Of Oliver Trieu
Sent: Thursday, October 17, 2019 4:13 AM
To:
Subject: [grouper-users] AD Provisioning not working on delete

Hi fellow Grouper Users,


i have the grouper 2.4.0 up and running provisioning into our Microsoft
AD server.

The provisioning of new Groups works just fine, but when i delete the
new group it does NOT get deleted in the AD.

Somehow grouper thinks it did not provision the group and thus does not
delete it.

What could be the cause of this issue?

Here is the log-snippet to show the problem:

2019-10-16 11:31:00 INFO  Starting provisioning batch of 1 items
2019-10-16 11:31:00 INFO  Information cached before
2019-10-16T11:30:04.881+02:00 will be ignored
2019-10-16 11:31:00 INFO  LDAP search returned 0 entries
2019-10-16 11:31:00 INFO  Creating LDAP group for GrouperGroup:
...:NEW_GROUP/#12110(Existing)
2019-10-16 11:31:00 INFO  pspng_activedirectory: Creating LDAP object:
cn=NEW_GROUP,ou=...
2019-10-16 11:31:00 INFO  pspng_activedirectory: Checking for (and
creating) missing OUs in DN: cn=NEW_GROUP,ou=... (wholeDnIsOu=false)
2019-10-16 11:31:00 INFO  active_directory: Creating LDAP object Entry
Summary: dn=cn=NEW_GROUP,ou=...|1 cn values|2 objectclass values|
2019-10-16 11:31:00 INFO  LDAP search returned 1 entries
2019-10-16 11:31:00 INFO  Work item handled:
ProvisioningWorkItem[done=true,successful=true,msg=Group
...l:NEW_GROUP/#12110(Existing) already exists,clog=clog #2071223 /
ChangeLog type: group: addGroup,group=..:NEW_GROUP]

2019-10-16 11:31:00 INFO  Provisioning batch summary: 3 successes/0
failures. Duration=00.788s

Now it is provisioned but when i delete the same object:

2019-10-16 11:40:00 INFO  pspng_activedirectory: +processChangeLogEntries(1)
2019-10-16 11:40:00 WARN  Unable to refresh object from database,
probably because it has been deleted:
Group[name=...:NEW_GROUP,uuid=3221ae657f2b4666b008e40086d8350d]
2019-10-16 11:40:00 WARN  Work item handled:
ProvisioningWorkItem[done=true,successful=true,msg=Ignoring work item
because (deleted) group was not provisioned before it was
deleted,clog=clog #2071225 / ChangeLog type: group:
deleteGroup,group=...:NEW_GROUP]
2019-10-16 11:40:00 INFO  pspng_activedirectory: 0 work items need to be
processed further
2019-10-16 11:40:00 INFO  Starting provisioning batch of 0 items
2019-10-16 11:40:00 INFO  Information cached before null will be ignored
2019-10-16 11:40:00 INFO  Provisioning batch summary: 1 successes/0
failures. Duration=00.005s

Grouper decides to not delete it!


I have a similar issue with Folders where grouper will only provision
the folder if i create a group in that folder and deleting the folder
will not provision the delete to the AD.

A full sync however will bring the groups in sync but not the folders ...


Kind Regards


Oliver


PS: here is my grouper-loader config for the AD Provisioner:

changeLog.consumer.pspng_activedirectory.class =
edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_activedirectory.type =
edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_activedirectory.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_activedirectory.ldapPoolName = active_directory
changeLog.consumer.pspng_activedirectory.isActiveDirectory = true
changeLog.consumer.pspng_activedirectory.grouperIsAuthoritative = true
changeLog.consumer.pspng_activedirectory.memberAttributeName = member
changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat =
${ldapUser.getDn()}
changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = ou=...
changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter =
objectclass=group
changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter =
(&(objectclass=group)(cn=${grouperUtil.extensionFromName(group.name)}))
changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn:
${utils.bushyDn(group.name, "cn", "ou")}||cn:
${grouperUtil.extensionFromName(group.name)}||objectclass:
group||objectclass: top
changeLog.consumer.pspng_activedirectory.userSearchBaseDn = ou=...
changeLog.consumer.pspng_activedirectory.userSearchFilter =
samAccountName=${subject.id}


--
Oliver Trieu
Managed Services
Server and Data Management

Universität Wien
Zentraler Informatikdienst
Universitätsstrasse 7, 1010 Wien

T +43-1-4277-14161
M: +43-664-60277-14161

zid.univie.ac.at


Archive powered by MHonArc 2.6.19.

Top of Page