Provisioner - LDAP Referral not working for an AD source.


    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Fix Version/s: 5.11.3
    • Affects Version/s: None
    • Component/s: provisioning
    • Labels: None
    • Environment:
      Grouper 5.10.1

      Unable to test an external LDAP system or Provisioner when a referral is executed on an LDAP query to an AD-based LDAP environment.

      Specific error:

      Caused by: org.ldaptive.LdapException: resultCode=REFERRAL, diagnosticMessage=0000202B: RefErr: DSID-0310079D, data 0, 1 access points ref 1: 'nau.froot-virt.nau.edu'

      Complete exception:

      Error: Selecting specific entity (elapsed: 0:00:00.586)
      java.lang.RuntimeException: Problem with ldap connection: nauADTest,
      Error querying ldap server id: nauADTest, searchDn: DC=nau,DC=froot-virt,DC=nau,DC=edu, filter: '(&(cn=rdw4)(objectclass=person)(objectclass=user))', returning attributes: cn, ldap_dn, objectClass
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.callbackLdapSession(LdaptiveSessionImpl.java:181)
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.list(LdaptiveSessionImpl.java:301)
      	at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDaoForLdap.search(LdapSyncDaoForLdap.java:16)
      	at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.retrieveEntities(LdapProvisioningTargetDao.java:1045)
      	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.retrieveEntitiesHelper(GrouperProvisionerTargetDaoAdapter.java:2494)
      	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter$19.callLogic(GrouperProvisionerTargetDaoAdapter.java:2649)
      	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter$19.callLogic(GrouperProvisionerTargetDaoAdapter.java:2641)
      	at edu.internet2.middleware.grouper.util.GrouperUtil.executorServiceSubmit(GrouperUtil.java:14433)
      	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.retrieveEntities(GrouperProvisionerTargetDaoAdapter.java:2706)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.appendSelectEntityFromTarget(GrouperProvisioningDiagnosticsContainer.java:1675)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.runDiagnostics(GrouperProvisioningDiagnosticsContainer.java:205)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$2.provision(GrouperProvisioningType.java:72)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:78)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:855)
      	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:234)
      	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:229)
      	at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:205)
      	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1063)
      	at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:202)
      	at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:167)
      	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
      	at java.base/java.lang.Thread.run(Thread.java:840)
      Caused by: org.ldaptive.LdapException: resultCode=REFERRAL, diagnosticMessage=0000202B: RefErr: DSID-0310079D, data 0, 1 access points
      	ref 1: 'nau.froot-virt.nau.edu'
       
      	at org.ldaptive.handler.ResultPredicate.testAndThrow(ResultPredicate.java:36)
      	at org.ldaptive.transport.DefaultOperationHandle.await(DefaultOperationHandle.java:217)
      	at org.ldaptive.transport.DefaultSearchOperationHandle.await(DefaultSearchOperationHandle.java:104)
      	at org.ldaptive.transport.DefaultSearchOperationHandle.execute(DefaultSearchOperationHandle.java:126)
      	at org.ldaptive.SearchOperation.execute(SearchOperation.java:716)
      	at org.ldaptive.control.util.PagedResultsClient.executeToCompletion(PagedResultsClient.java:223)
      	at org.ldaptive.control.util.PagedResultsClient.executeToCompletion(PagedResultsClient.java:173)
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.processSearchRequest(LdaptiveSessionImpl.java:511)
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.lambda$list$2(LdaptiveSessionImpl.java:305)
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.callbackLdapSession(LdaptiveSessionImpl.java:176)
      	... 23 more 

      This happens with or without REFERRAL set on searchIgnoreResultCodes,

      ...and with referrals being chased, and the endpoint being set as AD in the configuration.

      With ldaptive logging set to DEBUG we see no errors or work being done after identifying the REFERRAL:

      grouper-ui;ldap.log;2024-06-27T09:56:38,437: [ldaptive-ConnectionFactoryTransport-io-5-3] DEBUG NettyConnection$InboundMessageHandler.channelRead0(1578) - [] - Received message org.ldaptive.SearchResponse@1229689377::messageID=2, controls=[], resultCode=SUCCESS, matchedDN=, diagnosticMessage=, referralURLs=[], entries=[], references=[] for handle org.ldaptive.transport.DefaultSearchOperationHandle@2008005987::messageID=2, request=org.ldaptive.SearchRequest@198144555::controls=null, responseTimeout=null, dn=, scope=OBJECT, aliases=NEVER, sizeLimit=0, timeLimit=PT0S, typesOnly=false, filter=org.ldaptive.filter.PresenceFilter@-1302156138::attributeDesc=objectClass, returnAttributes=[1.1], binaryAttributes=null, connection=org.ldaptive.transport.netty.NettyConnection@1816472270::ldapUrl=[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null], isOpen=true, connectTime=2024-06-27T16:56:38.426882762Z, connectionConfig=[org.ldaptive.ConnectionConfig@615437426::ldapUrl=ldap://froot-virt.nau.edu, connectTimeout=PT1M, startTLSTimeout=PT1M, responseTimeout=PT1M, reconnectTimeout=PT2M, autoReconnect=true, autoReconnectCondition=ONE_RECONNECT_ATTEMPT, autoReplay=false, sslConfig=null, useStartTLS=false, connectionInitializers=[org.ldaptive.BindConnectionInitializer@172732813::bindDn=cn=srv_its_ent_groups,cn=users,dc=froot-virt,dc=nau,dc=edu, bindSaslConfig=null, bindControls=null], connectionStrategy=[org.ldaptive.ActivePassiveConnectionStrategy@1557175179::ldapURLSet=[org.ldaptive.LdapURLSet@340358852::active=[[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null]], inactive=[]], activateCondition=DEFAULT_ACTIVATE_CONDITION, retryCondition=DEFAULT_RETRY_CONDITION, initialized=true], connectionValidator=null, transportOptions={}], channel=[id: 0xf3708870, 
L:/10.0.2.100:40498 - R:froot-virt.nau.edu/10.20.176.243:389], responseTimeout=PT1M, creationTime=2024-06-27T16:56:38.432529439Z, sentTime=2024-06-27T16:56:38.433585128Z, receivedTime=null, consumedMessage=true, result=null, exception=null, onEntry=null, onReference=null, onSearchResult=null
      grouper-ui;ldap.log;2024-06-27T09:56:38,437: [https-jsse-nio-0.0.0.0-8443-exec-3] DEBUG LdaptiveSessionImpl.callbackLdapSession(172) - [] - checkout: ldap id: nauADTest, pool active: 0, available: 3
      grouper-ui;ldap.log;2024-06-27T09:56:38,438: [https-jsse-nio-0.0.0.0-8443-exec-3] DEBUG NettyConnection.write(912) - [] - Write handle org.ldaptive.transport.DefaultSearchOperationHandle@466129479::messageID=null, request=org.ldaptive.SearchRequest@1496031054::controls=[[org.ldaptive.control.PagedResultsControl@-68066424::criticality=true, size=1000, cookie=null]], responseTimeout=null, dn=dc=nau,dc=froot-virt,dc=nau,dc=edu, scope=SUBTREE, aliases=NEVER, sizeLimit=0, timeLimit=PT0S, typesOnly=false, filter=org.ldaptive.filter.EqualityFilter@-1265339123::filterType=EQUALITY, attributeDesc=cn, assertionValue=rdw4, returnAttributes=[samaccountname], binaryAttributes=[objectSid, objectGUID], connection=org.ldaptive.transport.netty.NettyConnection@1816472270::ldapUrl=[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null], isOpen=true, connectTime=2024-06-27T16:56:38.426882762Z, connectionConfig=[org.ldaptive.ConnectionConfig@615437426::ldapUrl=ldap://froot-virt.nau.edu, connectTimeout=PT1M, startTLSTimeout=PT1M, responseTimeout=PT1M, reconnectTimeout=PT2M, autoReconnect=true, autoReconnectCondition=ONE_RECONNECT_ATTEMPT, autoReplay=false, sslConfig=null, useStartTLS=false, connectionInitializers=[org.ldaptive.BindConnectionInitializer@172732813::bindDn=cn=srv_its_ent_groups,cn=users,dc=froot-virt,dc=nau,dc=edu, bindSaslConfig=null, bindControls=null], connectionStrategy=[org.ldaptive.ActivePassiveConnectionStrategy@1557175179::ldapURLSet=[org.ldaptive.LdapURLSet@340358852::active=[[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null]], inactive=[]], activateCondition=DEFAULT_ACTIVATE_CONDITION, retryCondition=DEFAULT_RETRY_CONDITION, initialized=true], connectionValidator=null, transportOptions={}], channel=[id: 0xf3708870, L:/10.0.2.100:40498 - 
R:froot-virt.nau.edu/10.20.176.243:389], responseTimeout=PT1M, creationTime=2024-06-27T16:56:38.438722761Z, sentTime=null, receivedTime=null, consumedMessage=false, result=null, exception=null, onEntry=[[org.ldaptive.handler.DnAttributeEntryHandler@-1580910376::dnAttributeName=entryDN, addIfExists=false]], onReference=null, onSearchResult=[edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler@17257, org.ldaptive.referral.FollowSearchReferralHandler@53974be2, org.ldaptive.referral.FollowSearchResultReferenceHandler@61ea43b2] with 0 pending responses
      grouper-ui;ldap.log;2024-06-27T09:56:38,442: [ldaptive-ConnectionFactoryTransport-io-5-3] DEBUG NettyConnection$InboundMessageHandler.channelRead0(1578) - [] - Received message org.ldaptive.SearchResponse@-1582285541::messageID=3, controls=[[org.ldaptive.control.PagedResultsControl@-68102810::criticality=false, size=0, cookie=null]], resultCode=REFERRAL, matchedDN=, diagnosticMessage=0000202B: RefErr: DSID-0310079D, data 0, 1 access points
      	ref 1: 'nau.froot-virt.nau.edu'
      , referralURLs=[ldap://nau.froot-virt.nau.edu/dc=nau,dc=froot-virt,dc=nau,dc=edu], entries=[], references=[] for handle org.ldaptive.transport.DefaultSearchOperationHandle@466129479::messageID=3, request=org.ldaptive.SearchRequest@1496031054::controls=[[org.ldaptive.control.PagedResultsControl@-68066424::criticality=true, size=1000, cookie=null]], responseTimeout=null, dn=dc=nau,dc=froot-virt,dc=nau,dc=edu, scope=SUBTREE, aliases=NEVER, sizeLimit=0, timeLimit=PT0S, typesOnly=false, filter=org.ldaptive.filter.EqualityFilter@-1265339123::filterType=EQUALITY, attributeDesc=cn, assertionValue=rdw4, returnAttributes=[samaccountname], binaryAttributes=[objectSid, objectGUID], connection=org.ldaptive.transport.netty.NettyConnection@1816472270::ldapUrl=[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null], isOpen=true, connectTime=2024-06-27T16:56:38.426882762Z, connectionConfig=[org.ldaptive.ConnectionConfig@615437426::ldapUrl=ldap://froot-virt.nau.edu, connectTimeout=PT1M, startTLSTimeout=PT1M, responseTimeout=PT1M, reconnectTimeout=PT2M, autoReconnect=true, autoReconnectCondition=ONE_RECONNECT_ATTEMPT, autoReplay=false, sslConfig=null, useStartTLS=false, connectionInitializers=[org.ldaptive.BindConnectionInitializer@172732813::bindDn=cn=srv_its_ent_groups,cn=users,dc=froot-virt,dc=nau,dc=edu, bindSaslConfig=null, bindControls=null], connectionStrategy=[org.ldaptive.ActivePassiveConnectionStrategy@1557175179::ldapURLSet=[org.ldaptive.LdapURLSet@340358852::active=[[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null]], inactive=[]], activateCondition=DEFAULT_ACTIVATE_CONDITION, retryCondition=DEFAULT_RETRY_CONDITION, initialized=true], connectionValidator=null, transportOptions={}], channel=[id: 0xf3708870, L:/10.0.2.100:40498 - 
R:froot-virt.nau.edu/10.20.176.243:389], responseTimeout=PT1M, creationTime=2024-06-27T16:56:38.438722761Z, sentTime=2024-06-27T16:56:38.439702644Z, receivedTime=null, consumedMessage=false, result=null, exception=null, onEntry=[[org.ldaptive.handler.DnAttributeEntryHandler@-1580910376::dnAttributeName=entryDN, addIfExists=false]], onReference=null, onSearchResult=[edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler@17257, org.ldaptive.referral.FollowSearchReferralHandler@53974be2, org.ldaptive.referral.FollowSearchResultReferenceHandler@61ea43b2] 

      The LDAP server is accessible and LDAP queries which do not return referrals are successful by Grouper. In addition, the same queries are successful with other clients which can chase the referrals. 
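The exchange the logs above record, as an added example that is not code from this ticket, from Grouper or from ldaptive: the forest-root DC (froot-virt.nau.edu) answers a search based at the child domain's naming context with resultCode=REFERRAL and a referral URL for nau.froot-virt.nau.edu, and the client has to re-issue the search there itself. The example is Python with a constructed two-DC stand-in for the forest (hostnames and the cn=rdw4 entry are taken from the ticket; the directory contents, the SearchRequest/SearchResponse types and the function names are assumptions). It also shows the check a practitioner would want before chasing: the referral names the server the client will re-bind to with the service account's credentials, so only hosts under the expected forest DNS suffix are followed, an ldaps:// session is never downgraded to ldap://, and the number of hops is capped.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, unquote

SUCCESS, REFERRAL, NO_SUCH_OBJECT = 0, 10, 32   # LDAP resultCodes (RFC 4511)

@dataclass(frozen=True)
class SearchRequest:           # assumed type; a minimal model of one search operation
    host: str
    port: int
    tls: bool                  # True when the session is ldaps://
    base_dn: str
    scope: str                 # "base", "one" or "sub"
    filter: str
    attrs: Tuple[str, ...]

@dataclass(frozen=True)
class SearchResponse:          # assumed type; the fields a SearchResultDone carries
    result_code: int
    diagnostic: str
    referral_urls: Tuple[str, ...]
    entries: Tuple[dict, ...]

def parse_ldap_url(url: str) -> dict:
    """Parse an RFC 4516 LDAP URL: scheme://host[:port]/dn[?attrs[?scope[?filter]]]."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    attrs, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]   # '?'-separated tail
    return {"scheme": parts.scheme, "host": (parts.hostname or "").lower(),
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
            "dn": unquote(parts.path.lstrip("/")),
            "attrs": tuple(a for a in attrs.split(",") if a),
            "scope": scope, "filter": unquote(filt)}

def next_hop(req: SearchRequest, resp: SearchResponse, trusted_suffix: str) -> Optional[SearchRequest]:
    """Build the follow-up request for a REFERRAL, or None if no referral URL is safe to follow.

    Chasing means re-binding to the referred host with the same service-account
    credentials, so the target is vetted before anything is sent to it."""
    if resp.result_code != REFERRAL:
        return None
    suffix = trusted_suffix.lower()
    for url in resp.referral_urls:
        ref = parse_ldap_url(url)
        if not (ref["host"] == suffix or ref["host"].endswith("." + suffix)):
            continue                       # outside the expected forest: do not bind there
        if req.tls and ref["scheme"] != "ldaps":
            continue                       # never downgrade a TLS session to plain ldap://
        # RFC 4511 4.1.10: the URL's DN becomes the new base; the rest of the search is
        # unchanged unless the URL supplies its own attrs/scope/filter.
        return replace(req, host=ref["host"], port=ref["port"], tls=ref["scheme"] == "ldaps",
                       base_dn=ref["dn"] or req.base_dn, scope=ref["scope"] or req.scope,
                       filter=ref["filter"] or req.filter, attrs=ref["attrs"] or req.attrs)
    return None

# Constructed stand-in for the forest in the ticket: each DC holds one naming context.
# Hostnames and the cn=rdw4 entry come from the ticket; the directory contents are made up.
FOREST: Dict[str, Dict[str, Tuple[dict, ...]]] = {
    "froot-virt.nau.edu": {"dc=froot-virt,dc=nau,dc=edu": ()},
    "nau.froot-virt.nau.edu": {"dc=nau,dc=froot-virt,dc=nau,dc=edu": (
        {"dn": "cn=rdw4,cn=users,dc=nau,dc=froot-virt,dc=nau,dc=edu",
         "cn": "rdw4", "samaccountname": "rdw4"},)},
}

def dn_under(dn: str, nc: str) -> bool:
    """Case-insensitive 'dn is nc or sits below it' (RFC 4514 escaping and whitespace ignored)."""
    d, n = dn.lower(), nc.lower()
    return d == n or d.endswith("," + n)

def dc_search(req: SearchRequest) -> SearchResponse:
    """Emulate a DC: answer only for the naming context it holds, refer everything else.

    A child domain's NC sits below the parent's DN but is a separate partition, which is
    why the forest-root DC in the ticket refers instead of answering."""
    best = None
    for host, ncs in FOREST.items():
        for nc in ncs:
            if dn_under(req.base_dn, nc) and (best is None or len(nc) > len(best[1])):
                best = (host, nc)          # most specific NC wins
    if best is None:
        return SearchResponse(NO_SUCH_OBJECT, "no such object", (), ())
    host, nc = best
    if host != req.host:
        return SearchResponse(REFERRAL, "0000202B: RefErr (constructed)",
                              ("ldap://%s/%s" % (host, req.base_dn),), ())
    hits = tuple(e for e in FOREST[host][nc] if req.filter == "(cn=%s)" % e["cn"])  # toy matcher
    return SearchResponse(SUCCESS, "", (), hits)

def search_chasing_referrals(req: SearchRequest, trusted_suffix: str,
                             max_hops: int = 3) -> Tuple[Tuple[dict, ...], Tuple[str, ...]]:
    """Run the search, follow a bounded number of referrals, return (entries, hosts that referred us)."""
    hops: list = []
    while True:
        resp = dc_search(req)
        if resp.result_code == SUCCESS:
            return resp.entries, tuple(hops)
        if resp.result_code != REFERRAL:
            raise RuntimeError("search failed: %d %s" % (resp.result_code, resp.diagnostic))
        if len(hops) >= max_hops:
            raise RuntimeError("referral limit reached: " + " -> ".join(hops))
        hops.append(req.host)
        nxt = next_hop(req, resp, trusted_suffix)
        if nxt is None:
            raise RuntimeError("refusing referral to %s" % (resp.referral_urls,))
        req = nxt

# The search from the ticket, sent to the forest-root DC as Grouper did.
EXAMPLE_REQUEST = SearchRequest("froot-virt.nau.edu", 389, False,
                                "dc=nau,dc=froot-virt,dc=nau,dc=edu", "sub", "(cn=rdw4)",
                                ("samaccountname",))
```

Running search_chasing_referrals(EXAMPLE_REQUEST, "froot-virt.nau.edu") reproduces the ticket's first round trip (REFERRAL from froot-virt.nau.edu with ldap://nau.froot-virt.nau.edu/dc=nau,dc=froot-virt,dc=nau,dc=edu) and then returns the rdw4 entry from the child-domain DC. The same referral pointing at a host outside the trusted suffix, or a plain ldap:// URL handed to an ldaps:// session, is rejected rather than followed. Where a client cannot chase referrals at all, the usual alternatives are to point it directly at a DC of the domain that holds the search base, or at the global catalog port (3268/3269) when only GC-replicated attributes are needed.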

            Assignee: Chris Hyzer (upenn.edu)
            Reporter: Raymond Walker
            Votes: 0
            Watchers: 4