Skip to Content.
Sympa Menu

grouper-users - [grouper-users] Re: Attribute Based Provisioning - PSPNG

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Re: Attribute Based Provisioning - PSPNG

Chronological Thread 
  • From: "Bee-Lindgren, Bert" <>
  • To: "Black, Carey M." <>, Drew Zebrowski <>, "" <>
  • Subject: [grouper-users] Re: Attribute Based Provisioning - PSPNG
  • Date: Fri, 2 Jun 2017 21:23:28 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
  • Ironport-phdr: 9a23:dIHMjhMqCsIOI8i7i3El6mtUPXoX/o7sNwtQ0KIMzox0K/3ypcbcNUDSrc9gkEXOFd2CrakV1KyL6uu5BD1IyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSijewZbF/IA+2oAnMucUanItvJ6IswRbVv3VEfPhby3l1LlyJhRb84cmw/J9n8ytOvv8q6tBNX6bncakmVLJUFDspPXw7683trhnDUBCA5mAAXWUMkxpHGBbK4RfnVZrsqCT6t+592C6HPc3qSL0/RDqv47t3RBLulSwKLCAy/n3JhcNsjaJbuBOhqAJ5w47Ie4GeKf5ycrrAcd8GWWZNW8BcXDFDDIyhdYsCF+oPM/hFoYnhqVUArhW+CgutBOzzxTBFnWX50bEm3+k7DQ3KwAwtEtQTu3rUttX1M6ISXPi7wKTV0zrMcepa1zH86IjObx8hruuMUqx2ccbJ1EIiCh3Kjk+MqYDrIjiY0f8CvHaB7+p8T+6gkHAopB9orjirx8csjJTGho0Pyl/a8yV024E1JdykSEJhbt6rCodQuD+GOIt2WM8tXXxnuDsjx7AApJW1ci8KyJE9yB7ebfyKa4mI4hT/VOmPOzd4gmxqeK6hixqo70ev1/D8W8+p21hJtipIisfAuWoR2xDO78WLV+Zx8lqk1DaB2A3f9v1ILEU6laXFJJMu2Ls9m58RvEjeAyP6gFv6ga6Lekk4/+Wk9uvqb7bjq5OBOY94lh/yP6EzlsGxHeg0Lg0DUmaF9emz17Du+E30TbdKg/A2l6TUv5LXKMsGqqO8HgNV3Jsv5Au5Ajy7ytoXh2MHI0hAeB+fj4jmJVXOIPfgAPmnn1milytnyv7fMrD8AJrBMGHPkLD6crlj8UJczxczzcxE6JJTF7EBJu/8VlXptNzCCR85LxK7zPr7CNV80YMeX3iDAqiEMKPOtV+I4eUvI+qWaIAJvzb9LuAp5//ojXAnhV8QZbel0oELZHylG/lqPliVbWfpj9cPHmoGohYyQenkiFKcXjNcfXO/Uqc+6z0mFY6qFYLDSZqsgLyF0ie7BJpWZmVeB1+XD3jobZmEV+0XZy2MPMBtizgEVbmnS4A82hGurhH1y7x8I+rT+y0YqYjv1Ndv6O3Pix496Tx0A96D3G6QUmF4hnkISCMu3KBjvUx9zU+O0adig/xfCNxT/+1GUh0jOZ7B1Ox1FcryWhnac9eNSVamWcmmASovQt4rwt8OZVp9FMu4jhDFwSWqH6EZm6aVC5Mp76KPl0T2coxXz3/N1+1ppFA8T9oHECvszvp18wHYBMiQyR6xkL23M6kQwXiJvEuZwHXGjkxSSglvSqbEFSQ2YEfMoMu/1E7IVbixErcmGglMx8CPMLBNbJvkgUgQAL+pN87Zfnq8gSKtHhuS3ZuNapbnYWMQwH+bBUQZ2UhH8myBKBAzHGK8uG/EFxRvE07ieUXh7bM4pX+mGBwa1QaPOgdL2rfw3h8TifOGRvVXlpgJojtr42F+EUyhmdjbBp+Epgxtc79RZ/s64UsB2mvFugd9eJGsMvYx1RYlbw1rsha2hF1MAYJanJ1v9StywQ==
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99


You are going to want to use a group-provisioning template as described in Carey's link. This will generally do the right thing and certainly should prevent objectclass violations.

The question I have is what you want the gidNumber and uidNumber of the group objects to be?

a) Normally, gidNumber will come from Grouper, eg, ${group.idIndex}. 

b) [Assuming you didn't mean memberUid] I'm not sure what uidNumber should be in your environment.RFC2307 [snippet below] indicates that you'll have to add another objectclass to define uidNumber. And then you'll need to find a value in the grouper group to define it. Let us know a little more and we can help.

 NAME 'posixGroup'
 DESC 'Standard LDAP objectclass'
 SUP top
 MUST ( cn $
  gidNumber )
 MAY ( userPassword $
  memberUid $
  description )
 X-ORIGIN 'RFC 2307' )


  Bert Bee-Lindgren

From: <> on behalf of Black, Carey M. <>
Sent: Friday, June 2, 2017 3:53 PM
To: Drew Zebrowski;
Subject: [grouper-users] RE: Attribute Based Provisioning - PSPNG



I think you are not looking at this the right way. ( But I am not an expert at grouper or specifically the PSPNG part.)


If you have not bumped into this page, it looks relevant.



Specifically I think this looks “wrong” to me.

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = gidNumber

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = uidNumber

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}

You are trying to insert random integers for the gid and uid for the user. I doubt that is really what you want. ( on every “provisioning” of the user/groups.)





My guess is that you would want to assign a value ( using grouper to be the “authoritative source”) then send those values out to the connected system(s).

                REF:  (Note: this is circa 2011… YMMV )

                  “Hooks Example - Assign a UNIX ID to Each New Group”


                REF: ( NOTE: circa 2012…. YMM Improve?, looks more civilized.

J )

                “In Grouper 2.2+ the main Grouper objects in the database (groups, folders, attribute definitions, attribute names) will be assigned unique integers.  These integers can be used, for instance, as UNIX GIDs.”


Hope that helps.



Carey Matthew


From: [mailto:] On Behalf Of Drew Zebrowski
Sent: Friday, June 2, 2017 2:44 PM
Subject: [grouper-users] Attribute Based Provisioning - PSPNG


We are working on a way to provision posixAccount objectclass attributes for users and are looking at using Grouper to see if we can do this. I am new to Grouper and don’t have much experience with using the PSPNG component.


Here is our end-goal: Provision out the following attributes to an LDAP Person Entry.


-          Generate objectclass: posixAccount

-          Generate uidNumber: <Random Number>

-          Generate gidNumber: <Random Number>


In, I tried the following which defines multiple attribute/value pairs. It doesn’t appear as though Grouper handles this since the LDAP returns an ObjectClass Violation.


# User gidNumber Provisioning

changeLog.consumer.pspng_secsds_gidNumber.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_secsds_gidNumber.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner

changeLog.consumer.pspng_secsds_gidNumber.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_secsds_gidNumber.retryOnError = true

changeLog.consumer.pspng_secsds_gidNumber.ldapPoolName = secsds

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = objectclass

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = posixAccount

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = gidNumber

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = uidNumber

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}

changeLog.consumer.pspng_secsds_gidNumber.userSearchBaseDn = cn=users,o=tjuh

changeLog.consumer.pspng_secsds_gidNumber.userSearchFilter = uid=${}



Is this a supported function of the loader? Can it provision objectclasses along with the required attributes through the attribute provisioner or is this not designed to work that way? Has anyone done this sort of thing and is willing to share their experience? Thanks.


Drew Zebrowski

Thomas Jefferson University


The information contained in this transmission contains privileged and confidential information. It is intended only for the use of the person named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

CAUTION: Intended recipients should NOT use email communication for emergent or urgent health care matters.


Archive powered by MHonArc 2.6.19.

Top of Page