Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] PSP incremental provisioning

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] PSP incremental provisioning


Chronological Thread 
  • From: Dave Churchley <>
  • To: Chris Hyzer <>, "" <>
  • Subject: RE: [grouper-users] PSP incremental provisioning
  • Date: Wed, 16 Dec 2015 11:28:47 +0000
  • Accept-language: en-GB, en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:23

One more thing, when the real time psp doesn't work (as described below)
we've found that running -psp -sync on the group does update the membership
in AD. This leads us to think that this issue is definitely on the
incremental provisioning side.

We've tried changing this property from false to true
changeLog.includeNonFlattenedMemberships = true

This now puts an entry into the change log but the changes are still not
reflected in AD. The change log entry refers to the immediate membership but
not the inherited memberships.

Thanks
Dave

>-----Original Message-----
>From: Dave Churchley
>Sent: 16 December 2015 10:26
>To: Chris Hyzer
><>;
>
>
>Subject: Re: [grouper-users] PSP incremental provisioning
>
>Yeah, that's how it was set up, and there was no backlog, but sometimes
>things were going out of the temp table but not making into the change log
>table.
>
>We've investigated this more this morning and it seems like it's working if
>we
>add/remove a member from a provisioned group and if we add/remove a
>group from a provisioned group.
>
>It's not working when we add/remove a member from a group which is a
>member of a provisioned group. For example, we might have a group
>representing staff in a certain department which isn't provisioned to the AD.
>That group then might be a member of another group which is provisioned to
>the AD. If someone leaves the first group, they are automatically removed
>from the second group in Grouper but they are not being taken out of the AD
>group. In those circumstances, we see an entry in the temp table which then
>disappears but nothing goes into the change log table.
>
>Thanks
>Dave
>
>________________________________________
>From: Chris Hyzer
><>
>Sent: 15 December 2015 22:38
>To: Dave Churchley;
>
>Subject: RE: [grouper-users] PSP incremental provisioning
>
>You have to make sure the grouper loader is running, and there isn't a
>backlog
>of things in the temp table. The cron in the grouper loader properties move
>things from temp to change log, and kicks off loader jobs. Not sure exactly
>how the PSP takes it from there, but that is the first step :)
>
>Thanks,
>Chris
>
>-----Original Message-----
>From: Dave Churchley
>[mailto:]
>Sent: Tuesday, December 15, 2015 4:59 PM
>To: Chris Hyzer;
>
>Subject: Re: [grouper-users] PSP incremental provisioning
>
>Hi Chris
>
>When it works, I see an entry in the change log temp table move to the
>change log table and get provisioned to AD.
>
>When it doesn't work, I've seen entries in change log temp which haven't
>made it to the change log table (but have still gone from the temp table).
>I've
>also seen changes not appear in either table, although I can't be completely
>certain that this wasn't just that I was too slow looking in the temp table
>and
>they'd already moved out.
>
>On the occasions when the changes haven't made it into the change log table,
>I've not seen anything in the logs.
>
>Thanks
>Dave
>
>________________________________________
>From: Chris Hyzer
><>
>Sent: 15 December 2015 21:01
>To: Dave Churchley;
>
>Subject: RE: [grouper-users] PSP incremental provisioning
>
>When you make changes, do you see the entries in the change log temp table
>move to the change log table? Are there debug logs in the PSP process that
>show anything?
>
>Thanks,
>Chris
>
>-----Original Message-----
>From:
>
> [
>]
> On Behalf Of Dave Churchley
>Sent: Tuesday, December 15, 2015 2:56 PM
>To:
>
>Subject: [grouper-users] PSP incremental provisioning
>
>Hello
>
>We've had a bad couple of days with PSP provisioning to AD. Following on
>from the bulkSync issues I posted about yesterday, we're now seeing some
>unexpected behaviour with the incremental provisioning. It works sometimes
>but other times changes made through the Grouper UI don't make it into the
>change log and so are not reflected in the AD.
>
>Is there an obvious reason for this? Am I missing something?
>
>Thanks
>Dave Churchley
>Newcastle University



Archive powered by MHonArc 2.6.16.

Top of Page