Grouper Users - Open Discussion List

[Michael R Gettes <>]

My point, which I clearly failed to communicate, was no 
“etc:pspng:provision_to” attribute was created - just _def
My read of the documentation page for PSPNG was the attribute was defined to 
contain a JEXL expression of those
to match.  I believe I have completely misunderstood.  As I re-read, it’s 
still confusing to me.

So, I have assigned the attribute to one folder to sync vis PSPNG.  I am now 
seeing activity.  There are searches for the static group object and the 
isMemberOf attribute but no ADD/modifications.  I am getting NO errors from 
PSPNG itself.

I get the sense I am very close to having this work.

Any pointers are appreciated.

/mrg

> On Feb 14, 2017, at 11:40 AM, Hyzer, Chris 
> <>
>  wrote:
> 
> My understanding is they are created the first time you run the PSPNG.  
> (which would do nothing since the attributes don’t exist and aren’t 
> assigned).  Then you assign them, and run again, and it provisions.  
> Anyways, you can pre-create.  Your output doesn’t look terrible, attributes 
> should be there now :)
> 
> Take a look at this wiki:
> 
> https://spaces.internet2.edu/display/Grouper/PSPNG+at+Penn
> 
> Assign the provision_to attribute to a folder or group or multiple, and run 
> it, and see if it works :)
> 
> Thanks
> Chris
> 
> 
> 
> -----Original Message-----
> From: Michael R Gettes 
> [mailto:]
>  
> Sent: Tuesday, February 14, 2017 11:27 AM
> To: Hyzer, Chris 
> <>
> Cc: grouper-users 
> <>
> Subject: Re: [grouper-users] PSPNG (latest)
> 
> Thanks Chris.
> 
> I got the following output - which seems like there might be an error.  I 
> had commented to Bert - I don’t understand why these attributes need to be 
> created and the rest of the configuration is in grouper-loader.properties.  
> Why not have them all in the same place?  Anyway, am i not supposed to have 
> provision_to some place defined some place?  Sorry, I remain a little 
> confused as to what to do next.
> 
> gsh 0% gsh 1% gsh 2% gsh 3% gsh 4% gsh 5% gsh 6% stem: name='etc:pspng' 
> displayName='etc:pspng' uuid='b04ab59001ab4a0da1977aeee0e54d86' 
> gsh 7% java.lang.Long: 0
> gsh 8% Made change for stem: etc:pspng
> gsh 9% Tue Feb 14 11:19:37 EST 2017 Done with folders, objects: 1, expected 
> approx total: 8, changes: 1, known errors (view output for full list): 0
> gsh 10% Tue Feb 14 11:19:37 EST 2017 Done with groups, objects: 1, expected 
> approx total: 8, changes: 1, known errors (view output for full list): 0
> gsh 11% Tue Feb 14 11:19:37 EST 2017 Done with composites, objects: 1, 
> expected approx total: 8, changes: 1, known errors (view output for full 
> list): 0
> gsh 12% gsh 13% gsh 14% java.lang.Long: 1
> gsh 15% Made change for attributeDef: etc:pspng:do_not_provision_to_def
> gsh 16% gsh 17% gsh 18% java.lang.Long: 2
> gsh 19% Made change for attributeDef: etc:pspng:provision_to_def
> gsh 20% Tue Feb 14 11:19:39 EST 2017 Done with attribute definitions, 
> objects: 3, expected approx total: 8, changes: 3, known errors (view output 
> for full list): 0
> gsh 21% Tue Feb 14 11:19:39 EST 2017 Done with role hierarchies, objects: 
> 3, expected approx total: 8, changes: 3, known errors (view output for full 
> list): 0
> gsh 22% edu.internet2.middleware.grouper.attr.AttributeDef: 
> AttributeDef[name=etc:pspng:do_not_provision_to_def,uuid=75bef106a7404aeebb7ad1f622d2a0b1]
> gsh 23% gsh 24% edu.internet2.middleware.grouper.attr.AttributeDef: 
> AttributeDef[name=etc:pspng:provision_to_def,uuid=1b76d4fb678748ee99a0e3e610929be5]
> gsh 25% gsh 26% Tue Feb 14 11:19:39 EST 2017 Done with attribute actions, 
> objects: 5, expected approx total: 8, changes: 3, known errors (view output 
> for full list): 0
> gsh 27% Tue Feb 14 11:19:39 EST 2017 Done with attribute action 
> hierarchies, objects: 5, expected approx total: 8, changes: 3, known errors 
> (view output for full list): 0
>> On Feb 14, 2017, at 11:08 AM, Hyzer, Chris 
>> <>
>>  wrote:
>> 
>> Yeah, at some point we should probably move that logic to the same place 
>> that creates other attributes for Grouper.
>> 
>> There is a script at the bottom here that is what Penn used to create the 
>> attributes:
>> 
>> https://spaces.internet2.edu/display/Grouper/PSPNG+at+Penn
>> 
>> Note, edit the names if you have a different location for "etc".  (e.g. 
>> psu:etc?)
>> 
>> Thanks
>> Chris
>> 
>> 
>> -----Original Message-----
>> From: 
>> 
>>  
>> [mailto:]
>>  On Behalf Of Michael R Gettes
>> Sent: Tuesday, February 14, 2017 11:05 AM
>> To: grouper-users 
>> <>
>> Subject: [grouper-users] PSPNG (latest)
>> 
>> We have applied patches (all patches) and, from a private conversation 
>> with Bert, I was led to believe when we first start up PSPNG it will 
>> create the attributes for PSPNG in etc:attribute:userData:provision_to and 
>> …:do_not_provision_to
>> 
>> I start up the loader with PSPNG enabled and I do not see these attributes 
>> created.  I waited a couple of minutes.  I see the PSPNG jobs run in the 
>> GROUPER_LOADER_LOG.  No errors for the jobs and no errors in the log files 
>> on startup.
>> 
>> Either I misunderstand something or haven’t done something right.
>> 
>> Guidance appreciated.
>> 
>> PSPNG patches from patch file in api:
>> grouper_v2_3_0_pspng_patch_0.date = 2017/02/10 15:52:42
>> grouper_v2_3_0_pspng_patch_0.state = applied
>> grouper_v2_3_0_pspng_patch_1.date = 2017/02/10 15:52:45
>> grouper_v2_3_0_pspng_patch_1.state = applied
>> grouper_v2_3_0_pspng_patch_2.date = 2017/02/10 15:52:47
>> grouper_v2_3_0_pspng_patch_2.state = applied
>> grouper_v2_3_0_pspng_patch_3.date = 2017/02/10 15:52:49
>> grouper_v2_3_0_pspng_patch_3.state = applied
>> grouper_v2_3_0_pspng_patch_4.date = 2017/02/10 15:52:50
>> grouper_v2_3_0_pspng_patch_4.state = applied
>> grouper_v2_3_0_pspng_patch_5.date = 2017/02/10 15:52:52
>> grouper_v2_3_0_pspng_patch_5.state = applied
>> grouper_v2_3_0_pspng_patch_6.date = 2017/02/10 15:52:53
>> grouper_v2_3_0_pspng_patch_6.state = applied
>> grouper_v2_3_0_pspng_patch_7.date = 2017/02/10 15:52:55
>> grouper_v2_3_0_pspng_patch_7.state = applied
>> grouper_v2_3_0_pspng_patch_8.date = 2017/02/10 15:52:56
>> grouper_v2_3_0_pspng_patch_8.state = applied
>> 
>> ldap.openldap.ldapUrl = X
>> ldap.openldap.bindDn = Y
>> ldap.openldap.bindCredential = Z
>> ldap.openldap.ldapUserCacheSize = 150000
>> ldap.openldap.grouperSubjectCacheSize = 150000
>> ldap.openldap.ldapSearchResultPagingSize = 1000
>> ldap.openldap.connectTimeout = 30000
>> ldap.openldap.useStartTLS = true
>> 
>> 
>> #changeLog.consumer.pspng_groupOfNames.ldapPoolName = groupOfNames
>> 
>> changeLog.consumer.pspng_groupOfNames.class = 
>> edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
>> changeLog.consumer.pspng_groupOfNames.type = 
>> edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
>> changeLog.consumer.pspng_groupOfNames.quartzCron = 0/10 * * * * ?
>> changeLog.consumer.pspng_groupOfNames.ldapPoolName = openldap
>> changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
>> changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = 
>> ${ldapUser.getDn()}
>> changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = TRUE
>> changeLog.consumer.pspng_groupOfNames.maxValuesToChangePerOperation = 5000
>> changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = 
>> ou=ng,ou=group,dc=psu,dc=edu
>> changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = 
>> objectclass=groupOfNames
>> changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = 
>> (&(objectclass=groupOfNames)(cn=${group.name}))
>> changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = 
>> cn,gidNumber,objectclass
>> changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: 
>> cn=${group.name}||cn: ${group.name}||objectclass: 
>> groupOfNames||objectclass: posixGroup||gidNumber: ${group.idIndex}
>> changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = dc=psu,dc=edu
>> changeLog.consumer.pspng_groupOfNames.userSearchFilter = 
>> (&(objectclass=eduPerson)(eduPersonPrincipalName=${subject.id}))
>> 
>