
grouper-users - RE: [grouper-users] Provisionning to multiple directories

Subject: Grouper Users - Open Discussion List

  • From: "Bryan E. Wooten" <>
  • To: David Langenberg <>, Gagné Sébastien <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Provisionning to multiple directories
  • Date: Thu, 10 Oct 2013 14:52:55 +0000
  • Accept-language: en-US

Hi all,

 

After much trial and tribulation I CANNOT get the PSP to provision to both AD and OpenDJ. This is a must have requirement. Given this statement from David:

“While it is true the overall movement will eventually be away from the PSP, support for the PSP as it stands will continue for quite awhile.” I have decided to write my own ChangeLogConsumer to provision both AD and LDAP.

 

So I am not sure if I should be directing these questions to this mail list or the dev mail list.

 

Reading here: https://spaces.internet2.edu/display/Grouper/Notifications+(change+log)#Notifications%28changelog%29-consumer

I assume that returning the sequence number is what prevents the change log consumer from processing the same change repeatedly?

 

Thanks,

 

Bryan

 

From: [mailto:] On Behalf Of David Langenberg
Sent: Thursday, September 12, 2013 2:43 PM
To: Gagné Sébastien
Cc:
Subject: Re: [grouper-users] Provisionning to multiple directories

 

Hi Sébastien,

 

I'd recommend sticking with the PSP for this.  While it is true the overall movement will eventually be away from the PSP, support for the PSP as it stands will continue for quite awhile.  As far as how to do this, you could follow the example psp-to-grouper-openldap-multiple.  Just set up additional PSOs in your psp.xml for the new ldap system and any necessary attributes in psp-resolver that are specific to the new LDAP service.

 

If you want to try your other method whereby you run two grouper daemons, all you need to do is ensure the 2nd daemon uses a different name for the ChangeLogConsumerName.  So, in your grouper-loader.properties you'd put

 

changeLog.consumer.pspnewldap.class=edu.internet2.middleware.psp.grouper.PspChangeLogConsumer

 

That would assign your other PSP config a separate pointer from your normal PSP and they'd independently track where they're at.

 

Dave

 

 

 

On Thu, Sep 12, 2013 at 1:45 PM, Gagné Sébastien <> wrote:

Hi,

IIRC I saw two projects where provisioning to multiple LDAP Directories was done using the PSP. Did it work ? We might soon have to do something similar where two root stems will each be sent to different LDAP directories with different configurations (e.g. the current configuration sends groups with members, the second (new) one will only create groups).

 

So I wanted to get some feedback from the team on how I should do it. My current option would be to use the PSP (as my current config does), but it seems this part of the product is being phased out. Will a replacement be available soon (next 2-3 months) or should I still do it with the PSP ?

 

Another option I see could be: Since I have two servers running Grouper (for UI high availability), but only one running the Daemon, would it be possible to run only the PSP on the second one with a completely different configuration to avoid mixing the PSP configurations and have something simpler. I suppose it might create more problems that way, e.g. there’s only one latest changelog number for the PSP in the database, but maybe I could run it only in bulkSync mode.

 

Thanks

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11

 



 

--
David Langenberg

Identity & Access Management

The University of Chicago
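
Added example, not part of the thread and not Grouper or PSP code: a small Python model of the per-consumer-name pointer discussed above, showing two consumer names tracking independently and what a single consumer writing to two directories must tolerate when one target fails. The `Directory` stub, the `run_once` loop and the sample change log are constructed for illustration, and the model assumes the value a consumer returns is stored as that consumer name's position.

```python
# Simplified model of per-consumer change log pointers. Added example; not Grouper code.

class TargetDown(Exception):
    """Raised by the constructed directory stub when a write fails."""

class Directory:
    """Constructed stand-in for an LDAP target: group name -> set of members."""
    def __init__(self, fail_on_seq=None):
        self.groups, self.writes, self.fail_on_seq = {}, 0, fail_on_seq

    def apply(self, entry):
        seq, action, group, member = entry
        if seq == self.fail_on_seq:
            self.fail_on_seq = None          # fail once, succeed on the retry
            raise TargetDown(seq)
        members = self.groups.setdefault(group, set())
        if action == "add":
            members.add(member)              # set operations are idempotent,
        else:
            members.discard(member)          # so a re-delivered entry is harmless
        self.writes += 1

def make_consumer(*targets):
    """Build a consumer that writes each entry to every target, in order."""
    def process(entries, last_ok):
        for entry in entries:
            try:
                for target in targets:
                    target.apply(entry)
            except TargetDown:
                return last_ok               # do not skip: entry is retried next run
            last_ok = entry[0]
        return last_ok
    return process

def run_once(changelog, pointers, name, consumer):
    """Deliver entries newer than this name's pointer, then store the returned value."""
    start = pointers.get(name, 0)
    pending = [e for e in changelog if e[0] > start]
    pointers[name] = consumer(pending, start)
    return pointers[name]

# Constructed sample change log: (sequence, action, group, member)
CHANGELOG = [
    (1, "add", "app:admins", "alice"),
    (2, "add", "app:admins", "bob"),
    (3, "remove", "app:admins", "alice"),
]
```

In the single-consumer case the one shared pointer stalls at the failed entry, so the healthy directory receives that entry again on the next run. Returning a later sequence number instead would silently drop the change, which for a membership removal leaves access in place on the failed target.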


