grouper-users - RE: [grouper-users] PSP-AD group membership structure
Subject: Grouper Users - Open Discussion List
- From: Gagné Sébastien <>
- To: "Tom Zeller" <>
- Cc: <>
- Subject: RE: [grouper-users] PSP-AD group membership structure
- Date: Mon, 13 Aug 2012 14:05:09 -0400
Further testing showed inconsistencies in PSP provisioning; maybe it's a bug
or I'm missing another configuration. In the PSP resolver I added
":immediate" to these DataConnector and AttributeDefinition elements, like you
previously said:
<resolver:DataConnector
    id="GroupDataConnector"
    xsi:type="grouper:GroupDataConnector">
  [...]
  <!-- The "members" attribute values are equivalent to group.getMembers(). -->
  <grouper:Attribute id="members:immediate" />
  <!-- The "groups" attribute values are equivalent to group.getGroups(). -->
  <grouper:Attribute id="groups:immediate" />
</resolver:DataConnector>

<resolver:AttributeDefinition
    id="membersLdap" xsi:type="grouper:Member"
    sourceAttributeID="members:immediate">
  <resolver:Dependency ref="GroupDataConnector" />
  <!-- The values of the "id" attribute are the identifiers of subjects
       whose source id is "ldap". -->
  <grouper:Attribute id="id" source="ldap" />
</resolver:AttributeDefinition>

<!-- The values of the "membersGsa" attribute are the names of group
     members which are grouper groups. -->
<resolver:AttributeDefinition
    id="membersGsa" xsi:type="grouper:Member"
    sourceAttributeID="members:immediate">
  <resolver:Dependency ref="GroupDataConnector" />
  <!-- The values of the "name" attribute are the names of groups whose
       source is "g:gsa". -->
  <grouper:Attribute id="name" source="g:gsa" />
</resolver:AttributeDefinition>
In Grouper, I create the groups and add members in this order:
GroupA
- Members = UserA
GroupB
- Members = UserB
GroupAB
- Members = GroupA, GroupB
The changelogPSP detects each change and provisions each of them. If I go in AD,
I see the 3 groups, but GroupAB has "everything" as members, i.e.
GroupAB
- Members = GroupA, GroupB, UserA, UserB
Without any change in Grouper, I run:
$GROUPER_HOME/api/bin/gsh.sh -psp -bulkSync
And the group in AD is fixed, i.e. GroupAB only has GroupA and GroupB as
members.
From what I can gather in psp-resolver.xml, the changeLog sync and bulkSync
use different data connectors; perhaps a modification of the
"AddMembershipChangeLogDataConnector" is required? Or is there already a
filter for it? I tried adding "immediate" to "membership", but now userAdd
aren't provisioned; I only see the groups in AD.
<!-- Returns change log attributes representing a membership addition. -->
<resolver:DataConnector
    id="AddMembershipChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
  <!-- The ChangeLogEntry filter matches change log entries with the given
       category and action. -->
  <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="membership:immediate"
      action="addMembership" />
</resolver:DataConnector>
Thanks
-----Original Message-----
From: Tom Zeller
Sent: August 9, 2012 11:19
To: Gagné Sébastien
Cc:
Subject: Re: [grouper-users] PSP-AD group membership structure
If I understand correctly, try
<grouper:Attribute id="members:immediate" />
instead of
<grouper:Attribute id="members" />
in the group data connector configuration in psp-resolver.xml.
Some documentation is here:
https://spaces.internet2.edu/display/Grouper/Grouper+Shibboleth+Integration
And some examples are here, in the "testAll" data connector at the top:
http://anonsvn.internet2.edu/viewvc/viewvc.py/i2mi/tags/GROUPER_2_1_0/ldappcng/grouper-shib/src/test/resources/test/GroupDataConnectorTest-resolver.xml?revision=8210&view=co
On Tue, Aug 7, 2012 at 9:38 AM, Gagné Sébastien <> wrote:
> Hi,
>
> I just figured that our PSP configuration is provisioning
> "everything" in the group's member attribute (when a group is a
> member) instead of "immediate" memberships (see
> https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning#GrouperProvisioning-RealTimeProvisioningBetaTesting%3AMembershipStructure
> )
>
> Where is the configuration for that? The wiki page didn't help much;
> is it configurable?
>
> I'm using PSP 2.1.0.
>
> Thanks
>
> Sébastien Gagné, | IT Analyst
> 514-343-6111 x33844 | Université de Montréal,
> | Pavillon Roger-Gaudry, local X-100-11
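
Added example, not part of the original thread and not Grouper or PSP code: a Python check that compares the immediate memberships defined in Grouper with the member values found in the provisioning target, and separates flattened (indirect) members from unexpected or missing ones. The dictionaries are constructed from the GroupA/GroupB/GroupAB test described in the message; the function names are hypothetical.

```python
# Added illustration; the data below is constructed from the GroupA/GroupB/GroupAB
# test described in the message. Nothing here queries Grouper or AD.

# Immediate (direct) memberships as created in Grouper.
GROUPER_IMMEDIATE = {
    "GroupA": {"UserA"},
    "GroupB": {"UserB"},
    "GroupAB": {"GroupA", "GroupB"},
}

# AD member values after change log provisioning, as reported in the message.
AD_AFTER_CHANGELOG = {
    "GroupA": {"UserA"},
    "GroupB": {"UserB"},
    "GroupAB": {"GroupA", "GroupB", "UserA", "UserB"},
}

# AD member values after the bulkSync run, as reported in the message.
AD_AFTER_BULKSYNC = {g: set(m) for g, m in GROUPER_IMMEDIATE.items()}


def effective_members(group, immediate):
    """Every member reachable through nesting (direct and indirect), cycle-safe."""
    seen, stack = set(), [group]
    while stack:
        for member in immediate.get(stack.pop(), ()):
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return seen


def audit(immediate, provisioned):
    """Return {group: finding} for each group whose target members drifted."""
    report = {}
    for group in sorted(set(immediate) | set(provisioned)):
        want = immediate.get(group, set())
        have = provisioned.get(group, set())
        indirect = effective_members(group, immediate) - want
        finding = {
            "flattened": sorted((have - want) & indirect),   # indirect members written as direct
            "unexpected": sorted((have - want) - indirect),  # not a member by any path
            "missing": sorted(want - have),                  # direct members never provisioned
        }
        if any(finding.values()):
            report[group] = finding
    return report


if __name__ == "__main__":
    print(audit(GROUPER_IMMEDIATE, AD_AFTER_CHANGELOG))
    print(audit(GROUPER_IMMEDIATE, AD_AFTER_BULKSYNC))
```

Run against real exports, the two inputs would be the immediate memberships from Grouper and the member attribute values read from the directory, normalised to the same naming scheme.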