
grouper-users - RE: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: "Bee-Lindgren, Bert" <>, Jeffrey Crawford <>, Gouper Users List <>
  • Subject: RE: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
  • Date: Tue, 21 Mar 2017 13:10:48 +0000

Can you explain what your subject id is composed of, what subject identifiers you have in your source, what your DN is made up of in AD, and if any attributes in that user object in AD exist as the subject ID or one of the identifiers?


From: [mailto:] On Behalf Of Bee-Lindgren, Bert
Sent: Tuesday, March 21, 2017 7:47 AM
To: Jeffrey Crawford <>; Gouper Users List <>
Subject: Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes




While I've asked Shilen and Chris to verify my theory, I thought I'd sketch it out here before they have a chance so it's not further delayed by my training this week....


I think your two daemons don't have enough information nor enough separation to work together properly. I think you need to set up your grouper daemons as follows:

1) The "Main" daemon

-Runs the default jobs (change_log_temp to changelog, loaders, etc)

-Has changelog.consumer entries for _all_ the changelog listeners (including pspad)

-Has the pspad changelog listener disabled, perhaps with a blank schedule or with a schedule that specifies year=2010

-Runs the default psp that you've been using


2) The "PSP-AD" daemon

-Disables the default jobs, probably with changeLog.changeLogTempToChangeLog.enable = false and perhaps other properties

-I don't know how to disable this daemon from becoming a loader-job node

-Has the changelog.consumer entry for pspad as well as an active quartz schedule for it.


Hoping this helps,



From: <> on behalf of Jeffrey Crawford <>
Sent: Monday, March 20, 2017 1:05 PM
To: Gouper Users List
Subject: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes


bump :)

Jeffrey E. Crawford
Enterprise Service Team


Both pilots and IT professionals require training and currency before charging into clouds!



On Fri, Mar 17, 2017 at 12:38 PM, Jeffrey Crawford <> wrote:

I'll try and keep this as simple as possible. We are not yet ready to move to PSPNG but we have an active project of provisioning groups to AD and have an existing provisioner to a couple of LDAP instances.


The LDAP servers use the same DN naming convention so we are able to split up the servers based on the multiple ldap psp-example. Now however we need to provision groups to AD which has a different DN. The following are the things I've tried:


Running a second daemon that shows the sources.xml as being the AD server; however, it seems like the daemon that hits the changelog first wins, even if one had a different name for the psp changelog string: (LDAP)

changeLog.consumer.pspidm.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer


grouper-loader.properties (AD)

changeLog.consumer.pspad.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer


I tried using a different source id in sources.xml, but then you would have to update groups twice, one from each source, or provisioners based on the AD source would be blank.


Is there some method I'm missing here?


Jeffrey E. Crawford
Enterprise Service Team


Both pilots and IT professionals require training and currency before charging into clouds!


