Grouper Users - Open Discussion List

[Akki Kumar <>]

Hi Bert,

Checking status of the below ticket. 

https://bugs.internet2.edu/jira/browse/GRP-1376

Since above ticket is holding our Grouper update from 2.2.2 to 2.3.0, please let me know estimated time (for the bug fix) so that I can forward a message to our management and plan accordingly.

Thank you,

Akki

On Thu, Oct 6, 2016 at 4:14 PM, Akki Kumar <> wrote:

Yes, adding configuration flag seems to be a right way do it since it will give the flexibility to create groups with or without members based on the flag configuration. 

Thank you,

Akki

On Mon, Oct 3, 2016 at 6:30 AM, Bee-Lindgren, Bert <> wrote:

I understand. This thread is about groups that require a member (groupOfNames) and, in particular, what to do with them when the group no longer has members. 

My thought is to add a configuration flag memberIsRequired that would both combine group creation with the addition of the initial member as well as delete the group when the last member is removed. 

Does this sound right?

Thanks very much,

  Bert

On Oct 3, 2016, at 4:07 AM, Dave Churchley <> wrote:

+1

 

Yes, this would definitely be the case for us.

 

From: [] On Behalf Of Jeffrey Crawford
Sent: 02 October 2016 03:37
To: Akki Kumar <>
Cc: Bee-Lindgren, Bert <>; mchyzerpenn <>;
Subject: Re: [grouper-users] Re: Grouper PSPNG

 

Would this be an option? I'm wondering if in a situation like AD where you delete a group it may break all permissions that may be assigned to that group. I don't think Windows uses group names in the background rather it uses some sort of SID which would not be re-used.

 

I may be wrong but we may want pspng to have this "feature" be an option just in case some implementations don't use names as the main identifier. In short some people may want to be able to have empty groups.

 

just my $0.02 :)

Jeffrey E. Crawford
Enterprise Service Team

 

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

 

On Fri, Sep 30, 2016 at 9:58 AM, Akki Kumar <> wrote:

Hi Bert,

 

Thank you for creating Jira ticket. 

 

Yes, grouper should delete group when the last member or all members of the group are deleted.

 

 

Thank you,

Akki

 

On Mon, Sep 26, 2016 at 6:51 AM, Bee-Lindgren, Bert <> wrote:

Akki,

 

PSPNG does not currently support combining group creation with the addition of the group's initial member. I've created a Jira for adding this.

https://bugs.internet2.edu/jira/browse/GRP-1376

 

Are there any concerns about removing the last member?... does the group need to be deleted?

 

Sincerely,

  Bert

 

---

From: Akki Kumar <>
Sent: Wednesday, September 21, 2016 11:29 AM
To: mchyzerpenn; Bee-Lindgren, Bert
Cc:
Subject: Re: Grouper PSPNG

 

Hello,

 

Does PSPNG support member addition while creating a group in LDAP? Our LDAP system requires adding members during group creation and I couldn't find a way do it through PSPNG. 

 

changeLog.consumer.pspng_testOne.groupCreationLdifTemplate = dn: cn=${grouperUtil.extensionFromName(name)}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: groupOfNames||member: <CONFIGURATION_TO_ADD_MEMBER>

 

 

Thank you,

Akki

 

 

 

On Tue, Sep 20, 2016 at 10:57 AM, Akki Kumar <> wrote:

Hello,

 

I am trying to integrate PSPNG with our LDAP system and its erroring out. I followed configuration “Group of Unique Names”: https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG

 

 

When I run loader with “Group of Unique Names” configuration, it shows below error:

 

Problem while creating new object: [dn=cn=testGroup,ou=test,ou=testgrouper,dc=umd,dc=edu[[cn[testGroup]], [objectclass[groupOfNames]]]]

[org.ldaptive.LdapException@979158603::resultCode=OBJECT_CLASS_VIOLATION, matchedDn=null, responseControls=null, referralURLs=[], messageId=-1, message=LDAPException(resultCode=65 (object class violation), errorMessage='object class violation'), providerException=LDAPException(resultCode=65 (object class violation), errorMessage='object class violation')]

        at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)

        at org.ldaptive.provider.unboundid.UnboundIDConnection.processLDAPException(UnboundIDConnection.java:543)

        at org.ldaptive.provider.unboundid.UnboundIDConnection.add(UnboundIDConnection.java:317)

        at edu.internet2.middleware.grouper.pspng.LdapProvisioner.performLdapAdd(LdapProvisioner.java:253)

        at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:226)

        at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.createGroup(LdapGroupProvisioner.java:54)

        at edu.internet2.middleware.grouper.pspng.Provisioner.prepareGroupCache(Provisioner.java:678)

        at edu.internet2.middleware.grouper.pspng.Provisioner.startProvisioningBatch(Provisioner.java:453)

        at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.processGroup(FullSyncProvisioner.java:314)

        at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner.thread_manageFullSyncProcessing(FullSyncProvisioner.java:175)

        at edu.internet2.middleware.grouper.pspng.FullSyncProvisioner$1.run(FullSyncProvisioner.java:133)

        at java.lang.Thread.run(Thread.java:745)

Caused by: LDAPException(resultCode=65 (object class violation), errorMessage='object class violation')

        at com.unboundid.ldap.sdk.LDAPConnection.add(LDAPConnection.java:1969)

        at org.ldaptive.provider.unboundid.UnboundIDConnection.add(UnboundIDConnection.java:311)

        ... 9 more

 

 

 

Questions:

·      *  What configuration are needed to add members during group creation by Grouper?

changeLog.consumer.pspng_testOne.groupCreationLdifTemplate = dn: cn=${grouperUtil.extensionFromName(name)}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: groupOfNames||member: <CONFIGURATION_TO_ADD_MEMBER>

·         *  Also when I set attribute supportsEmptyGroups = false, it still throws above error. Does PSPSNG supportsEmptyGroups attribute works when set to false?

 

Thank you,

Akki