Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Making PSPNG authoritative for all values of an attribute

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Making PSPNG authoritative for all values of an attribute


Chronological Thread 
  • From: Paul Engle <>
  • To:
  • Subject: Re: [grouper-users] Making PSPNG authoritative for all values of an attribute
  • Date: Thu, 23 Feb 2017 09:39:34 -0600
  • Ironport-phdr: 9a23:XvPcGxep4C/SwOC3ltV79dkGlGMj4u6mDksu8pMizoh2WeGdxcu7Yx7h7PlgxGXEQZ/co6odzbGH7ua5CSdfsd6oizMrSNR0TRgLiMEbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVrO+/7BpDdj9it1+C15pbffxhEiCCzbL52LBi6txjdu8oZjYZgKas61wfErGZPd+lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2466svrtQLeTQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUjms86tnVBnlgzoBOjUk8m/Yl9ZwgbpGrhy/qRxxw43abo+bO/VxfKzSYdwUSHFdXstTTSFNHp+wYoUNAucHIO1Wr5P9p1wLrRamHwejHv7vyjtVjXH526063OAhHh/b1wEnB9IBrnLUrNrxNKgMSu211qjIwindYP9Mxzjy9ZXIfwknrPqRXrxwadLcxVQxGw7GlFmdppLpMymL2ugRrmSX9fdsWf6zh2I/tg19vDuiyt0jh4XXnI4Z11TJ+CFjzIooOdG1TlNwb8S+H5tKrS6aMpN7QsM8TGFsvyY30qUGuYamcCQQ0pQnxgLQZOKdf4eW/x3jSf6dITZ+hH17ZLKynwu+/Vajx+HmWcS4zkxGojRZntXRrHwBygDf5tSfRvt45Eih2DKP1w7J6uFDJEA5jbLbJIAnwr4/kpocr1/OHjX3mErqkqCabFsr9fW16+j/eLXpuoecN5NoigH5Kqkulda/AeMlMggWQWeb4/2w1KD4/ULnWrVKleY7kq3YsJDBOcQbvbC1DxVU0oYl9xawES2m0NIGknkbMl5JYgyIgJX0OwKGHPetAu24nkyhinJ23P3cJZXgBInANH7OjO2ncLpguGBGzw9m9dlC49p5DL4FLbqnQkL3u9jVJgU4OAHyzur6XoYunrgCUH6CV/fKeJjZtkWFs7oi

Slight correction to this. The property is actually
allProvisionedValuesPrefix for the attribute provisioner. I fixed it in
the wiki.

Thinking about this some more, I can understand the logic of wanting to
require a prefix when the authoritative switch is thrown to keep it from
blowing away values from other sources. But does it seem reasonable to
have a new boolean property, provisionedValuesPrefixIsNull or somesuch
to trigger the case when there really should be an empty prefix? That
would prevent an admin from accidentally turning on the authoritative
behavior and not specifying a prefix explicitly. Either the prefix
property contains a string or the isNull property is true. Does that
make sense?

-paul

On 2/20/2017 11:16 AM, Paul Engle wrote:
>
> I understand how to make Grouper authoritative for prefixed values of an
> LDAP attribute using the LdapAttributeProvisioner and setting a value
> for the grouperIsAuthoritative & allProvisionedAttributePrefix
> properties. But how can I do so for _all_ values of an attribute,
> without a prefix?
>
> Up to now, we've had isMemberOf populated from the group name, so they
> don't all share a common prefix. Introducing a prefix at this stage
> would break several applications that are already using the existing
> values. I thought I could be clever and put in a string like '*:',
> making the resultant LDAP filter be (isMemberOf=*:*). But apparently
> later on during the reconciliation, the prefix is made part of a regex,
> so the asterisk blows it up.
>
> Is there any way to specify an empty string for the property? If not,
> can that be a feature request? If I can get this one issue solved, then
> I think I will have a fully functional pspng equivalent of our existing
> psp config.
>
> -paul
>
>

--
Paul Engle
Office of Information Technology

713-348-4702



Archive powered by MHonArc 2.6.19.

Top of Page