grouper-users - [grouper-users] Re: Attribute Based Provisioning - PSPNG
Subject: Grouper Users - Open Discussion List
- From: "Bee-Lindgren, Bert" <>
- To: "Black, Carey M." <>, Drew Zebrowski <>, "" <>
- Subject: [grouper-users] Re: Attribute Based Provisioning - PSPNG
- Date: Fri, 2 Jun 2017 21:23:28 +0000
Drew,
You are going to want to use a group-provisioning template as described in Carey's link. This will generally do the right thing and certainly should prevent objectclass violations.
The question I have is what you want the gidNumber and uidNumber of the group objects to be?
a) Normally, gidNumber will come from Grouper, e.g., ${group.idIndex}.
b) [Assuming you didn't mean memberUid] I'm not sure what uidNumber should be in your environment. RFC2307 [snippet below] indicates that you'll have to add another objectclass to define uidNumber. And then you'll need to find a value in the grouper group to define it. Let us know a little more and we can help.
( 1.3.6.1.1.1.2.2
    NAME 'posixGroup'
    DESC 'Standard LDAP objectclass'
    SUP top
    STRUCTURAL
    MUST ( cn $
           gidNumber )
    MAY ( userPassword $
          memberUid $
          description )
    X-ORIGIN 'RFC 2307' )
Sincerely,
Bert Bee-Lindgren

From: <> on behalf of Black, Carey M. <>
Sent: Friday, June 2, 2017 3:53 PM
To: Drew Zebrowski;
Subject: [grouper-users] RE: Attribute Based Provisioning - PSPNG

Drew,
I think you are not looking at this the right way. (But I am not an expert at grouper or specifically the PSPNG part.)
If you have not bumped into this page, it looks relevant.
Specifically I think this looks “wrong” to me.
“
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = gidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = uidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
”
You are trying to insert random integers for the gid and uid for the user. I doubt that is really what you want. (on every “provisioning” of the user/groups.)
My guess is that you would want to assign a value (using grouper to be the “authoritative source”) then send those values out to the connected system(s).

REF: https://spaces.internet2.edu/display/Grouper/Getting+started+with+hooks2 (Note: this is circa 2011… YMMV)
“Hooks Example - Assign a UNIX ID to Each New Group”

REF: https://spaces.internet2.edu/display/Grouper/Integer+IDs+on+Grouper+objects (NOTE: circa 2012…. YMM Improve?, looks more civilized. :-) )
“In Grouper 2.2+ the main Grouper objects in the database (groups, folders, attribute definitions, attribute names) will be assigned unique integers. These integers can be used, for instance, as UNIX GIDs.”
Hope that helps.
-- Carey Matthew
From: [mailto:]
On Behalf Of Drew Zebrowski
We are working on a way to provision posixAccount objectclass attributes for users and are looking at using Grouper to see if we can do this. I am new to Grouper and don’t have much experience with using the PSPNG component.
Here is our end-goal: Provision out the following attributes to an LDAP Person Entry.
- Generate objectclass: posixAccount
- Generate uidNumber: <Random Number>
- Generate gidNumber: <Random Number>
In grouper-loader.properties, I tried the following which defines multiple attribute/value pairs. It doesn’t appear as though Grouper handles this since the LDAP returns an ObjectClass Violation.
# User gidNumber Provisioning
changeLog.consumer.pspng_secsds_gidNumber.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_secsds_gidNumber.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
changeLog.consumer.pspng_secsds_gidNumber.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_secsds_gidNumber.retryOnError = true
changeLog.consumer.pspng_secsds_gidNumber.ldapPoolName = secsds
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = objectclass
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = posixAccount
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = gidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = uidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
changeLog.consumer.pspng_secsds_gidNumber.userSearchBaseDn = cn=users,o=tjuh
changeLog.consumer.pspng_secsds_gidNumber.userSearchFilter = uid=${subject.id}
Is this a supported function of the loader? Can it provision objectclasses along with the required attributes through the attribute provisioner or is this not designed to work that way? Has anyone done this sort of thing and is willing to share their experience? Thanks.
Drew Zebrowski Thomas Jefferson University
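
An added example (not part of the thread and not Grouper code): a small lint for the properties posted in the original message, flagging repeated keys and random-valued ID attributes. It assumes the file is read with java.util.Properties semantics, where a repeated key keeps only its last value, and uses a simplified key/value parser without line continuations; the function names are hypothetical.

```python
import re

# Constructed sample: the repeated-key lines from the configuration posted above.
P = "changeLog.consumer.pspng_secsds_gidNumber."
SAMPLE = "\n".join([
    "# User gidNumber Provisioning",
    P + "ldapPoolName = secsds",
    P + "provisionedAttributeName = objectclass",
    P + "provisionedAttributeValueFormat = posixAccount",
    P + "provisionedAttributeName = gidNumber",
    P + "provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}",
    P + "provisionedAttributeName = uidNumber",
    P + "provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}",
])

# key, optional '=' or ':' separator, value (simplified .properties syntax)
LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")

def parse_properties(text):
    """Return (effective, shadowed): the last value per key and the values it replaced."""
    effective, shadowed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = LINE.match(line)
        if not m:                            # line without a usable key
            continue
        key, value = m.group(1), m.group(2).rstrip()
        if key in effective:                 # assumption: last definition wins
            shadowed.setdefault(key, []).append(effective[key])
        effective[key] = value
    return effective, shadowed

def lint(text):
    """List (rule, subject, detail) findings for a PSPNG-style properties text."""
    effective, shadowed = parse_properties(text)
    findings = [("duplicate-key", key, old) for key, old in shadowed.items()]
    for key, value in effective.items():
        # A random value differs on every evaluation and nextInt() can be negative,
        # so it cannot serve as a stable uidNumber/gidNumber.
        if key.endswith(".provisionedAttributeValueFormat") and "java.util.Random" in value:
            attr = effective.get(key.replace("ValueFormat", "Name"), "?")
            findings.append(("unstable-id", attr, [value]))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

On the sample, only the uidNumber pair survives parsing, so under the stated assumption the objectclass and gidNumber definitions never reach the provisioner.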