Uploaded image for project: 'Grouper'
  1. Grouper
  2. GRP-3637

PSPNG not full-syncing AD groups with memberships above a certain number

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Blocker
    • None
    • None
    • daemon
    • None
    • Grouper 2.4 and newer(at least)

    Description

      PSPNG is encountering an issue during full-sync where groups whose membership requires paging to retrieve are not getting properly synced.  The issue occurs:

      1. if an existing group's membership is of a sufficient size that it requires paging
      2. There are existing members in the target population that are not members in the source population(i.e. Grouper)

      LdapGroupProvisioner.doFullSync()'s initial LDAP lookup in results in the Actual values being 0.  This results in the function believing it only has an add to an empty group and will attempt to add existing members to the group, which will throw an AD Error ENTRY_ALREADY_EXISTS.  LdapSystem.performLdapModify will attempt to retry the mod and will re-read the object from AD again(using Ldap RangeEntryHandler), this time getting the correct membership.  However, rather than recalculate the delta between current and actual to determine the type of operation to perform, it calculates the delta of the group assuming the prior type of operation from the initial ldap read.  So if there's no additional members to add, the delta will be 0 and PSPNG assumes there's nothing more to be done.

       

      PSPNG will compare the size of the memberships afterwards and see that the counts are still not correct.  It will then re-run the sync 2 more times before issuing the warning:

      2021-09-21 06:01:21,906: [FullSyncer(pspng_campusOrgLdap)-Thread] WARN  FullSyncProvisioner.processQueueItem(466) -  - pspng_campusOrgLdap: FullSync of uncg:org:DEPT-ITS-23101:org:UNCG_Students_LMS_All/#113507(Existing) was done 3 times looking for stability, but the final one still required changes. There is a small possibility that realtime changes have been provisioned incorrectly and will be addressed during a future full sync.

      PSPNG is aware that it's not syncing correctly and it reporting it as such, but with the correct logic, it should be able to resolve this on its own.
      Attached is an example log detailing the issue.  Issue has been observed on multiple groups in multiple deployments.
      grouper_error.log

       

      Attachments

        Activity

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
            jeffrey.williams@at.internet2.edu Jeffrey Williams (uncg.edu)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: