Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Re: PSPNG and groupSelectionExpression

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Re: PSPNG and groupSelectionExpression

Chronological Thread 
  • From: Jeffrey Crawford <>
  • To: "" <>
  • Subject: Re: [grouper-users] Re: PSPNG and groupSelectionExpression
  • Date: Fri, 3 Jun 2016 14:02:05 -0700

Any update on this? running into the same problem


Both pilots and IT professionals require training and currency before charging into clouds!

On Fri, May 27, 2016 at 9:50 AM, Bee-Lindgren, Bert A <> wrote:

It does not sound like you've missed anything. It looks like a regression slipped into pspng 2.3.0 right before (or during) its rearrangement for release.  Other group-selection problems have been observed, and it all needs to be cleaned up.

I've created GRP-1312 to capture your observations. I expect to fix this before Monday.

  Bert Bee-Lindgren

From: <> on behalf of Sean Mason <>
Sent: Friday, May 27, 2016 11:27 AM
Subject: [grouper-users] PSPNG and groupSelectionExpression

Hi All,


I’m attempting to give PSPNG a spin, and am having some difficulty with the default groupSelectionExpression.

The goal is to provision a single security group to an active directory service.  I’m using Grouper 2.3.0, and the matching PSPNG.


If I have no groups or folders assigned the attribute “provision_to”, nothing gets provisioned to the active directory target as expected.

If I have at least one group or folder assigned the “provision_to” attribute with the target name as a value, ALL groups get provisioned to the active directory target.

If I have one group assigned the “provision_to” attribute with target name, and “do_not_provision_to” attribute with target name assigned to all other groups, ALL groups get provisioned to the active directory (including those assigned do_not_provision_to).

Have I missed a step, or mis-understood something?


Somewhat sanitized configuration below:

#### PSPNG Config ####

# Nexus Active Directory Groups

ldap.AD.ldapUrl = ldap://

ldap.AD.bindDn = !!

ldap.AD.bindCredential = XXXXX


changeLog.consumer.pspng_nexus.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_nexus.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner

changeLog.consumer.pspng_nexus.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_nexus.ldapPoolName = AD

changeLog.consumer.pspng_nexus.memberAttributeName = member

changeLog.consumer.pspng_nexus.memberAttributeValueFormat = ${ldapUser.getDn()}

changeLog.consumer.pspng_nexus.groupSearchBaseDn = OU=Security Groups,DC=Example,DC=com

changeLog.consumer.pspng_nexus.allGroupsSearchFilter = objectclass=group

changeLog.consumer.pspng_nexus.singleGroupSearchFilter = (&(objectclass=group)(cn=${}))

changeLog.consumer.pspng_nexus.groupCreationLdifTemplate = dn: cn=${}||cn: ${}||objectclass: group

changeLog.consumer.pspng_nexus.userSearchBaseDn = OU=people,DC=example,DC=com

changeLog.consumer.pspng_nexus.userSearchFilter = samAccountName=${}

changeLog.consumer.pspng_nexus.isActiveDirectory = TRUE


changeLog.psp.fullSync.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter

changeLog.psp.fullSync.quartzCron = 0 0 * * * ?

changeLog.psp.fullSync.runAtStartup = true




  • Re: [grouper-users] Re: PSPNG and groupSelectionExpression, Jeffrey Crawford, 06/03/2016

Archive powered by MHonArc 2.6.16.

Top of Page