Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes


Chronological Thread 
  • From: "Bee-Lindgren, Bert" <>
  • To: Jeffrey Crawford <>
  • Cc: Gouper Users List <>
  • Subject: Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
  • Date: Wed, 22 Mar 2017 20:19:59 +0000
  • Accept-language: en-US
  • Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=oit.gatech.edu;
  • Ironport-phdr: 9a23:ETluoBWGjyTQXfJnEQ0+PntSVerV8LGtZVwlr6E/grcLSJyIuqrYbRyAt8tkgFKBZ4jH8fUM07OQ6PG9HzNZqs/a7TgrS99lb1c9k8IYnggtUoauKHbQC7rUVRE8B9lIT1R//nu2YgB/Ecf6YEDO8DXptWZBUhrwOhBoKevrB4Xck9q41/yo+53Ufg5EmCexbal8IRiyrQjdrMsbjZZtJqosxBbEomZDdvhLy29vOV+dhQv36N2q/J5k/SRQuvYh+NBFXK7nYak2TqFWASo/PWwt68LlqRfMTQ2U5nsBSWoWiQZHAxLE7B7hQJj8tDbxu/dn1ymbOc32Sq00WSin4qx2RhLklDsLOjgk+2zMlMd+kLxUrw6gpxxnwo7bfoeVNOZlfqjAed8WXHdNUtpNWyBEBI63cokBAPcbPetAr4fzuUYArQewCwevCuPgyD5IiWP50qAhyestDR3K0RY8E94SrXjZqsj+OqcIUeCyyanF1TvPYu5I1jjj8YTGdBEhofeRUrJ/a8re108vGxvYhViNt4PlJS+V2uoQuGWc9OVvS/ivi3I9pw5qvDeg2N4gio3IhoIT11/E+j95z5gzJdCjT057YMKkHIFfty6AK4t5XN8tQ2FytCkk17IGpIe2cS4Xw5ok3x7Sc+KLfJKU7h7+UeudPCp0iG9gdbKxiBu+7VSsx+jyVsaq31tFtC9In9zOu3wT2Rzf8tWLRuV+80u72DuDyhrf5+NZLUwuiKbWL54sz7gtnZQJq0vDBDX5mEDuga+WaEok/u+o5vz/bLj6oZGQK4F5hhjjP6sshMCzGOM4PRMQUGSB/uS8yaHj8lb+QLVXiP05j7PVsIjAJcQcuq62HRNa0poi6xa4CTeqytMYnWQbLFJBfxKHiIvpN0vSL/D/CPezm1WskDF1yPDaJrDtHI/CImTenLrkYLpx9lNQxQ89zd1Q+55YFrQMIPztVUL+rtPVCxo0Pg6qz+bpENl905kRWWOLAq+XKqPStlqI6/o0LOaSfo8VpCzxJOM76PHwlHM5nV4dfa+00psYcnC3APJmLl6eYXrtntcNC2gKsRAiTOP0lFKCUSRfaGivUKIh/j07Ep6pDZ/fRoCxh7yMxCi7HodRZmBbElCDD23oe5yZW/cXdi2SONRhnycAVbigUI8hyQquuBHgx7pmKOrU5jMXtYjl1Ndr++3fiws++iJpAMSAgCmxSDRWk20GXTInlItlqFNzzU2Pmfx6jvJWD9FC7NtUWRwxc5PQ0ropJcr1X1eLVNqEDXKnRNmpGzw3CpobzsUSKQ4pEdi4klbJ0ifvB74Tm7ORCZoc9aPAmXf4O8t2yzDL2LR33ApueddGKWDz3v03zAPUHYOc1hzBz6s=
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Jeffrey,


In order to isolate the issue to the dual-daemon setup, is it possible to test your AD Config in a "normal," single daemon?


Thanks,
  Bert

From: Jeffrey Crawford <>
Sent: Wednesday, March 22, 2017 2:52 PM
To: Bee-Lindgren, Bert
Cc: Gouper Users List
Subject: Re: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
 
This combination seems to be dependent on the order in which the daemons start which is weird. However I'm getting stuck on one thing where my AD config seems to no longer allow a psp full sync, it just hangs with no log output. Anybody have a tip on what may be wrong, which would not even allow logging to start? I know I had this working before but it's been a while since I touched this.

Sorry for the lack of info but no log output makes it hard to pinpoint.

Jeffrey E. Crawford
Enterprise Service Team

Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------

On Tue, Mar 21, 2017 at 12:34 PM, Jeffrey Crawford <> wrote:
Thanks Bert,

I haven't tried the combination of what you suggested yet. I think the loader running twice is probably not the end of the world as long as it doesn't corrupt the data.

once PSPNG is working the way we need it, then we can have a party abandoning all this :)

Jeffrey E. Crawford
Enterprise Service Team

Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Tue, Mar 21, 2017 at 4:46 AM, Bee-Lindgren, Bert <> wrote:

Jeffrey,


While I've asked Shilen and Chris to verify my theory, I thought I'd sketch it out here before they have a chance so it's not further delayed by my training this week....


I think your two daemons don't have enough information nor enough separation to work together properly. I think you need you need to set up your grouper daemons as follows:

1) The "Main" daemon

-Runs the default jobs (change_log_temp to changelog, loaders, etc)

-Has changelog.consumer entries for _all_ the changelog listeners (including pspad)

-Has the pspad changelog listener disabled, perhaps with a blank schedule or with a schedule that specifies year=2010

-Runs the default psp that you've been using


2) The "PSP-AD" daemon

-Disables the default jobs, probably with changeLog.changeLogTempToChangeLog.enable = false and perhaps other properties

-I don't know how to disable this daemon from becoming a loader-job node
-Has the changelog.consumer entry for pspad as well as an active quartz schedule for it.


Hoping this helps,

  Bert


From: <> on behalf of Jeffrey Crawford <>
Sent: Monday, March 20, 2017 1:05 PM
To: Gouper Users List
Subject: [grouper-users] Re: PSP (Original) Provisioning to LDAP and AD woes
 
bump :)

Jeffrey E. Crawford
Enterprise Service Team

Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------

On Fri, Mar 17, 2017 at 12:38 PM, Jeffrey Crawford <> wrote:
I'll try and keep this as simple as possible. We are not yet ready to move to PSPNG but we have an active project of provisioning groups to AD and have an existing provisioner to a couple of LDAP instances.

The LDAP servers use the same DN naming convention so we are able to split up the servers based on the multiple ldap psp-example. Now however we need to provision groups to AD which has a different DN. The following are the things I've tried:

running a second daemon that shows the sources.xml as being the AD server, however it seems like the daemon that hits the changelog first wins even if one had a different name for the psp changelog string:
grouper-loader.properties (LDAP)
changeLog.consumer.pspidm.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer

grouper-loader.prperties (AD)
changeLog.consumer.pspad.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer

I tried using a different source id in sources.xml but then you would have to update groups twice one from each source or provisioners based on the AD source would be blank

Is there some method I'm missing here?

Jeffrey E. Crawford
Enterprise Service Team

Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------




Archive powered by MHonArc 2.6.19.

Top of Page