
grouper-users - Re: [grouper-users] SPML2 and understanding the psp-resolver.xml file

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda <>
  • To: David Langenberg <>
  • Cc: David Vezzani <>, "" <>, Brian Koehmstedt <>, John Kamminga <>
  • Subject: Re: [grouper-users] SPML2 and understanding the psp-resolver.xml file
  • Date: Thu, 2 Oct 2014 12:49:11 -0500

Thanks. It helps us plan if we know that AD/LDAP provisioning support
out of the box is non-optional.

Cheers,

Scott K for LIGO

On Thu, Oct 2, 2014 at 12:44 PM, David Langenberg
<>
wrote:
> disagree with 1.
>
> https://spaces.internet2.edu/display/Grouper/Post+PSP+Provisioning#PostPSPProvisioning-FirstImplementations
> mentions that we'll first implement an AD and LDAP provisioner. AD/LDAP
> provisioning support out of the box is non-optional from my point of view.
> Now, that said, the PSP is maddeningly complex to configure, so there will
> be a few trades made to favor easier configuration / deployment. This
> means if you have use-cases that are closer to the edge, you may need to
> write some code to do the AD/LDAP provisioning.
>
> As for 2, that's still up in the air. On the last dev call where we
> discussed provisioning it was decided that a strong desire (not quite to the
> level of requirement, but EXTREMELY close) would be to support wiring this
> all together directly somehow so that deployers who do not want to also
> deploy a message broker / or rent one from Amazon wouldn't have to.
>
> Dave
>
>
> On Thu, Oct 2, 2014 at 11:29 AM, Scott Koranda
> <>
> wrote:
>>
>> Hi David,
>>
>> Based on what I read on that wiki page, is this a fair statement:
>>
>> The Grouper team may release a version of Grouper in the future that
>> will not provision to LDAP without a deployer having to take one of
>> these two actions: (1) Writing Java code, or (2) deploying a message
>> queue/broker.
>>
>> Thanks,
>>
>> Scott K for LIGO
>>
>>
>> On Thu, Oct 2, 2014 at 12:19 PM, David Langenberg
>> <>
>> wrote:
>> > Hi Dave,
>> >
>> > The plans for the post-PSP world are being written/discussed/firmed up
>> > here:
>> >
>> > https://spaces.internet2.edu/display/Grouper/Post+PSP+Provisioning
>> >
>> > I welcome any comments, criticisms, suggestions, etc.
>> >
>> > Dave
>> >
>> >
>> > On Thu, Oct 2, 2014 at 10:59 AM, David Vezzani
>> > <>
>> > wrote:
>> >>
>> >> Dave,
>> >>
>> >> Thanks for your response. I think it is important to know that there are
>> >> plans for retiring the PSP tool. In creating our group management solution,
>> >> we are hoping to use as much code that is supported and is planned to be
>> >> supported in the future.
>> >>
>> >> Your suggestions for how to better understand PSP are much appreciated.
>> >>
>> >> That being said, what would take the place of PSP as the suggested tool
>> >> for provisioning groups to target LDAPs?
>> >>
>> >> Dave
>> >>
>> >> David Vezzani
>> >> (c) 209-756-9688
>> >> (o) 209-228-4516
>> >>
>> >>
>> >>
>> >>
>> >> On Oct 2, 2014, at 9:48 AM, David Langenberg
>> >> <>
>> >> wrote:
>> >>
>> >> Probably the best way to understand what that psp-resolver.xml is
>> >> controlling is to first understand Shibboleth and how its attribute-resolver
>> >> works. The PSP is using the Shibboleth Attribute Resolver to handle looking
>> >> up the provisioned information, group source information and also perform
>> >> necessary transformations to make the two systems (grouper and target)
>> >> comparable.
>> >>
>> >> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttribute
>> >>
>> >> I really wouldn't try to generate SPML & feed it directly to the PSP's LDAP
>> >> Target class, though in theory it could work. As for the source for
>> >> OpenSPML, the OpenSPML library upon which the PSP relies is no longer
>> >> maintained. I managed to grab a copy of the source at one time and keep a
>> >> fork of it here:
>> >>
>> >> https://github.com/langedb/openspml
>> >>
>> >> This is yet another reason why the PSP is going to be retired soon.
>> >>
>> >> Dave
>> >>
>> >> On Thu, Oct 2, 2014 at 10:25 AM, David Vezzani
>> >> <>
>> >> wrote:
>> >>>
>> >>> I’m still trying to understand what the PSP does exactly. I’m running
>> >>> through the video tutorials and I’m not getting the same end result as
>> >>> Patel. I figure I would be able to resolve the issue with some slight
>> >>> modifications to the PSP configuration files. I admit that
>> >>> https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning has
>> >>> definitely helped me get a better understanding of how PSP works, but I’m
>> >>> not finding the detail I need to understand with enough depth so that I
>> >>> actually know what I’m doing when I make changes to the PSP configuration.
>> >>>
>> >>> To start, I want to make sure I understand the big picture.
>> >>>
>> >>> PSP is used to provision groups with assigned members by generating SPML2
>> >>> XML packets that somehow get converted to LDIF which is presented to the
>> >>> target LDAP. Is this a fair statement?
>> >>>
>> >>> I am currently looking for an SPML2 client I can use to test SPML2 packets
>> >>> with my target LDAP. I see that Grouper comes packaged with a JAR that
>> >>> provides org.openspml.v2.client.Spml2Client, but I haven’t found the source
>> >>> or documentation yet on how to use it. I already verified it is different
>> >>> from a SpmlClient class I found on Oracle’s site. I am hoping that being
>> >>> somewhat familiar with SPML2 will increase my knowledge base so I can better
>> >>> understand the PSP configuration files, especially the psp-resolver.xml
>> >>> file.
>> >>>
>> >>> David Vezzani
>> >>> (c) 209-756-9688
>> >>> (o) 209-228-4516
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> David Langenberg
>> >> Identity & Access Management
>> >> The University of Chicago
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > David Langenberg
>> > Identity & Access Management
>> > The University of Chicago
>
>
>
>
> --
> David Langenberg
> Identity & Access Management
> The University of Chicago


