grouper-users - [grouper-users] Re: PSPNG and groupSelectionExpression
Subject: Grouper Users - Open Discussion List
- From: "Bee-Lindgren, Bert A" <>
- To: Sean Mason <>, "" <>
- Subject: [grouper-users] Re: PSPNG and groupSelectionExpression
- Date: Fri, 27 May 2016 16:50:58 +0000
It does not sound like you've missed anything. It looks like a regression slipped into pspng 2.3.0 right before (or during) its rearrangement for release. Other group-selection problems have been observed, and it all needs to be cleaned up.
I've created GRP-1312 to capture your observations. I expect to fix this before Monday.
https://bugs.internet2.edu/jira/browse/GRP-1312

Bert Bee-Lindgren

From: <> on behalf of Sean Mason <>
Sent: Friday, May 27, 2016 11:27 AM
To:
Subject: [grouper-users] PSPNG and groupSelectionExpression

Hi All,
I’m attempting to give PSPNG a spin, and am having some difficulty with the default groupSelectionExpression. The goal is to provision a single security group to an active directory service. I’m using Grouper 2.3.0, and the matching PSPNG.
If I have no groups or folders assigned the attribute “provision_to”, nothing gets provisioned to the active directory target as expected. If I have at least one group or folder assigned the “provision_to” attribute with the target name as a value, ALL groups get provisioned to the active directory target. If I have one group assigned the “provision_to” attribute with target name, and “do_not_provision_to” attribute with target name assigned to all other groups, ALL groups get provisioned to the active directory (including those assigned do_not_provision_to). Have I missed a step, or misunderstood something?
Somewhat sanitized configuration below:

#### PSPNG Config ####
# Nexus Active Directory Groups
ldap.AD.ldapUrl = ldap://example.com:389
ldap.AD.bindDn = !!
ldap.AD.bindCredential = XXXXX

changeLog.consumer.pspng_nexus.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_nexus.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_nexus.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_nexus.ldapPoolName = AD
changeLog.consumer.pspng_nexus.memberAttributeName = member
changeLog.consumer.pspng_nexus.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_nexus.groupSearchBaseDn = OU=Security Groups,DC=Example,DC=com
changeLog.consumer.pspng_nexus.allGroupsSearchFilter = objectclass=group
changeLog.consumer.pspng_nexus.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name}))
changeLog.consumer.pspng_nexus.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group
changeLog.consumer.pspng_nexus.userSearchBaseDn = OU=people,DC=example,DC=com
changeLog.consumer.pspng_nexus.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.pspng_nexus.isActiveDirectory = TRUE

changeLog.psp.fullSync.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
changeLog.psp.fullSync.quartzCron = 0 0 * * * ?
changeLog.psp.fullSync.runAtStartup = true

Thanks,
Sean.