
grouper-users - RE: [grouper-users] Quick question re: upgrade from 2.2.2 (PSP) to 2.3.0 (PSPNG)

Subject: Grouper Users - Open Discussion List

  • From: Dave Churchley <>
  • To: Mark Cairney <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Quick question re: upgrade from 2.2.2 (PSP) to 2.3.0 (PSPNG)
  • Date: Fri, 10 Nov 2017 10:04:03 +0000
  • Accept-language: en-GB, en-US

Hi Mark

A few months ago we embarked on a similar project but had to hold off
upgrading our production Grouper system in the end as we came across several
issues with PSPNG which we couldn't get past at the time. I've attached a
couple of email chains with details of the issues we encountered. These might
give you some things to look out for when you're testing. Of course, these
issues might not be important to you, but if you manage to get past them
please let me know!

For now we're still on 2.2.2 with PSP provisioning to AD but we're still very
keen to upgrade to 2.3 and PSPNG when we can.

Regards
Dave Churchley
Newcastle University


>-----Original Message-----
>From: On Behalf Of Mark Cairney
>Sent: 09 November 2017 15:03
>To:
>Subject: [grouper-users] Quick question re: upgrade from 2.2.2 (PSP) to 2.3.0 (PSPNG)
>
>Hi,
>
>We're about to embark on upgrading our Grouper instance and we plan on
>migrating from the PSP to PSPNG.
>
>1. Do the upgrade scripts make any attempt at transferring the
>configuration?
>
>2. Is it possible/feasible to provision multiple LDAP directories from a
>single PSPNG instance? We struggled with this with our PSP install and
>ended up having 2 instances feeding AD and OpenLDAP independently.
>
>Kind regards,
>
>Mark
>
>--
>/****************************
>
>Mark Cairney
>ITI Enterprise Services
>Information Services
>University of Edinburgh
>
>Tel: 0131 650 6565
>Email:
>
>PGP: 0x435A9621
>
>*******************************/
>
>The University of Edinburgh is a charitable body, registered in
>Scotland, with registration number SC005336.
--- Begin Message ---
  • From: Dave Churchley <>
  • To: "Bee-Lindgren, Bert" <>, Grouper-Users <>
  • Subject: [grouper-users] RE: PSPNG issues
  • Date: Mon, 31 Jul 2017 16:00:29 +0000
  • Accept-language: en-GB, en-US
  • List-archive: <https://lists.internet2.edu/sympa/arc/grouper-users>
  • List-id: <grouper-users.internet2.edu>

Hello again

 

Following on from point 1 below, I’d like to add a name change to the list as well. When we change the name of a group we get something like this in grouper_error.log and no changes in AD:

 

Work item handled: ProvisioningWorkItem[successful=true,msg=Nothing to do (not a supported change),clog=clog #4279617 / ChangeLog type: group: updateGroup]

 

Is what constitutes a “supported change” configurable?

 

If we subsequently add more members to the group, we get a new group in AD, with the new name and only containing the new members. The old group, with the old members, remains in AD. I’m sure this can’t be expected behaviour?

 

Thanks
Dave

 

From: [mailto:] On Behalf Of Dave Churchley
Sent: 26 July 2017 17:22
To: Bee-Lindgren, Bert <>; Grouper-Users <>
Subject: [grouper-users] RE: PSPNG issues

 

Thanks Bert

 

Are you also able to provide any comments or advice on the other issues I’m facing?

1. When I move or delete a group in Grouper, that change is not going through to AD

2. When PSP-NG can’t update AD, the whole process gets stuck and no other updates go through. It doesn’t skip the one it’s having a problem with.

 

As I said before, I’m not sure if this is an issue with PSP-NG or with my config so any advice would be welcome!

 

Thanks
Dave

 

 

From: Bee-Lindgren, Bert []
Sent: 26 July 2017 16:41
To: Dave Churchley <>; Grouper-Users <>
Subject: Re: PSPNG issues

 

bushyDn should already do all the escaping that is necessary. It was tested with OU commas and escapeLdapRdn was tested with group-name commas, but I'm duplicating and patching the problem with bushyDn and group-name commas/pluses.

 


From: <> on behalf of Dave Churchley <>
Sent: Tuesday, July 25, 2017 12:13 PM
To: Grouper-Users
Subject: [grouper-users] RE: PSPNG issues

 

Good afternoon

I see that Bert has released a patch for issue https://bugs.internet2.edu/jira/browse/GRP-1533

I've installed the patch but I'm still seeing the same issue (with + and , for example).

I suspect that I need to do something with utils.escapeLdapRdn(string) in grouper-loader.properties. I've tried various things but haven't been able to work it out yet. Any advice, please?

I've attached the relevant part of grouper-loader.properties.

Thanks
Dave

>-----Original Message-----
>From: [mailto:grouper-users-
>] On Behalf Of Dave Churchley
>Sent: 19 July 2017 14:43
>To: Grouper-Users <>
>Subject: [grouper-users] RE: PSPNG issues
>
>Just to add to number 1 below, it seems that PSPNG also struggles with plus
>signs, parentheses and spaces in group names. This could be related to
>https://bugs.internet2.edu/jira/browse/GRP-1533?
>
>Thanks
>Dave
>
>>-----Original Message-----
>>From: [mailto:grouper-users-
>>] On Behalf Of Dave Churchley
>>Sent: 18 July 2017 16:56
>>To: Grouper-Users <>
>>Subject: [grouper-users] PSPNG issues
>>
>>Hi
>>
>>I'm currently testing PSPNG provisioning to a test AD. So far, I really like what I
>>see but I've now run into a couple of snags.
>>
>>1. I get an error when the Grouper group name has multiple consecutive
>>asterisks, eg LIBR_Auto_CEG****. The old PSP service could handle this group
>>name. I've attached an extract from grouper_error.log to show the error.
>>
>>2. Related to the above, when the full sync can't provision a group, it appears
>>to get stuck and retry every second. This means that it will never complete. I
>>think it would be preferable to write a nice error and then skip that group.
>>
>>I'm not sure if these are real issues or if I'm doing something wrong, so any
>>advice would be appreciated! Also, is there a gsh command to force PSPNG to
>>sync a specific group? Similar to the old PSP?
>>
>>Thanks
>>Dave
>>
>>Dave Churchley
>>Newcastle University


--- End Message ---
--- Begin Message ---
  • From: "Bee-Lindgren, Bert" <>
  • To: Dave Churchley <>, Grouper-Users <>
  • Subject: [grouper-users] Re: PSPNG issues
  • Date: Tue, 1 Aug 2017 23:31:04 +0000
  • Accept-language: en-US
  • List-archive: <https://lists.internet2.edu/sympa/arc/grouper-users>
  • List-id: <grouper-users.internet2.edu>

Hello,


PSPNG 2.3 Patch 14 now makes sure that the escaping sticks all the way through the expressions and into LDAP; there was a gap in that process as Patch 13 implemented it.


In response to several of your other problems, my next task is to (as quickly as possible) address the updates that do not get propagated to LDAP groups name/description (GRP-1345) and DN (GRP-1346).


Thanks,
  Bert Bee-Lindgren


From: Bee-Lindgren, Bert
Sent: Wednesday, July 26, 2017 11:40 AM
To: Dave Churchley; Grouper-Users
Subject: Re: PSPNG issues
 

bushyDn should already do all the escaping that is necessary. It was tested with OU commas and escapeLdapRdn was tested with group-name commas, but I'm duplicating and patching the problem with bushyDn and group-name commas/pluses.




From: <> on behalf of Dave Churchley <>
Sent: Tuesday, July 25, 2017 12:13 PM
To: Grouper-Users
Subject: [grouper-users] RE: PSPNG issues
 
Good afternoon

I see that Bert has released a patch for issue https://bugs.internet2.edu/jira/browse/GRP-1533

I've installed the patch but I'm still seeing the same issue (with + and , for example).

I suspect that I need to do something with utils.escapeLdapRdn(string) in grouper-loader.properties. I've tried various things but haven't been able to work it out yet. Any advice, please?

I've attached the relevant part of grouper-loader.properties.

Thanks
Dave

>-----Original Message-----
>From: [mailto:grouper-users-
>] On Behalf Of Dave Churchley
>Sent: 19 July 2017 14:43
>To: Grouper-Users <>
>Subject: [grouper-users] RE: PSPNG issues
>
>Just to add to number 1 below, it seems that PSPNG also struggles with plus
>signs, parentheses and spaces in group names. This could be related to
>https://bugs.internet2.edu/jira/browse/GRP-1533?
>
>Thanks
>Dave
>
>>-----Original Message-----
>>From: [mailto:grouper-users-
>>] On Behalf Of Dave Churchley
>>Sent: 18 July 2017 16:56
>>To: Grouper-Users <>
>>Subject: [grouper-users] PSPNG issues
>>
>>Hi
>>
>>I'm currently testing PSPNG provisioning to a test AD. So far, I really like what I
>>see but I've now run into a couple of snags.
>>
>>1. I get an error when the Grouper group name has multiple consecutive
>>asterisks, eg LIBR_Auto_CEG****. The old PSP service could handle this group
>>name. I've attached an extract from grouper_error.log to show the error.
>>
>>2. Related to the above, when the full sync can't provision a group, it appears
>>to get stuck and retry every second. This means that it will never complete. I
>>think it would be preferable to write a nice error and then skip that group.
>>
>>I'm not sure if these are real issues or if I'm doing something wrong, so any
>>advice would be appreciated! Also, is there a gsh command to force PSPNG to
>>sync a specific group? Similar to the old PSP?
>>
>>Thanks
>>Dave
>>
>>Dave Churchley
>>Newcastle University

--- End Message ---
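
Added example, not part of the list thread and not PSPNG code: the messages above concern group names containing commas, plus signs, parentheses and asterisks reaching LDAP. This sketch shows the two standard escaping rules that apply to such names, RFC 4514 for a value placed in a DN and RFC 4515 for a value placed in a search filter. The function names, the base DN and the first sample name are constructed for illustration, and it does not assume which of the two PSPNG was tripping over.

```python
# Added example: RFC 4514 (DN) and RFC 4515 (search filter) escaping.
# Function names, BASE and the first sample name are constructed for this demo.

DN_SPECIAL = set('"+,;<>\\')           # must be escaped anywhere in an RDN value
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
BASE = "OU=Groups,DC=example,DC=org"   # constructed base DN


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_dn(name: str, base: str = BASE) -> str:
    return f"CN={escape_rdn_value(name)},{base}"


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas; enough to count RDNs in this demo."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2]); i += 2      # keep the escaped pair together
        elif dn[i] == ",":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    for name in ["Staff, Library (A+B)", "LIBR_Auto_CEG****"]:
        naive = f"CN={name},{BASE}"
        print(name, "| naive RDNs:", len(split_rdns(naive)),
              "| escaped:", group_dn(name), "| filter:", f"(cn={escape_filter_value(name)})")
```

Asterisks and parentheses pass through DN escaping unchanged and only need escaping when the name is used in a search filter, which is why the two functions have to be applied at different points.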


