Grouper / GRP-2010

PSPNG - Ldap filters with search controls


Details

    • Improvement
    • Resolution: Won't Fix
    • Minor
    • provisioning

    Description

      Validate or enable ldap search controls for subject/group searches...

      From grouper-users:

      Hello,

      For some grouper members I have two accounts in AD one Active and one Disabled. I need to only provision and add the group member’s active account to its corresponding AD group using PSPNG. I tried to add the UserAccountControl criteria to the user Search filter in grouper-loader.properties, but the users don’t get added and the logs show the error below. Is it possible that the grouper AD provisioner does not handle complex search filters?

      user Search filter in grouper-loader.properties:

      changeLog.consumer.pspng_activedirectory.userSearchFilter = (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=${subject.id}))

      Logs error

      2018-03-19 10:20:00,202: [DefaultQuartzScheduler_Worker-6] ERROR LdapObject.matchesLdapFilter(261) -  - Problem checking ldap filter in memory: [org.ldaptive.SearchFilter@aaaa::*filter=(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=xxx)),* parameters=\{}]
      LDAPException(resultCode=92 (not supported), errorMessage='Extensible matching is not supported when attempting to determine whether a given entry matches a search filter.')
                      at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3287)
                      at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3205)
                      at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3187)
                      at com.unboundid.ldap.sdk.Filter.matchesEntry(Filter.java:3152)
                      at edu.internet2.middleware.grouper.pspng.LdapObject.matchesLdapFilter(LdapObject.java:257)
                      at edu.internet2.middleware.grouper.pspng.LdapProvisioner.fetchTargetSystemUsers(LdapProvisioner.java:172)
                      at edu.internet2.middleware.grouper.pspng.Provisioner.prepareUserCache(Provisioner.java:640)
                      at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:476)
                      at edu.internet2.middleware.grouper.pspng.Provisioner.provisionBatchOfItems(Provisioner.java:1373)
                      at edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim.processChangeLogEntries(PspChangelogConsumerShim.java:71)
                      at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:245)
                      at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:717)
                      at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:423)
                      at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:323)
                      at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
                      at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

      Thank you so much,

      Best Regards,


      Mona Z Sawyer M.Sc.

      Programmer Intermediate

      Middleware and Identity Services

      Information Technology | University of Miami

      1320 S. Dixie Hwy | Suite 1000.49

      Coral Gables, Fl 33146

      305-284-2214

          People

            bert.beelindgren@at.internet2.edu Bert Bee-Lindgren (gatech.edu)