Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] PSPNG: Handling groups that require a member

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] PSPNG: Handling groups that require a member


Chronological Thread 
  • From: Jim Fox <>
  • To: "Bee-Lindgren, Bert" <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] PSPNG: Handling groups that require a member
  • Date: Wed, 11 Jan 2017 09:00:15 -0800 (PST)
  • Ironport-phdr: 9a23:yBmPNhL7V7BjudNvJ9mcpTZWNBhigK39O0sv0rFitYgRI/TxwZ3uMQTl6Ol3ixeRBMOAuq4C0bqd4v2ocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbQhFgDWwbalsIBi1ogncsskbipZ+J6gszRfEvmFGcPlMy2NyIlKTkRf85sOu85Nm7i9dpfEv+dNeXKvjZ6g3QqBWAzogM2Au+c3krgLDQheV5nsdSWoZjBxFCBXY4R7gX5fxtiz6tvdh2CSfIMb7Q6w4VSik4qx2UxLjljsJOCAl/2HWksxwjbxUoBS9pxxk3oXYZJiZOOdicq/BeN8XQ3dKUMRMWCxbGo6yYYsBAfQcM+larIf9qVUBohSiCgS3AePj1iVFi2Xq0aAgzugsFxzN0gw6H9IJtXTZtNH7NKYXUeuozKfIyjrCZO5R1Dfz74jJfQssoP+WUrJrccrRyE8vFwzZjlWXr4zpJS2a2fkQs2WC6edrSOGhi3Y/pg1srTWj2t0ghpTGi44L0FzI6yt0zYkvKdGlSkN2YMaoHIZOuyyZLYd6XN8uTmJytCom0LELuJi2dzUQxps93R7QcfmHfpCI4h39UOaRJi91hHdqebK4mhay7Vasx+zmWsmvylpKsyREnsPSuX8Qyhzf8smHSv1j8Ue9wTuDyg/e5v1eLUwpmqfXNYQtzqA+m5ccq0jPAy37lUTugK+TbEok++yo6+r9YrXho5+RL4F0igbxM6k1lM2wG/84MggPX2id9uS8yLrj/UvjTLpUk/I2j7HVsIrGKsQDuq65HwhV354s6xalCDemzcwYkmcdLF5cZRKHlJbmO0vVIP3jCfe/gk+skCtwx/zYJLHhA5PNLmTdn7f7e7Zy9VJcxBQpwd9B+p1UF+JJHPWmEGX8uZn8Dxk1PBa5xaKvIthnyslWDWiCGLPfOq7f9FuJ4O4gOeSKTIgUpHDyIuQo7P6ogHMkzwwzZ66siLkWbTiWGeQud0uecVLzi8wBEGEFog04CuHmlQvRAnZoe3+uUvdktXkAA4W8ANKGH9j1jQ==



We use the 'faux member' approach, but only when necessary:

1) creating a group with no members,
2) removing the last member. In this case we add the faux member and delete the real one. That way the group does not need to be deleted.

Jim


On Wed, 11 Jan 2017, Bee-Lindgren, Bert wrote:

Date: Wed, 11 Jan 2017 08:54:51
From: "Bee-Lindgren, Bert"
<>
To:
""

<>
Subject: [grouper-users] PSPNG: Handling groups that require a member


Hello,


I'm trying to start a discussion and get to a decision about how PSPNG should
handle LDAP groups where the schema requires a value for the
membership attribute. This will eventually lead to a solution for GRP-1376.


TL;DR: We would like to extend PSPNG's existing group-provisioning process to
support group schemas that require members. However, we believe
that this will require a pspng-configuration option that will enable 
persistent maintenance of a faux group member.


I don't know if any background is needed, but let's summarize by saying there
are three flavors of group schemas in how they require or don't
require memberships:

1) Standard LDAP Group objectclasses (rfc 2256) that require at least one
member

2) Directory servers that have redefined the "standard" LDAP Group
objectclasses in their default schemas. They don't require members

3) Directory servers (Active Directory) that have their own schemas that
don't require members.


This thread is about how Grouper should support provisioning to (1).


In general, here are some observations:

- It's very good if all these (1)-(3) situations can be provisioned by PSPNG 
in a single implementation


- It's nice when groups go from new --> empty --> populated --> empty --> populated
--> empty --> deleted in a nice, step-wise way. This means
seeing the group in LDAP every step along the way.


- When removing the last member from a (1) group, the group needs to be
deleted. It will likely slow down PSPNG noticeably if it has to read
additional group information to avoid deletion-not-allowed errors or will
create logging noise and modest slowness if the extra information is
read in response to ldap errors to see if the group actually needs to be
deleted.


- Sometimes, groups that are deleted and recreated aren't exactly the same.
For example, a recreated Active Directory group would have a
different SID. Therefore, we cannot standardize our handling of groups by
implementing things as if they all require members.


- Type (1) groups today are created in (at least) some universities with an
initial or persistent Faux member -- an account or dn that doesn't
represent a real user. Pspng can be set up to do that today (by adding the
Faux member to the group-creation template), but that member would be
deleted during full-sync, resulting in errors when that is the last member or
when another last member is eventually removed from a group.


My conclusions:

a) A single group-provisioning system can handle all the ldap group types, if
we take the a Faux-member approach.

b) If Faux-members are too kludgy, then we'll need a separate, noisier and
slower implementation that handles provisioning of groups that require
members.


What do you all think about this?


Sincerely,

  Bert Bee-Lindgren









Archive powered by MHonArc 2.6.19.

Top of Page