Skip to Content.
Sympa Menu

grouper-users - [grouper-users] RE: Troubles with Grouper PSP

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: Troubles with Grouper PSP

Chronological Thread 
  • From: Sean Mason <>
  • To: "" <>
  • Subject: [grouper-users] RE: Troubles with Grouper PSP
  • Date: Thu, 9 Jun 2016 16:49:40 +0000
  • Accept-language: en-CA, en-US

Hi There,


To add a little more to this, what I have noticed in the logs is that, when running on an “even” event, where the active directory group is to be deleted, I see:

[DefaultQuartzScheduler_Worker-9] WARN  Psp.getAllSourceIdentifiers(1610) -  - PSP 'psp' - Unable to resolve attribute 'stemNames'


In the logs.  On “odd” numbered events, when the group is created, I do not see this entry…


From: [mailto:] On Behalf Of Sean Mason
Sent: Thursday, June 09, 2016 10:18 AM
Subject: [grouper-users] Troubles with Grouper PSP


Hi There,


This is the second part to issues I’ve been having with Grouper 2.3.0.  This part is related to provisioning the single group to an active directory security group.  I started with an attempt at using “PSPNG”, and fell back to using the “PSP”.   I managed to get “PSP” working, but with a configuration that was confusing enough to me that I am not yet ready to trust the solution until I have a better understanding.  I’m hoping someone can shed some light.


I’m running Grouper 2.3.0, on RHEL 7, Oracle JDK 1.8.0_91.  The repository is Postgres 9.2.14.

I’m using Oracle JDK 1.7.0_79 for the PSP, so I didn’t have to work around the delivered scripts in the psp-resolver.xml


The target is a single group in Active Directory, over which Grouper will have full control.

I started with psp-example-grouper-to-active-directory as a base at first, editing only, selecting ‘flat’ structure, which resulted in issues I was unable to resolve:

1)      Add worked fine, but any modification resulted in the PSP wanting to delete the attributes “CN”, and “sAMAccountName”, which resulted in an active directory “unwilling to perform” error

2)      sAMAccountName was provisioned as the object GUID, rather than the object name


I moved to psp-example-grouper-to-openldap-multiple as a base, editing psp.xml, and psp-services.xml, and psp-resolver.xml to include a single source.  I will attach sanitized samples along with this note.  With this base, I had more success, except, every other bulkSync resulted in the removal of the desired group entirely.  The next “bulkSync” would add the group back, then remove, and so on.


However, if I changed the  ‘authoritative’ attribute to ‘false’ in the group PSO object, that behavior was resolved.  Resolution is a good thing, but I really do not understand why assigning grouper ‘authority’ over groups results in their removal for every other run.  I want it to have authority to remove rogue groups in the OU it has control over.  Can someone shed some light?









Archive powered by MHonArc 2.6.16.

Top of Page