Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Re: Grouper PSPNG

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Re: Grouper PSPNG


Chronological Thread 
  • From: Jeffrey Crawford <>
  • To: Akki Kumar <>
  • Cc: "Bee-Lindgren, Bert" <>, mchyzerpenn <>, "" <>
  • Subject: Re: [grouper-users] Re: Grouper PSPNG
  • Date: Sat, 1 Oct 2016 19:37:07 -0700
  • Ironport-phdr: 9a23:cRfWQB35JpIpVOPysmDT+DRfVm0co7zxezQtwd8ZsegWLfad9pjvdHbS+e9qxAeQG96Eu7QZ0KGP7ujJYi8p39WoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6lX71zMZGw3+OAxpPay1X9eK14Xkn9y1rrTQYAQApye4aKk6eByzpBfQsMYPnIZ5Nqc2zACR+iRgdOFfxGcuLlWWyUXS/MC1qbxu/SpKtuNp3NRJTqv9ZahwGb5VAjo8PnE+zNDgrhKFQAeSsChPGl4KmwZFVlCWpCrxWY38526j7rJw

Would this be an option? I'm wondering if in a situation like AD where you delete a group it may break all permissions that may be assigned to that group. I don't think Windows uses group names in the background rather it uses some sort of SID which would not be re-used.

I may be wrong but we may want pspng to have this "feature" be an option just in case some implementations don't use names as the main identifier. In short some people may want to be able to have empty groups.

just my $0.02 :)

Jeffrey E. Crawford
Enterprise Service Team

Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------

On Fri, Sep 30, 2016 at 9:58 AM, Akki Kumar <> wrote:
Hi Bert,

Thank you for creating Jira ticket. 

Yes, grouper should delete group when the last member or all members of the group are deleted.


Thank you,
Akki

On Mon, Sep 26, 2016 at 6:51 AM, Bee-Lindgren, Bert <> wrote:

Akki,


PSPNG does not currently support combining group creation with the addition of the group's initial member. I've created a Jira for adding this.

https://bugs.internet2.edu/jira/browse/GRP-1376


Are there any concerns about removing the last member?... does the group need to be deleted?


Sincerely,

  Bert




From: Akki Kumar <>
Sent: Wednesday, September 21, 2016 11:29 AM
To: mchyzerpenn; Bee-Lindgren, Bert
Cc:
Subject: Re: Grouper PSPNG
 
Hello,

Does PSPNG support member addition while creating a group in LDAP? Our LDAP system requires adding members during group creation and I couldn't find a way do it through PSPNG

changeLog.consumer.pspng_testOne.groupCreationLdifTemplate = dn: cn=${grouperUtil.extensionFromName(name)}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: groupOfNames||member: <CONFIGURATION_TO_ADD_MEMBER>


Thank you,
Akki



On Tue, Sep 20, 2016 at 10:57 AM, Akki Kumar <> wrote:

Hello,


I am trying to integrate PSPNG with our LDAP system and its erroring out. I followed configuration “Group of Unique Names”: https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG

 


When I run loader with “Group of Unique Names” configuration, it shows below error:


Problem while creating new object: [dn=cn=testGroup,ou=test,ou=testgrouper,dc=umd,dc=edu[[cn[testGroup]], [objectclass[groupOfNames]]]]

[org.ldaptive.LdapException@979158603::resultCode=OBJECT_CLASS_VIOLATION, matchedDn=null, responseControls=null, referralURLs=[], messageId=-1, message=LDAPException(resultCode=65 (object class violation), errorMessage='object class violation'), providerException=LDAPException(resultCode=65 (object class violation), errorMessage='object class violation')]

        at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)

        at org.ldaptive.provider.unboundid.UnboundIDConnection.processLDAPException(UnboundIDConnection.java:543)

        at org.ldaptive.provider.unboundid.UnboundIDConnection.add(UnboundIDConnection.java:317)

        at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:253)

        at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:226)

        at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:54)

        at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:678)

        at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:453)

        at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:314)

        at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:175)

        at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:133)

        at java.lang.Thread.run(Thread.java:745)

Caused by: LDAPException(resultCode=65 (object class violation), errorMessage='object class violation')

        at com.unboundid.ldap.sdk.LDAPConnection.add(LDAPConnection.java:1969)

        at org.ldaptive.provider.unboundid.UnboundIDConnection.add(UnboundIDConnection.java:311)

        ... 9 more



 

Questions:

·      *  What configuration are needed to add members during group creation by Grouper?

changeLog.consumer.pspng_testOne.groupCreationLdifTemplate = dn: cn=${grouperUtil.extensionFromName(name)}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: groupOfNames||member: <CONFIGURATION_TO_ADD_MEMBER>

·         *  Also when I set attribute supportsEmptyGroups = false, it still throws above error. Does PSPSNG supportsEmptyGroups attribute works when set to false?


Thank you,

Akki







Archive powered by MHonArc 2.6.19.

Top of Page