Grouper Users - Open Discussion List

["Bee-Lindgren, Bert" <>]

Hello,

Here is what should be expected with group deletion:

1) Group deletion actions should be propagated to the ldap server regardless of the grouperIsAuthoritative setting. During this process, the following might be logged

If the query for point-in-time group information failed when getting ready to delete the group:

          workItem.markAsSkippedAndWarn("Ignoring group-deletion event because group information was not found in grouper");

If the group was not found in an ldap search   

      LOG.warn("Nothing to do: Unable to delete group {} because the group wasn't found on target system", grouperGroupInfo);

If the group was found by an ldap search
    LOG.info("Deleting group {} by deleting DN {}", grouperGroupInfo, dn);
   

2) If the grouperIsAuthoritative setting is true, then scheduled FullSyncs will include a "Group Cleanup" process: comparison of all the marked-for-provisioning groups in grouper with all the groups found by an allGroupsSearchFilter search on base groupSearchBaseDn. This process logs some of the following:

FYI, if Grouper is not authoritative, the FullSync schedule should log:

     LOG.warn("{}: Ignoring group-cleanup because grouper is not authoritative", getName());

The start of the Group Cleanup:
      LOG.info("{}: Starting Group Cleanup ({})", getName(), queueItem.reason);

Progress is logged at debug level:

    LOG.debug("Doing ldap search: <filter> / <base> / <attributes>",

After the group-list comparisons are done:

    LOG.info("{}: There are {} groups that we should delete", getName(), groupsToDelete.size());

    (This will log "There are 0 groups that we should delete" if everything is in sync)

For each extra group found in LDAP (that is not in Grouper or is not labeled for provisioning):

    LOG.info("{}: Deleting LDAP object: {}", ldapSystemName, dnToDelete);

The end of the Group Cleanup:

      LOG.info("{}: Group-cleanup done. Stats: {}", getName(), queueItem.stats);

3) When supportsEmptyGroups=false: The removal of the last member of a group should cause the ldap group to be deleted regardless of the grouperIsAuthoritative flag.


It seems clear that your experiences don't match these expectations, particularly in that you're seeing changelog-event-triggered group-deletion depend on the grouperIsAuthoritative setting. As listed above, there are several INFO-level messages logged during this processing. I don't see problems with your configuration.

Can you run with such logging enabled and forward it to me?


Sincerely,
  Bert Bee-Lindgren

---

From: <> on behalf of Yoann Delattre <>
Sent: Thursday, February 1, 2018 2:45 AM
To:
Subject: Re: [grouper-users] [PSPNG] Not deleting groups in LDAP

 

Hello !

anyone ?

Thanks !
Yoann

Le 18/12/2017 à 09:22, Yoann Delattre a écrit :

Hello everyone,

for summarise :

When grouperIsAuthoritative is set to true, a group deleted in Grouper are not deleted in LDAP.
No problem when i create groups or delete members : all this changes are provisioned correctly in the LDAP.

Has anyone ran into this issue?

Thanks,
Yoann.

Le 11/12/2017 à 16:02, Yoann Delattre a écrit :

grouperIsAuthoritative was set to true.
So i tried set it to false, and now it works...Strange :-/

maybe something wrong with my conf ?

changeLog.consumer.pspng_brancheGrouper.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_brancheGrouper.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_brancheGrouper.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_brancheGrouper.ldapPoolName = aclille
changeLog.consumer.pspng_brancheGrouper.memberAttributeName = uniqueMember
changeLog.consumer.pspng_brancheGrouper.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_brancheGrouper.groupSearchBaseDn = ou=Grouper,ou=xxxxx,o=yyyy,c=zz
changeLog.consumer.pspng_brancheGrouper.allGroupsSearchFilter = objectclass=groupOfUniqueNames
changeLog.consumer.pspng_brancheGrouper.singleGroupSearchFilter = (&(objectclass=groupOfUniqueNames)(cn=${group.name}))
changeLog.consumer.pspng_brancheGrouper.groupSearchAttributes = cn,objectclass
changeLog.consumer.pspng_brancheGrouper.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfUniqueNames||objectclass: educationnationale
changeLog.consumer.pspng_brancheGrouper.userSearchBaseDn = ou=people,ou=xxxxx,o=yyyy,c=zz
changeLog.consumer.pspng_brancheGrouper.userSearchFilter = uid=${subject.id}
changeLog.consumer.pspng_brancheGrouper.grouperIsAuthoritative = false

Thanks for your help !

Yoann

Le 11/12/2017 à 15:18, Jeffrey Williams a écrit :

Hi Yoann,

My first thought was whether you had grouperIsAuthoritative set?

from: https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG

Should groups in the groupSearchBaseDn/allGroupSearchFilter be removed if they no longer exist in Grouper?

By default, it is set to FALSE, which sounds like the behavior you're experiencing.

On Mon, Dec 11, 2017 at 9:11 AM, Yoann Delattre <> wrote:

Hello everyone,

i have a problem with the PSPNG : a group deleted in Grouper are not deleted in LDAP.
It's weird because i have c

I get this in the log :

2017-12-11 11:39:00,045: [DefaultQuartzScheduler_Worker-9] INFO  ProvisioningWorkItem.setStatus(143) -  - Work item handled: ProvisioningWorkItem[successful=true,msg=Ignoring work item because group is not provisioned,clog=clog #3921904 / ChangeLog type: group: deleteGroup,group=test-pspng4:test-2]

Anyone encounter this issue ?

Thanks for your help,
Yoann

--

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)