comanage-users - [comanage-users] Comanage grouper provisioner group sync
Subject: COmanage Users List
List archive
- From: Benjeman Meekhof <>
- To:
- Subject: [comanage-users] Comanage grouper provisioner group sync
- Date: Thu, 14 Sep 2017 15:40:48 -0400
- Ironport-phdr: 9a23:xWNB2xbx1JRuviVUrhGbFZT/LSx+4OfEezUN459isYplN5qZoMW8bnLW6fgltlLVR4KTs6sC0LuG9fi4EUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQtFiT6+bL9oMBm6sRjau9ULj4dlNqs/0AbCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUjmk8qxlSgLniD0fOjA5/m/ZidF+grxHrx+6uxxz35TZbJ2JOPZifK7Qe84RS2pbXsZWUixMGp6xYJUJD+oDI+lYqpPyp10TphW5GwajGuDvyj9Phn/4wKY31P8uEQTY0wM+HNIOsHPUrNvuOacPVOC1zbXHzTXZY/xIxDj99ZHFfxY8qv+CWrJwdNDeyUgpFw7dllWQqZTlMymP2eQRtWWQ8uluVfq3hmI5qgx9vjqiy8IiioTKnY0Z1lXJ+CplzIopOdK1TVJ0bcKkHZZVsiyWKZV6TdgkTmp1oig10KcGtoS+fCUSyJQo2Rrfa/uffoiN+B3jVeKRLS5mhHJmZL6znhmz/Va+xuLnTMW031FKri1KktnIqH8BzQDc6s+CSvdl/0eh3yiA1xzL5+1aIE04iajWJpsvwrMzjZUfrUHOEyDqlEnqkKCbc1kr9vSo5uniZ7jquIGQOJRshgH7KKsum8i/AeoiMggJWmiW4f+z1Lj98kLnQ7VKjvo2kqfCvZDHIMQbp7K2Aw9P3ok99hm/Ei+q0M4EknkfMFJFZBWHgpD1NFHJJfD3F/G/jE6jkDh13vzGI6bhDYvXLnjYi7rhebd961VAyAoo09xT/ZNUCrcdIP3tQE/xssLXDgMnPwCu3enoFch9hcsiXjeEBaqQNqrdvBqV/e81OMGNYpMYojDwN6Jj6vLz3lEjnlpIV6Sv35YSYXbwO/lrIEWebzK4iNIMHGQKuQQWUenrg13EXDJOMSXhF5kg7y02Xdr1RbzIQZqg1eSM
This behavior surprised me, I think it's by design but maybe it
shouldn't be since it messes with what seemed like the most logical
use-case I could come up with. Maybe someone can enlighten me as to a
better way to avoid this issue.
When I update any CO person information it triggers a provision action
to the Grouper provisioner which ultimately ends up calling
provisionCoPerson in CoGrouperProvisionerTarget.php. At the end of
the function the CoPerson is deleted from any Grouper groups which
they do not belong to in Comanage - even groups which do not exist at
all in CoManage.
My expected use was that I'd be able to manage identities in Comanage,
and create no groups in COmanage except the core/automatic CO_COU
groups which are provisioned to Grouper. I then do any further group
management under the COU sub-stems in Grouper. This doesn't exactly
work if Comanage deletes memberships from Grouper groups it isn't
responsible for, and as far as I am concerned that behavior is really
only appropriate when we are deleting a CO person and want their
subject taken out of Grouper groups entirely (but I imagine we could
catch that by deleting unknown subjects from Grouper groups with a gsh
job).
In my case a small workaround in the php code only matches the COU
default groups for this variable which is used later to loop through
and delete group memberships not found in CoManage:
(line 618)
// Filter the returned groups by the stem that this plugin is
configured to control, but only match groups that Comanage is
responsible for.
$grouperGroups = array();
$stem = $coProvisioningTargetData['CoGrouperProvisionerTarget']['stem'];
// change this preg pattern to only match relevant groups
$pattern = "/^" . preg_quote($stem, '/') . ".*" . "CO_COU_.*/";
foreach($allGrouperGroups as $g) {
if (preg_match($pattern, $g)) {
$grouperGroups[] = $g;
}
}
This of course wouldn't work if any other groups are created in
Comanage and not named by the CO:COU convention that default COU
groups use, but I'll never be creating any groups in COmanage except
those 3 it creates automatically for every COU (CO top-level groups
don't seem to make it to Grouper, which is preferable anyways).
thanks,
Ben
- [comanage-users] Comanage grouper provisioner group sync, Benjeman Meekhof, 09/14/2017
- Re: [comanage-users] Comanage grouper provisioner group sync, Scott Koranda, 09/15/2017
Archive powered by MHonArc 2.6.19.