
grouper-users - [grouper-users] RE: Troubles with Grouper PSP

Subject: Grouper Users - Open Discussion List

  • From: Sean Mason <>
  • To: "" <>
  • Subject: [grouper-users] RE: Troubles with Grouper PSP
  • Date: Thu, 9 Jun 2016 16:49:40 +0000
  • Accept-language: en-CA, en-US

Hi There,

To add a little more to this, what I have noticed in the logs is that, when running on an “even” event, where the Active Directory group is to be deleted, I see:

[DefaultQuartzScheduler_Worker-9] WARN  Psp.getAllSourceIdentifiers(1610) -  - PSP 'psp' - Unable to resolve attribute 'stemNames'

In the logs. On “odd” numbered events, when the group is created, I do not see this entry…

From: [mailto:] On Behalf Of Sean Mason
Sent: Thursday, June 09, 2016 10:18 AM
To:
Subject: [grouper-users] Troubles with Grouper PSP

Hi There,

This is the second part to issues I’ve been having with Grouper 2.3.0. This part is related to provisioning the single group to an Active Directory security group. I started with an attempt at using “PSPNG”, and fell back to using the “PSP”. I managed to get “PSP” working, but with a configuration that was confusing enough to me that I am not yet ready to trust the solution until I have a better understanding. I’m hoping someone can shed some light.

I’m running Grouper 2.3.0, on RHEL 7, Oracle JDK 1.8.0_91.  The repository is Postgres 9.2.14.

I’m using Oracle JDK 1.7.0_79 for the PSP, so I didn’t have to work around the delivered scripts in the psp-resolver.xml.

The target is a single group in Active Directory, over which Grouper will have full control.

I started with psp-example-grouper-to-active-directory as a base at first, editing only ldap.properties, selecting ‘flat’ structure, which resulted in issues I was unable to resolve:

1) Add worked fine, but any modification resulted in the PSP wanting to delete the attributes “CN”, and “sAMAccountName”, which resulted in an Active Directory “unwilling to perform” error

2) sAMAccountName was provisioned as the object GUID, rather than the object name

I moved to psp-example-grouper-to-openldap-multiple as a base, editing psp.xml, and psp-services.xml, and psp-resolver.xml to include a single source. I will attach sanitized samples along with this note. With this base, I had more success, except, every other bulkSync resulted in the removal of the desired group entirely. The next “bulkSync” would add the group back, then remove, and so on.

However, if I changed the ‘authoritative’ attribute to ‘false’ in the group PSO object, that behavior was resolved. Resolution is a good thing, but I really do not understand why assigning Grouper ‘authority’ over groups results in their removal for every other run. I want it to have authority to remove rogue groups in the OU it has control over. Can someone shed some light?

Thanks,

Sean.