
grouper-users - Re: [grouper-users] Troubles with Google provisioning

Subject: Grouper Users - Open Discussion List

  • From: John Gasper <>
  • To: Christopher Sutherin <>, <>
  • Subject: Re: [grouper-users] Troubles with Google provisioning
  • Date: Tue, 18 Apr 2017 15:31:02 -0700

There may be other issues too, but changeLog.consumer.googleapps.serviceImpersonationUser has to be a real account on the domain. This is the account that will be labelled in the logs, etc. as the creator/editor.

 

Otherwise I’d double check the grants. needs to be granted admin and group settings api access.

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

 

 

From: <> on behalf of Christopher Sutherin <>
Date: Monday, April 17, 2017 at 10:59 AM
To: <>
Subject: [grouper-users] Troubles with Google provisioning

 

Hi, 

    I’ve been trying to test Grouper provisioning to Google.  I’ve compiled the google-apps-provisioner-1.2.0 and placed it in cust/lib of the Grouper API home.  My grouper-loader.properties has the following entries:

 

# googleapps-grouper-provisioner

# This tells Grouper which class to invoke when running the change log consumer. It is required if using the change log consumer functionality.
changeLog.consumer.googleapps.class = edu.internet2.middleware.changelogconsumer.googleapps.GoogleAppsChangeLogConsumer

# You may optionally override the default time that the Grouper Loader invokes the consumer.
changeLog.consumer.googleapps.quartzCron = 0 * * * * ?

# The Google managed domain name. (e.g. example.org)
changeLog.consumer.googleapps.domain = umbc.edu

# The service account email address created by Google.
changeLog.consumer.googleapps.serviceAccountEmail =

# The path of the PKCS12 file created and downloaded from Google. The OS account running the Grouper Loader process or full sync functionality needs to have read permissions to this file. Access to this file should be limited.
changeLog.consumer.googleapps.serviceAccountPKCS12FilePath = /opt/grouper/conf/umbc-grouper-provisioner-de039f2d97eb.p12

# This is the account that all actions will be made by. It needs to exist and will be the creator and modifier account associated with the Google auditing logs.
changeLog.consumer.googleapps.serviceImpersonationUser =

 

 

Our Google Apps admin said he has configured it as stated in the documentation. 

 

I receive the following error:

 

2017-04-17 13:50:59,583: [main] ERROR GoogleAppsFullSync.processMissingGroups(342) -  - Google Apps Consume 'googleapps' Full Sync - Error adding missing group (): 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Not Authorized to access this resource/api",
    "reason" : "forbidden"
  } ],
  "message" : "Not Authorized to access this resource/api"
}

 

Thanks for any help,

Chris

 

Chris Sutherin , DB/PS Admin, Business Systems 
Division of Information Technology (DoIT) 
Support Response -   http://www.umbc.edu/oit
Administration 618
Office - 410-455-3327
Email -
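
A preflight check for the settings discussed in this thread, as an added example that is not part of the original messages or the provisioner's own code: it flags an empty or out-of-domain serviceImpersonationUser and a PKCS12 key file that group or others can access. The property names are the ones quoted in the message; the sample values, the simplified properties parser, and the rule that the impersonation user's address must end in the configured domain are assumptions.

```python
import os
import stat

PREFIX = "changeLog.consumer.googleapps."

def parse_properties(text):
    """Simplified parser: 'key = value' lines, '#' or '!' start a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def preflight(props, check_key_file=True):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    domain = props.get(PREFIX + "domain", "").lower()
    if not domain:
        findings.append("domain is empty")
    for name in ("serviceAccountEmail", "serviceImpersonationUser"):
        value = props.get(PREFIX + name, "")
        if "@" not in value:
            findings.append(f"{name} is empty or not an e-mail address")
    # Assumption: "a real account on the domain" implies an address @<domain>.
    user = props.get(PREFIX + "serviceImpersonationUser", "").lower()
    if domain and "@" in user and user.rsplit("@", 1)[1] != domain:
        findings.append("serviceImpersonationUser is not in the managed domain")
    path = props.get(PREFIX + "serviceAccountPKCS12FilePath", "")
    if check_key_file:
        if not os.path.isfile(path):
            findings.append("PKCS12 file not found")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("PKCS12 file is accessible to group or others")
    return findings

# Constructed sample input (placeholder values, not taken from the thread).
SAMPLE = """\
changeLog.consumer.googleapps.domain = example.org
changeLog.consumer.googleapps.serviceAccountEmail = provisioner@example-project.iam.gserviceaccount.com
changeLog.consumer.googleapps.serviceImpersonationUser =
changeLog.consumer.googleapps.serviceAccountPKCS12FilePath = /tmp/example-key.p12
"""

if __name__ == "__main__":
    for finding in preflight(parse_properties(SAMPLE), check_key_file=False):
        print("FINDING:", finding)
```

The check cannot confirm that the account exists in Google or that the API grants are in place; it only catches configuration mistakes visible on the Grouper host.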

 



