Provisioner - LDAP Referral not working for an AD source.


    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • 5.11.3
    • Affects Version/s: None
    • Component/s: provisioning
    • None
    • Environment:
      Grouper 5.10.1

      Unable to test the external LDAP system or the Provisioner when a referral is executed on an LDAP query to an AD-based LDAP environment.

      Specific error:

      Caused by: org.ldaptive.LdapException: resultCode=REFERRAL, diagnosticMessage=0000202B: RefErr: DSID-0310079D, data 0, 1 access points ref 1: 'nau.froot-virt.nau.edu'

      Complete exception:

      Error: Selecting specific entity (elapsed: 0:00:00.586)
      java.lang.RuntimeException: Problem with ldap connection: nauADTest,
      Error querying ldap server id: nauADTest, searchDn: DC=nau,DC=froot-virt,DC=nau,DC=edu, filter: '(&(cn=rdw4)(objectclass=person)(objectclass=user))', returning attributes: cn, ldap_dn, objectClass
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.callbackLdapSession(LdaptiveSessionImpl.java:181)
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.list(LdaptiveSessionImpl.java:301)
      	at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDaoForLdap.search(LdapSyncDaoForLdap.java:16)
      	at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.retrieveEntities(LdapProvisioningTargetDao.java:1045)
      	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.retrieveEntitiesHelper(GrouperProvisionerTargetDaoAdapter.java:2494)
      	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter$19.callLogic(GrouperProvisionerTargetDaoAdapter.java:2649)
      	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter$19.callLogic(GrouperProvisionerTargetDaoAdapter.java:2641)
      	at edu.internet2.middleware.grouper.util.GrouperUtil.executorServiceSubmit(GrouperUtil.java:14433)
      	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.retrieveEntities(GrouperProvisionerTargetDaoAdapter.java:2706)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.appendSelectEntityFromTarget(GrouperProvisioningDiagnosticsContainer.java:1675)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.runDiagnostics(GrouperProvisioningDiagnosticsContainer.java:205)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$2.provision(GrouperProvisioningType.java:72)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:78)
      	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:855)
      	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:234)
      	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:229)
      	at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:205)
      	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1063)
      	at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:202)
      	at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:167)
      	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
      	at java.base/java.lang.Thread.run(Thread.java:840)
      Caused by: org.ldaptive.LdapException: resultCode=REFERRAL, diagnosticMessage=0000202B: RefErr: DSID-0310079D, data 0, 1 access points
      	ref 1: 'nau.froot-virt.nau.edu'
      	at org.ldaptive.handler.ResultPredicate.testAndThrow(ResultPredicate.java:36)
      	at org.ldaptive.transport.DefaultOperationHandle.await(DefaultOperationHandle.java:217)
      	at org.ldaptive.transport.DefaultSearchOperationHandle.await(DefaultSearchOperationHandle.java:104)
      	at org.ldaptive.transport.DefaultSearchOperationHandle.execute(DefaultSearchOperationHandle.java:126)
      	at org.ldaptive.SearchOperation.execute(SearchOperation.java:716)
      	at org.ldaptive.control.util.PagedResultsClient.executeToCompletion(PagedResultsClient.java:223)
      	at org.ldaptive.control.util.PagedResultsClient.executeToCompletion(PagedResultsClient.java:173)
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.processSearchRequest(LdaptiveSessionImpl.java:511)
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.lambda$list$2(LdaptiveSessionImpl.java:305)
      	at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.callbackLdapSession(LdaptiveSessionImpl.java:176)
      	... 23 more 

      This is with or without REFERRAL set on searchIgnoreResultCodes,

      ...and with referrals being chased, and the endpoint being set as AD in configuration.

      With ldaptive logging set to DEBUG we see no errors or work being done after identifying the REFERRAL:

      grouper-ui;ldap.log;2024-06-27T09:56:38,437: [ldaptive-ConnectionFactoryTransport-io-5-3] DEBUG NettyConnection$InboundMessageHandler.channelRead0(1578) - [] - Received message org.ldaptive.SearchResponse@1229689377::messageID=2, controls=[], resultCode=SUCCESS, matchedDN=, diagnosticMessage=, referralURLs=[], entries=[], references=[] for handle org.ldaptive.transport.DefaultSearchOperationHandle@2008005987::messageID=2, request=org.ldaptive.SearchRequest@198144555::controls=null, responseTimeout=null, dn=, scope=OBJECT, aliases=NEVER, sizeLimit=0, timeLimit=PT0S, typesOnly=false, filter=org.ldaptive.filter.PresenceFilter@-1302156138::attributeDesc=objectClass, returnAttributes=[1.1], binaryAttributes=null, connection=org.ldaptive.transport.netty.NettyConnection@1816472270::ldapUrl=[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null], isOpen=true, connectTime=2024-06-27T16:56:38.426882762Z, connectionConfig=[org.ldaptive.ConnectionConfig@615437426::ldapUrl=ldap://froot-virt.nau.edu, connectTimeout=PT1M, startTLSTimeout=PT1M, responseTimeout=PT1M, reconnectTimeout=PT2M, autoReconnect=true, autoReconnectCondition=ONE_RECONNECT_ATTEMPT, autoReplay=false, sslConfig=null, useStartTLS=false, connectionInitializers=[org.ldaptive.BindConnectionInitializer@172732813::bindDn=cn=srv_its_ent_groups,cn=users,dc=froot-virt,dc=nau,dc=edu, bindSaslConfig=null, bindControls=null], connectionStrategy=[org.ldaptive.ActivePassiveConnectionStrategy@1557175179::ldapURLSet=[org.ldaptive.LdapURLSet@340358852::active=[[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null]], inactive=[]], activateCondition=DEFAULT_ACTIVATE_CONDITION, retryCondition=DEFAULT_RETRY_CONDITION, initialized=true], connectionValidator=null, transportOptions={}], channel=[id: 0xf3708870, L:/10.0.2.100:40498 - R:froot-virt.nau.edu/10.20.176.243:389], responseTimeout=PT1M, creationTime=2024-06-27T16:56:38.432529439Z, sentTime=2024-06-27T16:56:38.433585128Z, receivedTime=null, consumedMessage=true, result=null, exception=null, onEntry=null, onReference=null, onSearchResult=null
      grouper-ui;ldap.log;2024-06-27T09:56:38,437: [https-jsse-nio-0.0.0.0-8443-exec-3] DEBUG LdaptiveSessionImpl.callbackLdapSession(172) - [] - checkout: ldap id: nauADTest, pool active: 0, available: 3
      grouper-ui;ldap.log;2024-06-27T09:56:38,438: [https-jsse-nio-0.0.0.0-8443-exec-3] DEBUG NettyConnection.write(912) - [] - Write handle org.ldaptive.transport.DefaultSearchOperationHandle@466129479::messageID=null, request=org.ldaptive.SearchRequest@1496031054::controls=[[org.ldaptive.control.PagedResultsControl@-68066424::criticality=true, size=1000, cookie=null]], responseTimeout=null, dn=dc=nau,dc=froot-virt,dc=nau,dc=edu, scope=SUBTREE, aliases=NEVER, sizeLimit=0, timeLimit=PT0S, typesOnly=false, filter=org.ldaptive.filter.EqualityFilter@-1265339123::filterType=EQUALITY, attributeDesc=cn, assertionValue=rdw4, returnAttributes=[samaccountname], binaryAttributes=[objectSid, objectGUID], connection=org.ldaptive.transport.netty.NettyConnection@1816472270::ldapUrl=[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null], isOpen=true, connectTime=2024-06-27T16:56:38.426882762Z, connectionConfig=[org.ldaptive.ConnectionConfig@615437426::ldapUrl=ldap://froot-virt.nau.edu, connectTimeout=PT1M, startTLSTimeout=PT1M, responseTimeout=PT1M, reconnectTimeout=PT2M, autoReconnect=true, autoReconnectCondition=ONE_RECONNECT_ATTEMPT, autoReplay=false, sslConfig=null, useStartTLS=false, connectionInitializers=[org.ldaptive.BindConnectionInitializer@172732813::bindDn=cn=srv_its_ent_groups,cn=users,dc=froot-virt,dc=nau,dc=edu, bindSaslConfig=null, bindControls=null], connectionStrategy=[org.ldaptive.ActivePassiveConnectionStrategy@1557175179::ldapURLSet=[org.ldaptive.LdapURLSet@340358852::active=[[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null]], inactive=[]], activateCondition=DEFAULT_ACTIVATE_CONDITION, retryCondition=DEFAULT_RETRY_CONDITION, initialized=true], connectionValidator=null, transportOptions={}], channel=[id: 0xf3708870, L:/10.0.2.100:40498 - R:froot-virt.nau.edu/10.20.176.243:389], responseTimeout=PT1M, creationTime=2024-06-27T16:56:38.438722761Z, sentTime=null, receivedTime=null, consumedMessage=false, result=null, exception=null, onEntry=[[org.ldaptive.handler.DnAttributeEntryHandler@-1580910376::dnAttributeName=entryDN, addIfExists=false]], onReference=null, onSearchResult=[edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler@17257, org.ldaptive.referral.FollowSearchReferralHandler@53974be2, org.ldaptive.referral.FollowSearchResultReferenceHandler@61ea43b2] with 0 pending responses
      grouper-ui;ldap.log;2024-06-27T09:56:38,442: [ldaptive-ConnectionFactoryTransport-io-5-3] DEBUG NettyConnection$InboundMessageHandler.channelRead0(1578) - [] - Received message org.ldaptive.SearchResponse@-1582285541::messageID=3, controls=[[org.ldaptive.control.PagedResultsControl@-68102810::criticality=false, size=0, cookie=null]], resultCode=REFERRAL, matchedDN=, diagnosticMessage=0000202B: RefErr: DSID-0310079D, data 0, 1 access points
      	ref 1: 'nau.froot-virt.nau.edu'
      , referralURLs=[ldap://nau.froot-virt.nau.edu/dc=nau,dc=froot-virt,dc=nau,dc=edu], entries=[], references=[] for handle org.ldaptive.transport.DefaultSearchOperationHandle@466129479::messageID=3, request=org.ldaptive.SearchRequest@1496031054::controls=[[org.ldaptive.control.PagedResultsControl@-68066424::criticality=true, size=1000, cookie=null]], responseTimeout=null, dn=dc=nau,dc=froot-virt,dc=nau,dc=edu, scope=SUBTREE, aliases=NEVER, sizeLimit=0, timeLimit=PT0S, typesOnly=false, filter=org.ldaptive.filter.EqualityFilter@-1265339123::filterType=EQUALITY, attributeDesc=cn, assertionValue=rdw4, returnAttributes=[samaccountname], binaryAttributes=[objectSid, objectGUID], connection=org.ldaptive.transport.netty.NettyConnection@1816472270::ldapUrl=[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null], isOpen=true, connectTime=2024-06-27T16:56:38.426882762Z, connectionConfig=[org.ldaptive.ConnectionConfig@615437426::ldapUrl=ldap://froot-virt.nau.edu, connectTimeout=PT1M, startTLSTimeout=PT1M, responseTimeout=PT1M, reconnectTimeout=PT2M, autoReconnect=true, autoReconnectCondition=ONE_RECONNECT_ATTEMPT, autoReplay=false, sslConfig=null, useStartTLS=false, connectionInitializers=[org.ldaptive.BindConnectionInitializer@172732813::bindDn=cn=srv_its_ent_groups,cn=users,dc=froot-virt,dc=nau,dc=edu, bindSaslConfig=null, bindControls=null], connectionStrategy=[org.ldaptive.ActivePassiveConnectionStrategy@1557175179::ldapURLSet=[org.ldaptive.LdapURLSet@340358852::active=[[org.ldaptive.LdapURL@-2136466663::scheme=ldap, hostname=froot-virt.nau.edu, port=-1, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null]], inactive=[]], activateCondition=DEFAULT_ACTIVATE_CONDITION, retryCondition=DEFAULT_RETRY_CONDITION, initialized=true], connectionValidator=null, transportOptions={}], channel=[id: 0xf3708870, L:/10.0.2.100:40498 - R:froot-virt.nau.edu/10.20.176.243:389], responseTimeout=PT1M, creationTime=2024-06-27T16:56:38.438722761Z, sentTime=2024-06-27T16:56:38.439702644Z, receivedTime=null, consumedMessage=false, result=null, exception=null, onEntry=[[org.ldaptive.handler.DnAttributeEntryHandler@-1580910376::dnAttributeName=entryDN, addIfExists=false]], onReference=null, onSearchResult=[edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler@17257, org.ldaptive.referral.FollowSearchReferralHandler@53974be2, org.ldaptive.referral.FollowSearchResultReferenceHandler@61ea43b2]

      The LDAP server is accessible, and LDAP queries which do not return referrals are successful from Grouper. In addition, the same queries are successful with other clients which can chase the referrals.
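For comparison with the "other clients which can chase the referrals" mentioned above, here is an added example (not Grouper or ldaptive code) of what following this REFERRAL result involves: parsing the referral URL, reissuing the search against the referred host and base DN, and refusing referrals that leave the configured forest DNS suffix or downgrade from ldaps. SearchRequest, plan_referral_follow and trusted_suffix are hypothetical names; the response dict is constructed from the log quoted above.

```python
import re
from dataclasses import dataclass, replace
from urllib.parse import urlsplit, unquote

# Constructed from the REFERRAL response quoted in this issue; not Grouper or ldaptive code.
AD_REFERRAL = {
    "resultCode": "REFERRAL",
    "diagnosticMessage": "0000202B: RefErr: DSID-0310079D, data 0, 1 access points\n"
                         "\tref 1: 'nau.froot-virt.nau.edu'",
    "referralURLs": ["ldap://nau.froot-virt.nau.edu/dc=nau,dc=froot-virt,dc=nau,dc=edu"],
}

@dataclass(frozen=True)
class SearchRequest:          # hypothetical minimal request object
    scheme: str
    host: str
    base_dn: str
    scope: str
    filter: str

def parse_ldap_url(url):
    """Split an RFC 4516 URL 'scheme://host/dn?attrs?scope?filter' into its parts ('' if absent)."""
    u = urlsplit(url)
    fields = (u.query.split("?") + ["", "", ""])[:3]      # attrs, scope, filter
    return (u.scheme.lower(), (u.hostname or "").lower(),
            unquote(u.path.lstrip("/")), unquote(fields[1]).lower(), unquote(fields[2]))

def referral_hosts_from_diagnostic(msg):
    """Hosts named in AD's 'RefErr ... ref N: host' text, to cross-check against referralURLs."""
    return [h.lower() for h in re.findall(r"ref \d+: '([^']+)'", msg)]

def plan_referral_follow(req, response, trusted_suffix, hop=0, max_hops=3):
    """Return the SearchRequest to reissue for a REFERRAL result, or None if it must not be chased.

    RFC 4511 section 4.1.10: the client repeats the operation at the referred server, taking
    base DN, scope and filter from the URL when present and from the original otherwise.
    trusted_suffix should start with a dot (".nau.edu") so "evil-nau.edu" does not match.
    """
    if response.get("resultCode") != "REFERRAL" or hop >= max_hops:
        return None                       # not a referral, or a referral loop between DCs
    for url in response.get("referralURLs", []):
        scheme, host, dn, scope, filt = parse_ldap_url(url)
        if req.scheme == "ldaps" and scheme != "ldaps":
            continue                      # never downgrade to cleartext LDAP while chasing
        if not host.endswith(trusted_suffix.lower()):
            continue                      # the referred server receives our bind: stay inside the forest
        return replace(req, scheme=scheme, host=host, base_dn=dn or req.base_dn,
                       scope=scope or req.scope, filter=filt or req.filter)
    return None
```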

      Attachments:
        1. NAU_debug_referrals.groovy (4 kB, Chad Redman)
        2. NAU_debug_referral.output (73 kB, Raymond Walker)
        3. Screenshot 2024-07-23 at 1.16.49 PM.png (85 kB, Raymond Walker)
        4. image-2024-07-23-13-19-55-983.png (88 kB, Raymond Walker)

            Assignee:
            Chris Hyzer (upenn.edu)
            Reporter:
            Raymond Walker