Grouper Users - Open Discussion List

[Wallaert-Taquet Brigitte <>]

Hello,

Thanks for your responses on this problem...

I have carefully reviewed it and do some more tests...

I don't know if I am in the same problem that Jeffrey (perhaps with more informations on config, I could compare ?) but I understand that :

if I modify my config like that :

        1- for the AttributeDefinition referenced by allSourceIdentifiersRef : I change the data connector : "AllGroupNamesConnector" instead of "GroupDataConnector" then I have all the groups concerned :
"2015-10-23 12:06:30,098: [main] DEBUG AllGroupNamesDataConnector.getAllGroupNames(111) -  - All group names data connector 'AllGroupNamesConnector' - Get all group names found 218."
with GroupDataConnector :
2015-10-23 10:06:31,065: [main] DEBUG GroupDataConnector$1.callback(97) -  - Group data connector 'GroupPSPConnector' - Resolve principal 'edu.internet2.middleware.psp.spml.request.BulkProvisioningRequest' unable to find group.
      But I have always this :
2015-10-23 10:06:31,068: [main] WARN  Psp.getAllSourceIdentifiers(1596) -  - PSP 'psp' - Unable to resolve attribute 'groupCnLdap'

Note : the sync with one group is always ok, I think thanks to the identifier (in psp.xml)/AttributeDefinition (in psp-resolver) groupDn that define a sourceAttributeID="cn-ldap"

        2- I try to declare in the AttributeDefinition my specific attribute to publish as cn ldap of my groups, like for the sync :
        <resolver:AttributeDefinition  id="groupCnLdap"
                sourceAttributeID="cn-ldap"     <------------------------
                xsi:type="ad:Simple">
             <resolver:Dependency ref="AllGroupNamesConnector" />                
         </resolver:AttributeDefinition>

but it seems that psp ignore this sourceAttributeID because I have the same behavior : Unable to resolve attribute 'groupCnLdap'

When I install ldappcng in grouper 1.6.3, I have also use an attribute specific and sync+bulkSync were ok. PSP is less configurable ?

I have to make a script with a loop on sync ?

Thanks for all more response !
Brigitte

Le 26/11/2014 02:46, David Langenberg says :
I'm sure not only would people like it in the list archive, but it'd also be handy if you would also add a configuration example sub-page linked from the PSP documentation.

https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning#GrouperProvisioning-ConfigurationExample%3AGroupertoLDAP

Dave

Le 20/10/2015 21:17, Jeffrey Crawford a écrit :

I had a similar problem that was caused by me doing fancy things, not sure if its the same problem you have but look here
https://lists.internet2.edu/sympa/arc/grouper-users/2014-11/msg00093.html

Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

On Mon, Oct 19, 2015 at 8:07 AM, Wallaert-Taquet Brigitte <> wrote:

Hello,

I test psp with a ldap test server and I probably forgot something...

The psp -sync with a specific group is ok but not the bulkSync.

For example, this is ok :
./gsh.sh -psp -sync mes-groupes:appli:nuxeo-admin -entityName group

I obtain that :
<psp:syncResponse xmlns:psp='http://grouper.internet2.edu/psp' status='success' requestID='2015/10/19-16:45:02.104'>
  <addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='success' requestID='2015/10/19-16:45:03.321'>
    <pso entityName='group'>
      <psoID ID='cn=appli:nuxeo-admin,ou=groups,dc=univ-lille1,dc=fr' targetID='ldap'/>
      <data>
        <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='objectClass'>
          <dsml:value>groupOfNames</dsml:value>
          <dsml:value>ustlPrivGroupe</dsml:value>
        </dsml:attr>
      </data>
      <capabilityData mustUnderstand='true' capabilityURI='urn:oasis:names:tc:SPML:2:0:reference'>
        <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0' xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
          <spmlref:toPsoID ID='uid=user1,ou=people,dc=univ-lille1,dc=fr' targetID='ldap'/>
        </spmlref:reference>
        <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0' xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference' typeOfReference='member'>
          <spmlref:toPsoID ID='uid=user2,ou=people,dc=univ-lille1,dc=fr' targetID='ldap'/>
        </spmlref:reference>
      </capabilityData>
    </pso>
  </addResponse>
  <psp:id ID='mes-groupes:appli:nuxeo-admin'/>
</psp:syncResponse>


But when I try that :
./gsh.sh -psp -bulkSync -entityName group

 I obtain this error :
2015-10-19 16:39:24,073: [main] DEBUG Psp.getAllSourceIdentifiers(1582) -  - PSP 'psp' - Calc BulkCalcRequest[id2015-10-19 16:39:24,073: [main] DEBUG Psp.getAllSourceIdentifiers(1582) -  - PSP 'psp' - Calc BulkCalcRequest[id=edu.internet2.middleware.psp.spml.request.BulkProvisioningRequest,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=<null>,entityName=group,isContainer=false], Resolved attributes '[groupCnLdap]'.=edu.internet2.middleware.psp.spml.request.BulkProvisioningRequest,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=<null>,entityName=group,isContainer=false], Resolved attributes '[groupCnLdap]'.

When I pass authoritative to true, the bulkSync delete all the groups with objectClass=groupOfNames in the ldap but don't publish Grouper's groups in the ldap...

Here is my configuration :

a part of my psp.xml :
<pso
    id="group"
    authoritative="true"
    allSourceIdentifiersRef="groupCnLdap">

    <!-- The ldap group DN. -->
    <identifier
      ref="groupDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

    <!-- Identifies ldap group objects which exist on the target by objectClass attribute value. -->
    <identifyingAttribute
      name="objectClass"
      value="${edu.internet2.middleware.psp.groupObjectClass}" />

    <attribute name="objectClass" />

 <!-- The ldap group "member" attribute. -->
    <references name="member">

      <reference
        ref="membersLdap"
        toObject="member" />
      <reference
        ref="membersGsa"
        toObject="group" />
    </references>
  </pso>

a part of my psp-resolver.xml :
  <resolver:DataConnector   id="GroupPSPConnector"
    xsi:type="grouper:GroupDataConnector">
   <grouper:Filter xsi:type="grouper:GroupExactAttribute" name="psp-publication" value="true" />
    <grouper:Attribute id="members" />
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>

  <resolver:AttributeDefinition
    id="groupCnLdap"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="GroupPSPConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition
    id="groupDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="cn-ldap"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    rdnAttributeName="cn" >
    <resolver:Dependency ref="GroupPSPConnector" />
    <resolver:Dependency ref="UpdateGroupNameChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupDescriptionChangeLogDataConnector" />
  </resolver:AttributeDefinition>

a part of my ldap.properties :
edu.internet2.middleware.psp.groupsBaseDn=ou=groups,dc=univ-lille1,dc=fr
edu.internet2.middleware.psp.groupObjectClass=groupOfNames
edu.internet2.middleware.psp.structure=flat

I have several groups with a psp-publication=true (see screen.jpg).

Any idea for help ?

Thanks a lot !

--


Brigitte WALLAERT TAQUET
Cheffe de projet GED Nuxeo
Experte Grouper d'Internet2

Université de Lille - Sciences et Technologies
| www.univ-lille1.fr
Service: CRI Bât. M4 - Bureau 34 59655 Villeneuve d'Ascq
Tél. +33 (0)3 20 33 71 65

--


Brigitte WALLAERT TAQUET
Cheffe de projet GED Nuxeo
Experte Grouper d'Internet2

Université de Lille - Sciences et Technologies
| www.univ-lille1.fr
Service: CRI Bât. M4 - Bureau 34 59655 Villeneuve d'Ascq
Tél. +33 (0)3 20 33 71 65