grouper-users - [grouper-users] RE: Attribute Based Provisioning - PSPNG

Subject: Grouper Users - Open Discussion List

  • From: Drew Zebrowski <>
  • To: "Bee-Lindgren, Bert" <>, "Black, Carey M." <>, "" <>
  • Subject: [grouper-users] RE: Attribute Based Provisioning - PSPNG
  • Date: Mon, 5 Jun 2017 14:43:52 +0000
  • Accept-language: en-US

If I’m able to extract the unique value of uidNumber and gidNumber from our identity registry for all users (using a hook or something like that), I guess what I’m really asking is: using LdapAttributeProvisioner, can Grouper set the objectclass, uidNumber and gidNumber attributes for a person? Or is that just not possible with the way LdapAttributeProvisioner is designed?

I could handle this process a few ways as I see it. We could just set the posixAccount objectclass in the target endpoint for all persons and add the uidNumber/gidNumber attributes at the time of provisioning. This would complicate our provisioning process slightly but is definitely doable with some work.

The other method, using Grouper: person accounts are provisioned on the endpoint as-is, with no posixAccount objectclass (or related attributes). As users that are authorized to have this type of access are added into the appropriate group in Grouper, PSPNG will add that objectclass and the required attributes to their person entry.

I like the Grouper option because it doesn’t require me to provision posixAccounts for everyone, only when they’re needed; plus we can offload the manual updating of these accounts in the target LDAP (we currently run a script that does this) to the appropriate party here at Jefferson, with the possibility of automating the population of these groups down the road.

Hopefully I was able to clearly expand on exactly what I want to accomplish.

Drew Zebrowski

Thomas Jefferson University

From: Bee-Lindgren, Bert [mailto:]
Sent: Friday, June 02, 2017 5:23 PM
To: Black, Carey M. <>; Drew Zebrowski <>;
Subject: Re: Attribute Based Provisioning - PSPNG

 

Drew,

You are going to want to use a group-provisioning template as described in Carey's link. This will generally do the right thing and certainly should prevent objectclass violations.

The question I have is: what do you want the gidNumber and uidNumber of the group objects to be?

a) Normally, gidNumber will come from Grouper, e.g., ${group.idIndex}.

b) [Assuming you didn't mean memberUid] I'm not sure what uidNumber should be in your environment. RFC 2307 [snippet below] indicates that you'll have to add another objectclass to define uidNumber. And then you'll need to find a value in the Grouper group to define it. Let us know a little more and we can help.

( 1.3.6.1.1.1.2.2
  NAME 'posixGroup'
  DESC 'Standard LDAP objectclass'
  SUP top
  STRUCTURAL
  MUST ( cn $ gidNumber )
  MAY ( userPassword $ memberUid $ description )
  X-ORIGIN 'RFC 2307' )

Sincerely,

  Bert Bee-Lindgren
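The posixGroup definition quoted above is one of two RFC 2307 classes in play in this thread; the other is posixAccount, which Drew wants on person entries. The Python below is an added example, not code from the thread, from Grouper or from PSPNG. It encodes the MUST/MAY lists of those two classes (posixGroup exactly as quoted, posixAccount from the same RFC) plus a simplified inetOrgPerson, assumed here to be the person entry's existing structural class, and reports the objectClass violations an LDAP server would raise. It reproduces both points made in the thread: uidNumber is not permitted by posixGroup alone, and uidNumber/gidNumber on a person entry fail until posixAccount and every attribute it requires (including homeDirectory) are added in the same modify. All entry values are constructed for the example.

```python
# Added example: a MUST/MAY checker for the RFC 2307 classes discussed in the
# thread. Not Grouper/PSPNG code. SCHEMA is an excerpt typed in from RFC 2307
# (posixGroup exactly as quoted above) plus a simplified inetOrgPerson, assumed
# as the person entry's existing structural class.
SCHEMA = {
    "top": {"must": {"objectClass"}, "may": set()},
    "posixGroup": {  # RFC 2307, as quoted in the thread
        "must": {"cn", "gidNumber"},
        "may": {"userPassword", "memberUid", "description"},
    },
    "posixAccount": {  # RFC 2307 (auxiliary class for person entries)
        "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
        "may": {"userPassword", "loginShell", "gecos", "description"},
    },
    "inetOrgPerson": {  # simplified; the real class inherits person/orgPerson
        "must": {"cn", "sn"},
        "may": {"uid", "mail"},
    },
}

# LDAP attribute and class names are case-insensitive; normalise once.
_SCHEMA = {
    cls.lower(): {kind: {a.lower() for a in attrs} for kind, attrs in spec.items()}
    for cls, spec in SCHEMA.items()
}


def check_entry(entry):
    """Return a sorted list of objectClass violations for an entry given as
    {attribute: [values]}. An empty list means the entry is schema-clean
    with respect to the SCHEMA excerpt above."""
    attrs = {name.lower(): values for name, values in entry.items()}
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    allowed = {"objectclass"}
    problems = []
    for cls in classes:
        spec = _SCHEMA.get(cls)
        if spec is None:
            problems.append(f"unknown objectClass {cls}")
            continue
        allowed |= spec["must"] | spec["may"]
        for required in spec["must"]:
            if required not in attrs:
                problems.append(f"{cls} requires {required}")
    for attr in attrs:
        if attr not in allowed:
            problems.append(f"{attr} not permitted by {classes}")
    return sorted(problems)


def add_posix_account(entry, uid_number, gid_number, home_directory,
                      login_shell="/bin/bash"):
    """Return a copy of a person entry with posixAccount and every attribute
    it requires added in one step; adding them together is what keeps the
    modify from tripping an objectClass violation on the server."""
    new = {name: list(values) for name, values in entry.items()}
    new.setdefault("objectClass", [])
    if "posixAccount" not in new["objectClass"]:
        new["objectClass"].append("posixAccount")
    new["uidNumber"] = [str(uid_number)]
    new["gidNumber"] = [str(gid_number)]
    new["homeDirectory"] = [home_directory]
    new["loginShell"] = [login_shell]
    return new


# Constructed sample entries (all values made up for the example).
GROUP = {  # gidNumber taken from ${group.idIndex}, as suggested above
    "objectClass": ["top", "posixGroup"],
    "cn": ["unix-admins"],
    "gidNumber": ["10042"],
}
PERSON = {  # a person as provisioned today: no posix attributes at all
    "objectClass": ["top", "inetOrgPerson"],
    "cn": ["Drew Example"],
    "sn": ["Example"],
    "uid": ["dexample"],
}

if __name__ == "__main__":
    print("group:", check_entry(GROUP) or "ok")
    print("group + uidNumber:", check_entry({**GROUP, "uidNumber": ["1"]}))
    print("person + uid/gid only:",
          check_entry({**PERSON, "uidNumber": ["20001"], "gidNumber": ["10042"]}))
    print("person + posixAccount:",
          check_entry(add_posix_account(PERSON, 20001, 10042, "/home/dexample")) or "ok")
```

The checker only knows the four classes listed, so it is a reasoning aid for the thread's question, not a replacement for the directory's real schema; the useful habit it shows is checking the MUST set of every class you are about to add before the provisioner issues the modify.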

 


From: <> on behalf of Black, Carey M. <>
Sent: Friday, June 2, 2017 3:53 PM
To: Drew Zebrowski;
Subject: [grouper-users] RE: Attribute Based Provisioning - PSPNG

 

Drew,

I think you are not looking at this the right way. (But I am not an expert at Grouper or specifically the PSPNG part.)

If you have not bumped into this page, it looks relevant.

REF: https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG#GrouperProvisioning:PSPNG-POSIXGROUPS

Specifically, I think this looks “wrong” to me.

changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = gidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = uidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}

You are trying to insert random integers for the gid and uid for the user. I doubt that is really what you want (on every “provisioning” of the user/groups).

My guess is that you would want to assign a value (using Grouper to be the “authoritative source”) then send those values out to the connected system(s).

REF: https://spaces.internet2.edu/display/Grouper/Getting+started+with+hooks2 (Note: this is circa 2011… YMMV)

“Hooks Example - Assign a UNIX ID to Each New Group”

REF: https://spaces.internet2.edu/display/Grouper/Integer+IDs+on+Grouper+objects (NOTE: circa 2012… YMM Improve? Looks more civilized. :) )

“In Grouper 2.2+ the main Grouper objects in the database (groups, folders, attribute definitions, attribute names) will be assigned unique integers. These integers can be used, for instance, as UNIX GIDs.”

Hope that helps.

--

Carey Matthew

 

From: [] On Behalf Of Drew Zebrowski
Sent: Friday, June 2, 2017 2:44 PM
To:
Subject: [grouper-users] Attribute Based Provisioning - PSPNG

 

We are working on a way to provision posixAccount objectclass attributes for users and are looking at using Grouper to see if we can do this. I am new to Grouper and don’t have much experience with using the PSPNG component.

Here is our end-goal: provision out the following attributes to an LDAP Person Entry.

- Generate objectclass: posixAccount
- Generate uidNumber: <Random Number>
- Generate gidNumber: <Random Number>

In grouper-loader.properties, I tried the following, which defines multiple attribute/value pairs. It doesn’t appear as though Grouper handles this, since the LDAP returns an ObjectClass Violation.

# User gidNumber Provisioning
changeLog.consumer.pspng_secsds_gidNumber.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_secsds_gidNumber.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
changeLog.consumer.pspng_secsds_gidNumber.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_secsds_gidNumber.retryOnError = true
changeLog.consumer.pspng_secsds_gidNumber.ldapPoolName = secsds
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = objectclass
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = posixAccount
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = gidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = uidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
changeLog.consumer.pspng_secsds_gidNumber.userSearchBaseDn = cn=users,o=tjuh
changeLog.consumer.pspng_secsds_gidNumber.userSearchFilter = uid=${subject.id}

Is this a supported function of the loader? Can it provision objectclasses along with the required attributes through the attribute provisioner, or is this not designed to work that way? Has anyone done this sort of thing and is willing to share their experience? Thanks.

 

Drew Zebrowski

Thomas Jefferson University
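As an added example (not from the thread, from Grouper or from PSPNG), the Python below parses the grouper-loader.properties excerpt in the message above under the last-occurrence-wins rule of java.util.Properties, which Grouper's property loading is assumed here to follow. It makes two things visible that the thread discusses: the repeated provisionedAttributeName/provisionedAttributeValueFormat keys collapse to a single pair, so the consumer is only ever asked for uidNumber and never for the posixAccount objectclass (one way to end up with an objectClass violation), and the Random-based value format is flagged because it cannot yield a stable uidNumber across provisioning runs, the point Carey raises. Whether LdapAttributeProvisioner can set objectclass at all is left open in the thread and is not settled by this script. The property text is embedded as a constant so the script runs offline.

```python
import re

# Constructed from the grouper-loader.properties excerpt in the message above.
PROPERTIES_TEXT = """\
# User gidNumber Provisioning
changeLog.consumer.pspng_secsds_gidNumber.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_secsds_gidNumber.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
changeLog.consumer.pspng_secsds_gidNumber.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_secsds_gidNumber.retryOnError = true
changeLog.consumer.pspng_secsds_gidNumber.ldapPoolName = secsds
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = objectclass
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = posixAccount
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = gidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeName = uidNumber
changeLog.consumer.pspng_secsds_gidNumber.provisionedAttributeValueFormat = ${new(java.util.Random).nextInt()}
changeLog.consumer.pspng_secsds_gidNumber.userSearchBaseDn = cn=users,o=tjuh
changeLog.consumer.pspng_secsds_gidNumber.userSearchFilter = uid=${subject.id}
"""

CONSUMER = "changeLog.consumer.pspng_secsds_gidNumber."

# key, optional '=' or ':' separator, value (value may itself contain '=')
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java-style properties. Returns (effective, duplicates):
    effective maps each key to its last value (java.util.Properties keeps
    the last occurrence, assumed here to match Grouper's loader); duplicates
    maps every key that appeared more than once to all of its values in
    file order."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        match = _LINE.match(line)
        if match:
            seen.setdefault(match.group(1), []).append(match.group(2).strip())
    effective = {key: values[-1] for key, values in seen.items()}
    duplicates = {key: values for key, values in seen.items() if len(values) > 1}
    return effective, duplicates


def effective_attribute(effective, consumer=CONSUMER):
    """The single (attributeName, valueFormat) pair the consumer actually
    receives once duplicate keys have collapsed."""
    return (effective.get(consumer + "provisionedAttributeName"),
            effective.get(consumer + "provisionedAttributeValueFormat"))


def lost_attribute_pairs(duplicates, consumer=CONSUMER):
    """(attributeName, valueFormat) pairs written in the file that never
    reach the consumer because a later line overrode them."""
    names = duplicates.get(consumer + "provisionedAttributeName", [])
    formats = duplicates.get(consumer + "provisionedAttributeValueFormat", [])
    return list(zip(names, formats))[:-1]


def unstable_value_formats(effective):
    """Keys whose value format draws a fresh random number on every
    evaluation: such a uidNumber/gidNumber changes on each provisioning run
    instead of being a stable identifier that Grouper owns."""
    return sorted(key for key, value in effective.items()
                  if key.endswith("provisionedAttributeValueFormat")
                  and "java.util.Random" in value)


if __name__ == "__main__":
    effective, duplicates = parse_properties(PROPERTIES_TEXT)
    print("effective pair:", effective_attribute(effective))
    print("silently dropped:", lost_attribute_pairs(duplicates))
    print("unstable formats:", unstable_value_formats(effective))
```

Run against the excerpt it reports that only the uidNumber/Random pair survives, that the objectclass/posixAccount and gidNumber lines were dropped before the consumer ever saw them, and that the surviving format is non-deterministic. A check like this belongs in review of any provisioner configuration: duplicate keys in a properties file fail silently, and a value format that changes between runs turns an identifier into a moving target for every system downstream.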

 
