grouper-users - Re: [grouper-users] AD Provisioning not working on delete
Subject: Grouper Users - Open Discussion List
List archive
- From: Jeffrey Williams <>
- To: Oliver Trieu <>
- Cc: "Hyzer, Chris" <>, Grouper-Users <>
- Subject: Re: [grouper-users] AD Provisioning not working on delete
- Date: Tue, 10 Dec 2019 11:37:22 -0600
Dear Grouper Users,
To solve my problem I download the grouper source-code and attached a remote debugger to my grouper instance to see where the problem is.
Here are my findings:
In the class "edu.internet2.middleware.grouper.pspng.Provisioner" the variable "selectedGroups" contains all groups selected for provisioning and on each action,
before they are sent to the actual LDAP-Provisioner a check is being made if your group is in the "selectedGroups".
If it isnt in the selectedGroups you get the famous message "Ignoring work item because (deleted) group was not provisioned before it was deleted"
Here is the code snippet (function filterWorkItems):
if ( group.hasGroupBeenDeleted() && !selectedGroups.get().contains(group) ) {
workItem.markAsSkippedAndWarn("Ignoring work item because (deleted) group was not provisioned before it was deleted");
continue;
}As you can see a deleted group will be skipped if it is not contained in the selectedGroups set.
The function "processAnyChangesInGroupSelection" is used to update this group-cache in the "selectedGroups".
However this method is not called when a new group is created, even if it should be in the "selectedGroups" (because it is actually provisioned as you can see in my log snippets from my previous message).
I dont see any check for this in the code.
The function "provisionItem" will check for this:
if ( workItem.matchesChangelogType(ChangelogHandlingConfig.changelogTypesThatAreHandledIncrementally) ) {
processIncrementalSyncEvent(workItem);
return;
}
if ( workItemMightChangeGroupSelection(workItem) ) {
processAnyChangesInGroupSelection(workItem);
}
Incremental handling is used for the following types:
ChangeLogTypeBuiltin.GROUP_ADD,
ChangeLogTypeBuiltin.GROUP_DELETE,
ChangeLogTypeBuiltin.MEMBERSHIP_ADD,
ChangeLogTypeBuiltin.MEMBERSHIP_DELETE)
So Group-Add and Group-Delete will only trigger an incremental sync not updating the seletedGroups cache (which thus does not yet contain our newly created or deleted group...).
I also found out why it sometimes works!
If you alter any attribute the cache is rebuilt. Also a restart will rebuild the cache and then the delete will work too.
The following change log types will trigger a rebuild of the selectedGroups Set:
ChangeLogTypeBuiltin.ATTRIBUTE_ASSIGN_ADD,
ChangeLogTypeBuiltin.ATTRIBUTE_ASSIGN_DELETE,
ChangeLogTypeBuiltin.ATTRIBUTE_ASSIGN_VALUE_ADD,
ChangeLogTypeBuiltin.ATTRIBUTE_ASSIGN_VALUE_DELETE,
ChangeLogTypeBuiltin.GROUP_UPDATE,
ChangeLogTypeBuiltin.STEM_UPDATE
How is that supposed to work or am i missing an important point here?
Kind Regards
Oliver
On 10/24/19 3:08 AM, Jeffrey Williams wrote:
Hi Oliver,
That is all good information you've provided, including that it is not consistently having the issue. I'm still looking at your logs and wanted to ask about the URL that Grouper uses to point to AD. If it's not pointed to a single DC or a pool that balanced active/standby, can you point it to a single DC and see if the error continues?
I don't believe that this will resolve the issue, I wanted to make a side note: Searching by CN and objectClass is fine if you're provisioning flat and CN: ${group.name}. However, I would not use CN=${group.extension} to search a bushy OU structure. Bushy OU's can hold multiple groups with the same name extension as their CN. In those cases, this will cause your queries to return multiple objects, which neither PSPNG nor you will like :). For bushy provisioning in AD, I've found using gidNumber=${group.idIndex} works well because it's not influenced by the end user and won't cause AD to create a new AD object when all that was required was to update the name of the old one. You can also use DN, but be warned that AD will create a new object each time the group extension or its location(i.e. its DN) changes.
On Wed, Oct 23, 2019 at 5:40 AM Oliver Trieu <> wrote:
Hi Jeffrey,
thank you for your time, of course i can.
I created a new Group using the grouper-gui (GROUP2).
I waited until it was provisioned to AD and then deleted it in grouper.
The attached log file shows the creation and deletion of the group (not_working.txt).
I should add that oddly enough on my first try it actually worked!
It seems to be kind of random as i did the exact same thing (created group, waited for provisioning, then deleted).
I also attached this logfile (worked_strange.txt).
I did not change any settings between these tries...
Kind Regards
Oliver
On 10/22/19 11:41 PM, Jeffrey Williams wrote:
Hi Oliver,
Can you turn up the logging on your provisioner to DEBUG and delete a group?
On Tue, Oct 22, 2019, 1:21 AM Oliver Trieu <> wrote:
Dear Chris,
thank you for your fast response!
Here is the information you asked for:
grouperPatchStatus read from: /opt/grouper.apiBinary-2.4.0/grouperPatchStatus.properties
api patches installed: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74 pspng patches installed: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
Kind Regards
Oliver
Am 21.10.2019 um 17:28 schrieb Hyzer, Chris:
Can you please confirm which patches you have installed? -----Original Message----- From: On Behalf Of Oliver Trieu Sent: Thursday, October 17, 2019 4:13 AM To: Subject: [grouper-users] AD Provisioning not working on delete Hi fellow Grouper Users, i have the grouper 2.4.0 up and running provisioning into our Microsoft AD server. The provisioning of new Groups works just fine, but when i delete the new group it does NOT get deleted in the AD. Somehow grouper thinks it did not provision the group and thus does not delete it. What could be the cause of this issue? Here is the log-snippet to show the problem: 2019-10-16 11:31:00 INFO Starting provisioning batch of 1 items 2019-10-16 11:31:00 INFO Information cached before 2019-10-16T11:30:04.881+02:00 will be ignored 2019-10-16 11:31:00 INFO LDAP search returned 0 entries 2019-10-16 11:31:00 INFO Creating LDAP group for GrouperGroup: ...:NEW_GROUP/#12110(Existing) 2019-10-16 11:31:00 INFO pspng_activedirectory: Creating LDAP object: cn=NEW_GROUP,ou=... 2019-10-16 11:31:00 INFO pspng_activedirectory: Checking for (and creating) missing OUs in DN: cn=NEW_GROUP,ou=... (wholeDnIsOu=false) 2019-10-16 11:31:00 INFO active_directory: Creating LDAP object Entry Summary: dn=cn=NEW_GROUP,ou=...|1 cn values|2 objectclass values| 2019-10-16 11:31:00 INFO LDAP search returned 1 entries 2019-10-16 11:31:00 INFO Work item handled: ProvisioningWorkItem[done=true,successful=true,msg=Group ...l:NEW_GROUP/#12110(Existing) already exists,clog=clog #2071223 / ChangeLog type: group: addGroup,group=..:NEW_GROUP] 2019-10-16 11:31:00 INFO Provisioning batch summary: 3 successes/0 failures. Duration=00.788s Now it is provisioned but when i delete the same object: 2019-10-16 11:40:00 INFO pspng_activedirectory: +processChangeLogEntries(1) 2019-10-16 11:40:00 WARN Unable to refresh object from database, probably because it has been deleted: Group[name=...:NEW_GROUP,uuid=3221ae657f2b4666b008e40086d8350d] 2019-10-16 11:40:00 WARN Work item handled: ProvisioningWorkItem[done=true,successful=true,msg=Ignoring work item because (deleted) group was not provisioned before it was deleted,clog=clog #2071225 / ChangeLog type: group: deleteGroup,group=...:NEW_GROUP] 2019-10-16 11:40:00 INFO pspng_activedirectory: 0 work items need to be processed further 2019-10-16 11:40:00 INFO Starting provisioning batch of 0 items 2019-10-16 11:40:00 INFO Information cached before null will be ignored 2019-10-16 11:40:00 INFO Provisioning batch summary: 1 successes/0 failures. Duration=00.005s Grouper decides to not delete it! I have a similar issue with Folders where grouper will only provision the folder if i create a group in that folder and deleting the folder will not provision the delete to the AD. A full sync however will bring the groups in sync but not the folders ... Kind Regards Oliver PS: here is my grouper-loader config for the AD Provisioner: changeLog.consumer.pspng_activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim changeLog.consumer.pspng_activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner changeLog.consumer.pspng_activedirectory.quartzCron = 0 * * * * ? changeLog.consumer.pspng_activedirectory.ldapPoolName = active_directory changeLog.consumer.pspng_activedirectory.isActiveDirectory = true changeLog.consumer.pspng_activedirectory.grouperIsAuthoritative = true changeLog.consumer.pspng_activedirectory.memberAttributeName = member changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat = ${ldapUser.getDn()} changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = ou=... changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = objectclass=group changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter = (&(objectclass=group)(cn=${grouperUtil.extensionFromName(group.name)})) changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name, "cn", "ou")}||cn: ${grouperUtil.extensionFromName(group.name)}||objectclass: group||objectclass: top changeLog.consumer.pspng_activedirectory.userSearchBaseDn = ou=... changeLog.consumer.pspng_activedirectory.userSearchFilter = samAccountName=${subject.id}-- Oliver Trieu Managed Services Server and Data Management Universität Wien Zentraler Informatikdienst Universitätsstrasse 7, 1010 Wien T +43-1-4277-14161 M: +43-664-60277-14161 zid.univie.ac.at
--
-- Oliver Trieu Managed Services Server and Data Management Universität Wien Zentraler Informatikdienst Universitätsstrasse 7, 1010 Wien T +43-1-4277-14161 M: +43-664-60277-14161 zid.univie.ac.at
- Re: [grouper-users] AD Provisioning not working on delete, Oliver Trieu, 12/03/2019
- Re: [grouper-users] AD Provisioning not working on delete, Jeffrey Williams, 12/10/2019
Archive powered by MHonArc 2.6.19.