
grouper-users - Re: [grouper-users] PSP-AD group membership structure

Subject: Grouper Users - Open Discussion List

  • From: Shilen Patel <>
  • To: Gagné Sébastien <>, "Tom Zeller" <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] PSP-AD group membership structure
  • Date: Mon, 13 Aug 2012 18:23:52 +0000
  • Accept-language: en-US

By default, immediate memberships are not added to the change log.
Flattened memberships are though. I'm not sure if the PSP change log
consumer distinguishes between the two when both are present, but I think
you would need to at least update the following in
grouper-loader.properties:

changeLog.includeNonFlattenedMemberships = true

.. and depending on how the PSP consumer works, potentially disable the
following:

changeLog.includeFlattenedMemberships = false

Thanks!

-- Shilen


On 8/13/12 2:05 PM, "Gagné Sébastien"
<>
wrote:

>Further testing showed inconsistencies in PSP provisioning; maybe it's a
>bug or I'm missing another configuration. In the PSP resolver I added
>":immediate" to this DataConnector and these AttributeDefinitions, like you
>previously said:
>
><resolver:DataConnector
> id="GroupDataConnector"
> xsi:type="grouper:GroupDataConnector">
> [...]
> <!-- The "members" attribute values are equivalent to group.getMembers(). -->
> <grouper:Attribute id="members:immediate" />
> <!-- The "groups" attribute values are equivalent to group.getGroups(). -->
> <grouper:Attribute id="groups:immediate" />
> </resolver:DataConnector>
>
><resolver:AttributeDefinition
> id="membersLdap" xsi:type="grouper:Member" sourceAttributeID="members:immediate">
> <resolver:Dependency ref="GroupDataConnector" />
> <!-- The values of the "id" attribute are the identifiers of subjects whose source id is "ldap". -->
> <grouper:Attribute id="id" source="ldap" />
> </resolver:AttributeDefinition>
>
> <!-- The values of the "membersGsa" attribute are the names of group members which are grouper groups. -->
> <resolver:AttributeDefinition
> id="membersGsa" xsi:type="grouper:Member" sourceAttributeID="members:immediate">
> <resolver:Dependency ref="GroupDataConnector" />
> <!-- The values of the "name" attribute are the names of groups whose source is "g:gsa". -->
> <grouper:Attribute id="name" source="g:gsa" />
> </resolver:AttributeDefinition>
>
>
>In Grouper, I create the groups and add members in this order:
>GroupA
>- Members = UserA
>GroupB
>- Members = UserB
>GroupAB
>- Members = GroupA, GroupB
>
>The changelogPSP detects each change and provisions each of them. If I go in
>AD, I see the 3 groups, but GroupAB has "everything" as members, i.e.
>GroupAB
>- Members = GroupA, GroupB, UserA, UserB
>
>Without any change in Grouper, I run: $GROUPER_HOME/api/bin/gsh.sh -psp
>-bulkSync
>
>And the group in AD is fixed, i.e. GroupAB only has GroupA and GroupB as
>members.
>
>From what I can gather in psp-resolver.xml, the changeLog sync and
>bulkSync use different data connectors; perhaps a modification of the
>"AddMembershipChangeLogDataConnector" is required? Or is there already a
>filter for it? I tried adding "immediate" to "membership", but now
>userAdd aren't provisioned, I only see the groups in AD.
>
> <!-- Returns change log attributes representing a membership addition. -->
> <resolver:DataConnector
> id="AddMembershipChangeLogDataConnector"
> xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
> <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
> <grouper:Filter
> xsi:type="psp-grouper-changelog:ChangeLogEntry"
> category="membership:immediate"
> action="addMembership" />
> </resolver:DataConnector>
>
>
>Thanks
>
>
>
>-----Original Message-----
>From: Tom Zeller
>[mailto:]
>Sent: August 9, 2012 11:19
>To: Gagné Sébastien
>Cc:
>
>Subject: Re: [grouper-users] PSP-AD group membership structure
>
>If I understand correctly, try
>
> <grouper:Attribute id="members:immediate" />
>
>instead of
>
> <grouper:Attribute id="members" />
>
>in the group data connector configuration in psp-resolver.xml.
>
>Some documentation is here:
>
>https://spaces.internet2.edu/display/Grouper/Grouper+Shibboleth+Integration
>
>And some examples are here in the "testAll" data connector at the top:
>
>http://anonsvn.internet2.edu/viewvc/viewvc.py/i2mi/tags/GROUPER_2_1_0/ldappcng/grouper-shib/src/test/resources/test/GroupDataConnectorTest-resolver.xml?revision=8210&view=co
>
>On Tue, Aug 7, 2012 at 9:38 AM, Gagné Sébastien
><>
> wrote:
>> Hi,
>>
>> I just figured that our PSP configuration is provisioning
>> "everything" in the group's member attribute (when a group is a
>> member) instead of "immediate" memberships (see
>> https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning#GrouperProvisioning-RealTimeProvisioningBetaTesting%3AMembershipStructure
>> )
>>
>>
>>
>> Where is the configuration for that? The wiki page didn't help much;
>> is it configurable?
>>
>>
>>
>> I'm using PSP 2.1.0.
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> Sébastien Gagné, | IT Analyst
>>
>> 514-343-6111 x33844 | Université de Montréal,
>>
>> | Pavillon Roger-Gaudry, local X-100-11
>>
>>
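
An added illustration, not part of the thread and not Grouper or PSP code: a simplified Python model of the behaviour discussed above, using the GroupA/GroupB/GroupAB layout from the quoted message. It shows why a consumer fed only flattened change log entries writes UserA and UserB into GroupAB, and how comparing the target with immediate memberships exposes that drift. The function names and the "immediate"/"flattened" entry labels are assumptions made for the sketch.

```python
# Simplified model (assumption): not Grouper's change log or the PSP consumer.
# Constructed data: the three groups from the thread, immediate members only.
IMMEDIATE = {
    "GroupA": {"UserA"},
    "GroupB": {"UserB"},
    "GroupAB": {"GroupA", "GroupB"},
}

def flattened(group, immediate=IMMEDIATE, _seen=None):
    """Immediate members plus everything inherited through nested groups."""
    seen = _seen if _seen is not None else {group}
    result = set()
    for member in immediate.get(group, ()):
        result.add(member)
        if member in immediate and member not in seen:  # nested group, cycle-safe
            seen.add(member)
            result |= flattened(member, immediate, seen)
    return result

def change_log(include_non_flattened, include_flattened, immediate=IMMEDIATE):
    """Add-membership entries as (label, group, member), gated by two switches
    that mirror changeLog.includeNonFlattenedMemberships and
    changeLog.includeFlattenedMemberships. Labels are hypothetical."""
    entries = []
    for group in immediate:
        if include_non_flattened:
            entries += [("immediate", group, m) for m in sorted(immediate[group])]
        if include_flattened:
            entries += [("flattened", group, m)
                        for m in sorted(flattened(group, immediate))]
    return entries

def provision(entries):
    """A consumer that writes every entry it receives into the target group."""
    target = {}
    for _label, group, member in entries:
        target.setdefault(group, set()).add(member)
    return target

def drift(target, immediate=IMMEDIATE):
    """Direct members in the target that are not immediate members in Grouper."""
    extra = {g: sorted(ms - immediate.get(g, set())) for g, ms in target.items()}
    return {g: ms for g, ms in extra.items() if ms}

if __name__ == "__main__":
    print("flattened only :", drift(provision(change_log(False, True))))
    print("immediate only :", drift(provision(change_log(True, False))))
```
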



