
grouper-users - RE: [grouper-users] PSP-AD group membership structure

Subject: Grouper Users - Open Discussion List

  • From: Gagné Sébastien <>
  • To: "Shilen Patel" <>, "Tom Zeller" <>
  • Cc: <>
  • Subject: RE: [grouper-users] PSP-AD group membership structure
  • Date: Mon, 13 Aug 2012 15:11:10 -0400

Thanks, it seems to work now.

I'm a little confused by those configs: isn't it one or the other (flattened or
non-flattened)? I guess you could want none of them, but the interaction
between the two is vague. If I include flattenedMembers, does it include
immediate ones (I guess so)? What happens if I set both of them to true, would it
be added twice (I don't think so)? Is it stored in two lists (you seem to say
that everything is in the same place)?



-----Original Message-----
From: Shilen Patel [mailto:]
Sent: August 13, 2012 14:24
To: Gagné Sébastien; Tom Zeller
Cc:
Subject: Re: [grouper-users] PSP-AD group membership structure

By default, immediate memberships are not added to the change log.
Flattened memberships are though. I'm not sure if the PSP change log
consumer distinguishes between the two when both are present, but I think you
would need to at least update the following in
grouper-loader.properties:

changeLog.includeNonFlattenedMemberships = true

.. and depending on how the PSP consumer works, potentially disable the
following:

changeLog.includeFlattenedMemberships = false

Thanks!

-- Shilen


On 8/13/12 2:05 PM, "Gagné Sébastien" <> wrote:

>Further testing showed inconsistencies in PSP provisioning; maybe it's
>a bug or I'm missing another configuration. In the psp resolver I added
>":immediate" to these DataConnector and AttributeDefinition like you
>previously said:
>
><resolver:DataConnector
>    id="GroupDataConnector"
>    xsi:type="grouper:GroupDataConnector">
>  [...]
>  <!-- The "members" attribute values are equivalent to group.getMembers(). -->
>  <grouper:Attribute id="members:immediate" />
>  <!-- The "groups" attribute values are equivalent to group.getGroups(). -->
>  <grouper:Attribute id="groups:immediate" />
></resolver:DataConnector>
>
><resolver:AttributeDefinition
>    id="membersLdap" xsi:type="grouper:Member"
>    sourceAttributeID="members:immediate">
>  <resolver:Dependency ref="GroupDataConnector" />
>  <!-- The values of the "id" attribute are the identifiers of subjects whose source id is "ldap". -->
>  <grouper:Attribute id="id" source="ldap" />
></resolver:AttributeDefinition>
>
><!-- The values of the "membersGsa" attribute are the names of group members which are grouper groups. -->
><resolver:AttributeDefinition
>    id="membersGsa" xsi:type="grouper:Member"
>    sourceAttributeID="members:immediate">
>  <resolver:Dependency ref="GroupDataConnector" />
>  <!-- The values of the "name" attribute are the names of groups whose source is "g:gsa". -->
>  <grouper:Attribute id="name" source="g:gsa" />
></resolver:AttributeDefinition>
>
>
>In grouper, I create the groups and add members in this order :
>GroupA
>- Members = UserA
>GroupB
>- Members = UserB
>GroupAB
>- Members = GroupA, GroupB
>
>The changelogPSP detects each change and provisions each of them. If I go
>in AD, I see the 3 groups, but GroupAB has "everything" as members, i.e.
>GroupAB
>- Members = GroupA, GroupB, UserA, UserB
>
>Without any change in grouper, I run: $GROUPER_HOME/api/bin/gsh.sh -psp -bulkSync
>
>And the group in AD is fixed, i.e. GroupAB only has GroupA and GroupB as
>members.
>
>From what I can gather in psp-resolver.xml, the changeLog sync and
>bulkSync use different data connectors; perhaps a modification of the
>"AddMembershipChangeLogDataConnector" is required? Or is there already
>a filter for it? I tried adding "immediate" to "membership", but now
>userAdd aren't provisioned, I only see the groups in AD.
>
><!-- Returns change log attributes representing a membership addition. -->
><resolver:DataConnector
>    id="AddMembershipChangeLogDataConnector"
>    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
>  <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
>  <grouper:Filter
>      xsi:type="psp-grouper-changelog:ChangeLogEntry"
>      category="membership:immediate"
>      action="addMembership" />
></resolver:DataConnector>
>
>
>Thanks
>
>
>
>-----Original Message-----
>From: Tom Zeller [mailto:]
>Sent: August 9, 2012 11:19
>To: Gagné Sébastien
>Cc:
>Subject: Re: [grouper-users] PSP-AD group membership structure
>
>If I understand correctly, try
>
> <grouper:Attribute id="members:immediate" />
>
>instead of
>
> <grouper:Attribute id="members" />
>
>in the group data connector configuration in psp-resolver.xml.
>
>Some documentation is here:
>
>https://spaces.internet2.edu/display/Grouper/Grouper+Shibboleth+Integration
>
>And some examples are here in the "testAll" data connector at the top:
>
>http://anonsvn.internet2.edu/viewvc/viewvc.py/i2mi/tags/GROUPER_2_1_0/ldappcng/grouper-shib/src/test/resources/test/GroupDataConnectorTest-resolver.xml?revision=8210&view=co
>
>On Tue, Aug 7, 2012 at 9:38 AM, Gagné Sébastien <> wrote:
>> Hi,
>>
>> I just figured that our PSP configuration is provisioning
>> "everything" in the group's member attribute (when a group is a
>> member) instead of "immediate" memberships (see
>> https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning#GrouperProvisioning-RealTimeProvisioningBetaTesting%3AMembershipStructure)
>>
>> Where is the configuration for that? The wiki page didn't help much;
>> is it configurable?
>>
>>
>>
>> I'm using PSP 2.1.0.
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> Sébastien Gagné, | Analyste en informatique
>>
>> 514-343-6111 x33844 | Université de Montréal,
>>
>> | Pavillon Roger-Gaudry, local X-100-11
>>
>>
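
The difference between immediate and flattened membership discussed in this thread, as an added example (not part of the original messages, and not Grouper or PSP code): a simplified model that compares what a directory holds for each group with the immediate structure and reports which extra members are explained by nesting. The function names and the dictionaries standing in for Grouper and AD state are assumptions; the group layout is the one given in the thread.

```python
# Added illustration: a simplified model, not Grouper or PSP code.
# Dictionaries stand in for Grouper's registry and for AD's "member" attribute.

def flattened_members(group, immediate):
    """All subjects reachable from `group` through nested groups (cycle-safe)."""
    reached, stack = set(), [group]
    while stack:
        for member in immediate.get(stack.pop(), ()):
            if member not in reached:
                reached.add(member)
                if member in immediate:      # member is itself a group: descend
                    stack.append(member)
    reached.discard(group)                   # a membership cycle can lead back here
    return reached

def audit(immediate, directory):
    """Compare directory contents with the immediate structure, group by group."""
    report = {}
    for group, wanted in immediate.items():
        wanted = set(wanted)
        actual = set(directory.get(group, ()))
        extra = actual - wanted
        nested = flattened_members(group, immediate)
        report[group] = {
            "missing": sorted(wanted - actual),
            "extra_from_nesting": sorted(extra & nested),   # flattened entries
            "extra_unexplained": sorted(extra - nested),    # not derivable at all
        }
    return report

# Constructed sample data, following the group layout given in the thread.
GROUPER = {"GroupA": {"UserA"}, "GroupB": {"UserB"},
           "GroupAB": {"GroupA", "GroupB"}}
AD_AFTER_CHANGELOG = {"GroupA": {"UserA"}, "GroupB": {"UserB"},
                      "GroupAB": {"GroupA", "GroupB", "UserA", "UserB"}}
AD_AFTER_BULKSYNC = {g: set(m) for g, m in GROUPER.items()}

if __name__ == "__main__":
    for label, ad in (("change log", AD_AFTER_CHANGELOG),
                      ("bulkSync", AD_AFTER_BULKSYNC)):
        print(label, audit(GROUPER, ad)["GroupAB"])
```

A non-empty `extra_from_nesting` for a group means the directory holds flattened entries alongside the nested groups, which is the state reported after the change-log run and cleared by the bulk sync.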



