grouper-users - Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
Subject: Grouper Users - Open Discussion List
- From: Jeffrey Crawford <>
- To: "Hyzer, Chris" <>
- Cc: "Bee-Lindgren, Bert" <>, Gouper Users List <>
- Subject: Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
- Date: Tue, 21 Mar 2017 12:29:51 -0700
The problem is that we don't seem to be ready for PSPNG yet. PSP is really stable and there are a couple of outstanding issues with PSPNG that I'm working with Bert on (stopping if a subject isn't present, updating non-group-membership information like description). PSP is doing all that but it seems tied to one source.
Jeffrey E. Crawford
Enterprise Service Team
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Tue, Mar 21, 2017 at 9:46 AM, Hyzer, Chris <> wrote:
Can't each configuration for the different pspng’s have different userSearchFilter configs to accommodate that? Or use the guid somehow? I would hope we don’t need a different subject source…
From: Jeffrey Crawford [mailto:]
Sent: Tuesday, March 21, 2017 12:43 PM
To: Hyzer, Chris <>
Cc: Bee-Lindgren, Bert <>; Gouper Users List <>
Subject: Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
Easiest example of the differing DN's would be:
LDAP: uid=jeffreyc,ou=people,dc=ucsc,dc=edu
AD: cn=jeffreyc,ou=autest,dc=test,dc=ucsc,dc=edu
We base the lookups on a custom attribute in both LDAP and AD called "guid"; this is what is stored in Grouper and is used as the subject id.
Jeffrey E. Crawford
Enterprise Service Team
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Tue, Mar 21, 2017 at 6:10 AM, Hyzer, Chris <> wrote:
Can you explain what your subject id is composed of, what subject identifiers you have in your source, what your DN is made up of in AD, and if any attributes in that user object in AD exist as the subject ID or one of the identifiers?
From: [mailto:] On Behalf Of Bee-Lindgren, Bert
Sent: Tuesday, March 21, 2017 7:47 AM
To: Jeffrey Crawford <>; Gouper Users List <>
Subject: Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
Jeffrey,
While I've asked Shilen and Chris to verify my theory, I thought I'd sketch it out here before they have a chance so it's not further delayed by my training this week....
I think your two daemons don't have enough information nor enough separation to work together properly. I think you need to set up your grouper daemons as follows:
1) The "Main" daemon
-Runs the default jobs (change_log_temp to changelog, loaders, etc)
-Has changelog.consumer entries for _all_ the changelog listeners (including pspad)
-Has the pspad changelog listener disabled, perhaps with a blank schedule or with a schedule that specifies year=2010
-Runs the default psp that you've been using
2) The "PSP-AD" daemon
-Disables the default jobs, probably with changeLog.changeLogTempToChangeLog.enable = false and perhaps other properties
-I don't know how to disable this daemon from becoming a loader-job node
-Has the changelog.consumer entry for pspad as well as an active quartz schedule for it.
Hoping this helps,
Bert
From: <> on behalf of Jeffrey Crawford <>
Sent: Monday, March 20, 2017 1:05 PM
To: Gouper Users List
Subject: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
bump :)
Jeffrey E. Crawford
Enterprise Service Team
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Fri, Mar 17, 2017 at 12:38 PM, Jeffrey Crawford <> wrote:
I'll try and keep this as simple as possible. We are not yet ready to move to PSPNG but we have an active project of provisioning groups to AD and have an existing provisioner to a couple of LDAP instances.
The LDAP servers use the same DN naming convention so we are able to split up the servers based on the multiple ldap psp-example. Now however we need to provision groups to AD which has a different DN. The following are the things I've tried:
running a second daemon that shows the sources.xml as being the AD server, however it seems like the daemon that hits the changelog first wins even if one had a different name for the psp changelog string:
grouper-loader.properties (LDAP)
changeLog.consumer.pspidm.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
grouper-loader.properties (AD)
changeLog.consumer.pspad.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
I tried using a different source id in sources.xml, but then you would have to update groups twice, one from each source, or provisioners based on the AD source would be blank.
Is there some method I'm missing here?
Jeffrey E. Crawford
Enterprise Service Team
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------