Grouper Users - Open Discussion List

[Shaun Koh <>]

Hi Bert,

Thanks for the ticket, much appreciated.

In the meantime, I'll write a script/rule that triggers the PSPNG in intervals to keep the connection alive. -- or increase the value of MaxConnIdleTime in AD

Regards,

Shaun K.

---

From: Bee-Lindgren, Bert <>
Sent: Friday, August 12, 2016 4:00 PM
To: Shaun Koh; Hyzer, Chris;
Subject: Re: Assistance required with PSPNG installation and patching -- Grouper 2.3.0

 

I think (2) is caused by the connection pool not correctly validating the connections. I'm working on fixing the pooling config and defaults to be more resilient. GRP-1362 captures this problem. 

---

From: <> on behalf of Shaun Koh <>
Sent: Thursday, August 11, 2016 10:14 PM
To: Hyzer, Chris;
Subject: [grouper-users] RE: Assistance required with PSPNG installation and patching -- Grouper 2.3.0

 

Hi Chris,

 

Just updating this thread.

 

I’ve resolved 1) and 3) – the issue was due to an incorrect value of the change log consumer name in the provision_to attribute.

 

Still running into LDAP connection failures due to idling as per 2)

 

Regards,

Shaun K.

 

From: Shaun Koh
Sent: Thursday, 11 August 2016 1:04 p.m.
To: 'Hyzer, Chris'; ''
Subject: RE: Assistance required with PSPNG installation and patching -- Grouper 2.3.0

 

Hi Chris,

 

I’ve managed to install and patch the PSPNG and it seems to be provisioning groups to our AD instance.

 

However, I’ve run into some of the following issues and haven’t had any luck resolving them:

 

1)      Group memberships don’t seem to be provisioned – i.e. empty groups or groups without the ‘member’ attribute being set

a.       I’ve tried variations of the userSearchAttributes and memberAttributeValueFormat changelog consumer config in grouper-loader.properties to no avail

2)      LDAP connections fail after the changelog consumer (or ldap pool?) has been idle for more than the amount of time set in AD’s LDAP policy – i.e. MaxConnIdleTime defaults to 900s / 15 mins

a.       I’ve tried variations of the timeout, validate*, pruneTimerPeriod, expirationTime ldap config in grouper-loader.properties to no avail

3)      Similar to 1), the ‘memberOf’ attribute for user objects are not being set to their respective group memberships in Grouper

 

Here is my current grouper-loader.properties if required:

 

# Active Directory Connection

ldap.active_directory.ldapUrl = *

ldap.active_directory.bindDn = *

ldap.active_directory.bindCredential = *

 

# Active Directory Changelog Consumer -- Group Provisioner

changeLog.consumer.pspng_activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner

changeLog.consumer.pspng_activedirectory.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_activedirectory.ldapPoolName = active_directory

changeLog.consumer.pspng_activedirectory.memberAttributeName = member

changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat = ${ldapUser.getLdapObject().getSingleValueAttribute("distinguishedName").getStringValue()} # ${ldapUser.dn} ${ldapUser.getDn()} ${ldapUser.getLdapObject().getDn()}

changeLog.consumer.pspng_activedirectory.groupAttributeName = memberOf

changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = *

changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = objectclass=group

changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter = (&(objectclass=group)(cn=${grouperUtil.extensionFromName(name)}))

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: cn=${grouperUtil.extensionFromName(name)}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: group

# dn: ${utils.bushyDn(group.name,"cn","ou")}||cn: ${group.name}||objectclass: group

changeLog.consumer.pspng_activedirectory.userSearchBaseDn = *

changeLog.consumer.pspng_activedirectory.userSearchFilter = cn=${subject.getAttributeValue("loginid")} # we don’t provision our uid to AD, instead we have a public id

changeLog.consumer.pspng_activedirectory.userSearchAttributes = cn,distinguishedName,uid,uidNumber,mail,samAccountName,objectclass

changeLog.consumer.pspng_activedirectory.isActiveDirectory = true

#changeLog.consumer.pspng_activedirectory.grouperIsAuthoritative = true – once pspng configured

 

# Active Directory Changelog Consumer -- User Attribute Provisioner

changeLog.consumer.pspng_attributes.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_attributes.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner

changeLog.consumer.pspng_attributes.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_attributes.retryOnError = true

changeLog.consumer.pspng_attributes.ldapPoolName = active_directory

changeLog.consumer.pspng_attributes.provisionedAttributeName = memberOf

changeLog.consumer.pspng_attributes.provisionedAttributeValueFormat = ${grouperUtil.extensionFromName(name)}

changeLog.consumer.pspng_attributes.userSearchBaseDn = *

changeLog.consumer.pspng_attributes.userSearchFilter = cn=${subject.getAttributeValue("loginid")}

changeLog.consumer.pspng_attributes.userSearchAttributes = cn,distinguishedName,uid,uidNumber,mail,samAccountName,objectclass

changeLog.consumer.pspng_attributes.isActiveDirectory = true

#changeLog.consumer.pspng_attributes.allProvisionedAttributePrefix=g:

 

# Full Sync

changeLog.psp.fullSync.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter

changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?

changeLog.psp.fullSync.runAtStartup = true

 

Please let me know if you would like any clarification.

 

Thank You,

Shaun K.

 

From: Shaun Koh
Sent: Thursday, 4 August 2016 2:56 p.m.
To: 'Hyzer, Chris';
Subject: RE: Assistance required with PSPNG installation and patching -- Grouper 2.3.0

 

Hi Chris,

 

Thanks, I had an earlier version of the Grouper Installer 2.3.0 that did not support installation of the PSPNG.

 

I’ll give the latest copy a run and come back to you with any queries.

 

Thank You,

Shaun K.

 

From: Hyzer, Chris []
Sent: Thursday, 4 August 2016 6:07 a.m.
To: Shaun Koh;
Subject: RE: Assistance required with PSPNG installation and patching -- Grouper 2.3.0

 

 

> I would like to try out the PSPNG with a fresh install of Grouper 2.3.0

> and was wondering if there was some resources I could refer to regarding

> installation/patching/manual runs ? – Grouper Installer v2.3.0 seems to

> only support PSP

 

It supports both, the installer can install the PSPNG if you don’t know how

 

>

> I’ve had a look at the PSPNG Confluence page however it only mentions

> configuring the changelog consumer in grouper-loader.properties which

> I hope to have done correctly (inc. copying the jars to

> /grouper.apiBinary-2.3.0/lib/custom)

 

Yes, that is what the installer would do

 

>

> However, I’m unsure as to how I can manually run for instance a Fullsync

> for testing ? – logs doesn’t seem to be printing anything with the quartz

> cron configured

 

I don’t know what the job name is for the PSP for your config.  If you find it in the grouper_loader_log you can manually call that from gsh

e.g. for this job

 

loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog");

 

 

>

> Also, I’ve noticed that there’s a patch `grouper_v2_3_0_pspng_patch_0`

> that implements auto creation of the `provision_to` and `do_not_provision_to`

> attributes which I would like to install however not quite sure how to do so

> manually – e.g. would overwriting the relevant *.java files in

> /grouper.pspng-2.3.0/src/main/java/edu/internet2/middleware/grouper/pspng

> and rebuilding the grouper-pspng-2.3.0.jar work ?

> 

 

I would not install this manually, do this from the grouper installer, pick patch, pspng, input the location of the pspng (the api with the libraries), and you are good

 

Thanks

Chris