Grouper Users - Open Discussion List

[Jeffrey Crawford <>]

Any update on this? running into the same problem

Jeffrey

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

On Fri, May 27, 2016 at 9:50 AM, Bee-Lindgren, Bert A <> wrote:

It does not sound like you've missed anything. It looks like a regression slipped into pspng 2.3.0 right before (or during) its rearrangement for release.  Other group-selection problems have been observed, and it all needs to be cleaned up.

I've created GRP-1312 to capture your observations. I expect to fix this before Monday.

https://bugs.internet2.edu/jira/browse/GRP-1312

Sincerely,

  Bert Bee-Lindgren

---

From: <> on behalf of Sean Mason <>
Sent: Friday, May 27, 2016 11:27 AM
To:
Subject: [grouper-users] PSPNG and groupSelectionExpression

 

Hi All,

 

I’m attempting to give PSPNG a spin, and am having some difficulty with the default groupSelectionExpression.

The goal is to provision a single security group to an active directory service.  I’m using Grouper 2.3.0, and the matching PSPNG.

 

If I have no groups or folders assigned the attribute “provision_to”, nothing gets provisioned to the active directory target as expected.

If I have at least one group or folder assigned the “provision_to” attribute with the target name as a value, ALL groups get provisioned to the active directory target.

If I have one group assigned the “provision_to” attribute with target name, and “do_not_provision_to” attribute with target name assigned to all other groups, ALL groups get provisioned to the active directory (including those assigned do_not_provision_to).

Have I missed a step, or mis-understood something?

 

Somewhat sanitized configuration below:

#### PSPNG Config ####

# Nexus Active Directory Groups

ldap.AD.ldapUrl = ldap://example.com:389

ldap.AD.bindDn = !!

ldap.AD.bindCredential = XXXXX

 

changeLog.consumer.pspng_nexus.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_nexus.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner

changeLog.consumer.pspng_nexus.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_nexus.ldapPoolName = AD

changeLog.consumer.pspng_nexus.memberAttributeName = member

changeLog.consumer.pspng_nexus.memberAttributeValueFormat = ${ldapUser.getDn()}

changeLog.consumer.pspng_nexus.groupSearchBaseDn = OU=Security Groups,DC=Example,DC=com

changeLog.consumer.pspng_nexus.allGroupsSearchFilter = objectclass=group

changeLog.consumer.pspng_nexus.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name}))

changeLog.consumer.pspng_nexus.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group

changeLog.consumer.pspng_nexus.userSearchBaseDn = OU=people,DC=example,DC=com

changeLog.consumer.pspng_nexus.userSearchFilter = samAccountName=${subject.id}

changeLog.consumer.pspng_nexus.isActiveDirectory = TRUE

 

changeLog.psp.fullSync.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter

changeLog.psp.fullSync.quartzCron = 0 0 * * * ?

changeLog.psp.fullSync.runAtStartup = true

 

Thanks,

Sean.