
grouper-users - Re: [grouper-users] LDAPPCNG - isMemberOf attribute

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: "Klug, Lawrence" <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] LDAPPCNG - isMemberOf attribute
  • Date: Tue, 26 Jun 2012 16:55:27 -0500

Yes, provisioning isMemberOf is part of a bulk sync.

By default, most of the psp-example-grouper-to-* projects provision
the isMemberOf attribute for group members via bulk sync as well as
via the change log. The Active Directory and OpenLDAP-memberof-overlay
examples do not, because those DSAs handle referential integrity for
us.

The configuration is, well, improvable. 2.1.0 was the initial release,
2.1.1 has performance improvements, and I am open to suggestions.

There are 4 objects in the psp configuration, psp.xml, to provision
isMemberOf.

The first is for members provisioned via [bulk]sync :

<!-- Provision memberOf attributes for members which are ldap persons. -->
<psp id="member">
<attribute name="isMemberOf" ... />

the second is for groups provisioned via [bulk]sync :

<!-- Provision a grouper group as an ldap group. -->
<pso id="group" >
<attribute name="isMemberOf" ... />

the third is for members added to a group, provisioned via the grouper
change log :

<!-- Provision a member's membership triggered by the grouper change log. -->
<psp id="memberMembership">
<attribute name="isMemberOf" ... />

and the fourth is for groups added to a group as a member, provisioned
via the grouper change log :

<!-- Provision a group's membership triggered by the grouper change log. -->
<psp id="groupMembership">
<attribute name="isMemberOf" .../>

On Mon, Jun 25, 2012 at 2:11 PM, Klug, Lawrence
<>
wrote:
> Tom,
>
> Okay, I tested it in this way and it worked fine. This provisioning
> process would be a part of bulk sync, right?
>
> (BTW, I'm using 2.0, so the command is ldappcng - we are hoping to upgrade
> when 2.1.1 comes out.)
>
> Thanks,
>
> Lawrence
>
> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Zeller
> Sent: Friday, June 22, 2012 1:33 PM
> To: Klug, Lawrence
> Cc:
> Subject: Re: [grouper-users] LDAPPCNG - isMemberOf attribute
>
> Turn up logging to debug or trace in grouper/conf/log4j.properties :
>
>  # Provisioning : PSP (version 2.1+)
>  log4j.logger.edu.internet2.middleware.psp = TRACE
>
>  # Provisioning : vt-ldap
>  log4j.logger.edu.vt.middleware.ldap = DEBUG
>
>  # Provisioning : Grouper plugin to Shibboleth attribute resolver
>  log4j.logger.edu.internet2.middleware.grouper.shibboleth = TRACE
>
> then try to calc a person who should have isMemberOf provisioned :
>
>  bin/gsh.sh -psp -calc <subject id of member who should have isMemberOf>
>
> and take a look at the log output in logs/grouper_error.log, which if you
> can post somewhere, I will read.
>
> TomZ
>
> On Fri, Jun 22, 2012 at 1:30 PM, Klug, Lawrence
> <>
> wrote:
>> We're running LDAPPCNG v2.0 and for some reason the isMemberOf
>> attribute is no longer being populated into Person records. What
>> should I be looking for configuration-wise? We want to use isMemberOf
>> Shib header attribute for authorization.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Lawrence
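
An added example, not part of the original thread and not Grouper's own code: a small Python check that reports, for each of the four object ids named in the message above, whether a psp.xml defines an isMemberOf attribute. The root element, namespace and sample contents are constructed, and the element layout is assumed to mirror the fragments quoted in the message.

```python
import xml.etree.ElementTree as ET

# The four object ids the message names as provisioning isMemberOf.
EXPECTED_IDS = ("member", "group", "memberMembership", "groupMembership")

# Constructed sample: root element, namespace and contents are invented for
# this example; only the id values and the isMemberOf attribute name come
# from the message. The message shows both <psp> and <pso> tags, so both
# are accepted below.
SAMPLE_PSP_XML = """\
<config xmlns="urn:example:constructed">
  <psp id="member">
    <attribute name="isMemberOf"/>
  </psp>
  <pso id="group">
    <attribute name="isMemberOf"/>
  </pso>
  <pso id="memberMembership">
    <attribute name="cn"/>
  </pso>
</config>
"""

def _local(tag):
    """Strip an XML namespace prefix such as '{urn:...}pso' -> 'pso'."""
    return tag.rsplit("}", 1)[-1]

def audit_is_member_of(xml_text, attr_name="isMemberOf"):
    """Return {object id: status} for each of the four expected objects."""
    seen = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) not in ("pso", "psp") or el.get("id") not in EXPECTED_IDS:
            continue
        has_attr = any(
            _local(child.tag) == "attribute" and child.get("name") == attr_name
            for child in el.iter()
        )
        seen[el.get("id")] = seen.get(el.get("id"), False) or has_attr
    status = {}
    for obj_id in EXPECTED_IDS:
        if obj_id not in seen:
            status[obj_id] = "object not defined"
        else:
            status[obj_id] = "provisioned" if seen[obj_id] else "attribute missing"
    return status

if __name__ == "__main__":
    for obj_id, state in audit_is_member_of(SAMPLE_PSP_XML).items():
        print(f"{obj_id:18} {state}")
```

An object reported as "attribute missing" or "object not defined" is a path (bulk sync or change log) on which isMemberOf would not be written, which matters when that attribute drives Shibboleth authorization.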


