Grouper Developers Forum

[Emily Eisbruch <>]

Grouper WG  at 2011 SMM – Monday, April 18, 2011
[60 in attendance]

Slides are linked from http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001766&event=1035

Note: Thank you to Dean Woodbeck for preparing these minutes.

Agenda

Questions/topics
 - Update on LDAPPC NG  evolution
Grouper v 2.0 time frame/highlights

• point-in-time audit demo

• member sort/search

• attribute UI

• upgrading to 2.0

• invite external users

• syncing groups between Groupers

• Atlassian connector

LDAP provisioning

What's New with Grouper -  Shilen Patel 

Member searching and sorting

• Problems: Grouper has limited info on subjects. Unable to effectively sort members of a group without performance hit. Unable to quickly/easily search for people in a group.

• Solution: Grouper 2.0 allows up to 5 attributes for sorting and 5 attributes for searching for each subject. Sort/search attributes are updated when subjects are resolved in Grouper.

• Security – each sort and search field can be configured to restrict access based on a group. Useful if attributes contain private info.

• Fixes the performance issues sorting/searching.

• Can put multiple items in the search column

Point in time auditing

• Query the state of Grouper at a specific point in time

• Memberships: Was person X a member of group Y on a given date? Who were all the members of a group on date X or between date X and date Y?

     • Permissions: Did person X have read permission on resource Y at a given date?

     • Attributes: What attributes were assigned to a group in the past and what were the attribute values?

Demo of member search/sort in UI

• Shilen did a demo of the search/sort

Demo of point in time auditing using web services

• Shilen did a demo of the point in time auditing – looked at queries that show whether or not someone is a member of a certain group

• Can specify a “from” date or a “to” date or both on whether someone in a group

What’s New with Grouper - Chris Hyzer 

• Attribute framework UI. Ajax UI. Creates, edits, assigns attributes. For Grouper 2.0.

• Attributes and actions

• Attribute privileges

• Attribute names

• Groups and roles

• Attribute assignments (to do)

• Permission assignments (to do) 

• Upgrade from Grouper 1.6

• March 2011 -- Penn upgraded from Grouper 1.6 to 1.7

• Grouper 1.7 was an internal Grouper release with point-in-time, rules, external subjects

• upgrade took five hours (including testing)

• performed upgrade on a Friday night at 5 pm.

• No significant downtime required for read-only services

• Disabled Nagios monitoring on WS

• Set UI/WS to read-only mode

• Turn off daemons, LDAP sync

• Backup membership lite view to a table

• Backup DB schema

• See details on Penn's upgrade at https://spaces.internet2.edu/display/Grouper/Upgrade+notes+from+Grouper+1.6+to+1.7

• Penn’s Secure Space – to support external users

• Secure Space is built on Grouper – three groups per space – admins, users, readonly

• Grouper client/WS caches the list of groups for the user

• uses InCommon for single sign-on

• EPPN required for external users

• External users self-register their name, email, institution

• Installed Shib Discovery Service, customized:

                          -Support channel
                          -Easy for Penn users
                          -Recommend Protect Network for users who don't have an InCommon account which releases EPPN.

• Chris did a demo of the Penn Secure Space system

   Q:  Have you thought about adding Google or OpenID – users are more familiar with this than Protect Network? 

                   A: At Penn we are starting with Protect Network.

• Group sync to another Grouper

• map the folder/group from one Grouper to the folder/group in another Grouper

• only one side needs to make configurations

• Three types of syncing – push, pull , push_incrementaion

• Uses Grouper web services

• Only external members are synced

• Example on Grouper demo server. See https://spaces.internet2.edu/display/Grouper/Grouper+demo+site

• Atlassian – Grouper connector

• Map a root folder for Confluence or Jira

• Create/delete groups from Atlassian, although sometimes there are issues

• XMPP messaging from Grouper to Atlassian for real time updates

 LDAPPC NG - Lynn Garrison 

LDAP Provisioning

• Group Mgmt 

     • 62 standing groups – provisioned once, incremental update daily

     • course groups – 18746 for spring– provisioned once, incremental update daily

     • delegate – 9700 – managed with web application (depts. Use for listservs, secure space)

     • hybrid/nested – 2000

• Architecture team looks at environment and recommends to production team what to use.

        • Current environment:

     • Linux (CentOS) – Oracle express database, LDAP subject source using software from U-Wash, Shib attribute resolver

     • AIX (version 6.1 POWER7) - LDAP

• Requirements  from Penn State

    • Performance

                       -Groups – 18 minutes to create group of 31000 members. 45 min to provision to LDAP (just do that once). Native LDAP – 40 min to provision to LDAP
                       -Need real-time provisioning
                       -Incremental provisioning 
                       -Creation of groups from existing LDAP

LDAPPC NG -- Tom Zeller

• want speed – turns out caching is key

• need to tune cache – making it larger is a good thing

• if want cache smaller, need to have ways for people to cache easily

               •  When tried to identify areas to improve speed, looked at identifiers – both ends (input to Grouper – out from LDAPPC NG). 

               •  Maybe should get rid of API and draw from IdP?

Emily Eisbruch, Technology Transfer Analyst

Internet2

office: +1-734-352-4996 | mobile +1-734-730-5749

Visit our website: www.internet2.edu
Follow us on Twitter: www.twitter.com/internet2
Become a Fan on Facebook: www.internet2.edu/facebook