
grouper-users - Re: [grouper-users] Re: PSP Question

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: "Bee-Lindgren, Bert A" <>, Jared Hoffman <>
  • Cc: "" <>, "Kasa, Nubli" <>
  • Subject: Re: [grouper-users] Re: PSP Question
  • Date: Mon, 4 Apr 2016 23:02:52 +0000
  • Accept-language: en-US

At the end of the day, the PSP needs to translate what it gets from Grouper (SubjectID) into the DN of the individual in AD. If it can easily do this via the subject API, then everything works like magic. If, however, it doesn't, then your job is to mangle the attribute-resolver such that what pops out is the user's DN in AD. At some places I've assisted, this requirement has resulted in having to create intermediate attributes/dataconnectors whose function is to perform searches by subjectID against various databases (sometimes LDAP, sometimes something completely different) in order to yank out something like the value stored in sAMAccountName which can then be fed to the appropriate resolvers to get back the DN. It's definitely not fun and will take a while to get right, but that's the mark you're shooting for -- translating SubjectID into DN.

Hope this helps.

Dave

-- 
David Langenberg
Identity & Access Management Architect
University of Chicago

On April 4, 2016 at 3:05:52 PM, Jared Hoffman () wrote:

I'm having the same problem deploying grouper. I'm able to pull users into Grouper from AD and write groups back to AD. Members will not populate. Any members I manually add on AD are removed during the full sync as non-matching.

I'm trying to figure out how the PSP identifies the members. Does the member have to be from the same data source or just have the same subject ID?

In sources.xml I have AD connected as <id>Kenyon</id> but the PSP is looking for <id>ldap</id>. If I try to configure both the same way, PSP doesn't recognize them as the same set of users. The ldap entry uses  


Jared

On Mon, Mar 14, 2016 at 3:24 PM, Bee-Lindgren, Bert A <> wrote:

Hello,


I'm not sure what is causing the missing linkage between PSP and your database subjects. Can you sanitize and share your configuration so I can duplicate and help address the behavior?


Also, did you consider the Grouper-to-AD example? I don't know yet if it might fix the unknown problem, but it might provide insights while I work from your setup.

Cheers,
  Bert



From: <> on behalf of Kasa, Nubli <>
Sent: Monday, March 14, 2016 3:06 PM
To:
Subject: [grouper-users] PSP Question
 

Hi grouper users,

 

We are setting up PSP for grouper at the moment and having difficulties with it. We are hoping you see something we are missing.

 

Currently, we are primarily pulling in subjects from a source (a database view with subjectid, loginid and such). We add these subjects into Grouper groups and would like to sync them out to AD via PSP.

 

We are using psp-example-grouper-ldap sample files as a starting point. After we sync these out, we only get groups with no members in them in AD. What could go wrong here?

 

We had to add an "ldap" source in sources.xml or otherwise Grouper would complain (even though we don't think we need it). The only way to get member synced out to AD is by adding members from an "ldap" source into Grouper groups. Anyone from the database source will not be added even though the groups were created fine.

 

Appreciate any help anyone can provide.

 

-Nubli

 




--
Jared Hoffman  Associate Director for Enterprise Infrastructure
Kenyon College LBIS    740.427.5948
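
The subjectID-to-DN chain described at the top of this thread (subject ID, then a login such as sAMAccountName, then the AD DN), as an added Python sketch that is not part of the thread and not Grouper or PSP code. The data, the function names and the in-memory `search` stand-in for a directory are all assumptions; it shows escaping the looked-up value before it goes into the search filter and refusing to provision a member unless exactly one DN comes back.

```python
import re

# Constructed sample data; every name and value here is made up for illustration.
SUBJECT_DB = {"10001": "jdoe", "10002": "a*", "10003": "nobody"}  # subjectId -> loginid
AD_ENTRIES = [
    {"dn": "CN=J Doe,OU=People,DC=example,DC=edu", "sAMAccountName": "jdoe"},
    {"dn": "CN=J Roe,OU=People,DC=example,DC=edu", "sAMAccountName": "jroe"},
    {"dn": "CN=A Smith,OU=People,DC=example,DC=edu", "sAMAccountName": "asmith"},
]

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filter(login):
    """Intermediate step: the filter that turns a login into an AD entry."""
    return "(sAMAccountName=%s)" % escape_filter_value(login)

def search(ldap_filter, entries):
    """Hypothetical stand-in for a directory search; handles only (attr=value)."""
    attr, value = ldap_filter[1:-1].split("=", 1)
    # A raw '*' is a wildcard, '\xx' is an escaped literal, anything else is literal.
    pattern = "".join(
        ".*" if tok == "*"
        else re.escape(chr(int(tok[1:], 16)) if len(tok) == 3 else tok)
        for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", value, re.S))
    return [e["dn"] for e in entries
            if re.fullmatch(pattern, e.get(attr, ""), re.I | re.S)]

def resolve_dn(subject_id):
    """subjectId -> login -> DN. None means the member cannot be provisioned."""
    login = SUBJECT_DB.get(subject_id)
    if login is None:
        return None  # subject unknown to the source
    matches = search(build_filter(login), AD_ENTRIES)
    # Fail closed: no match or an ambiguous match must not add anyone to a group.
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    for sid in ("10001", "10002", "10003"):
        print(sid, "->", resolve_dn(sid))
```

Subject 10002 carries a dirty login value (`a*`): unescaped, it would resolve to A Smith's DN and put the wrong account in the group, while the escaped filter matches nothing and the member is skipped.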



