Re: [grouper-users] [PSPNG] Not deleting groups in LDAP

  From: "Bee-Lindgren, Bert"
  To: Yoann Delattre
  Subject: Re: [grouper-users] [PSPNG] Not deleting groups in LDAP
  Date: Sat, 3 Feb 2018 17:47:31 +0000
Here is what should be expected with group deletion:

1) Group deletion actions should be propagated to the ldap server regardless of the grouperIsAuthoritative setting. During this process, the following might be logged:

If the query for point-in-time group information failed when getting ready to delete the group:

    workItem.markAsSkippedAndWarn("Ignoring group-deletion event because group information was not found in grouper");

If the group was not found in an ldap search:

    LOG.warn("Nothing to do: Unable to delete group {} because the group wasn't found on target system", grouperGroupInfo);

If the group was found by an ldap search:

    LOG.info("Deleting group {} by deleting DN {}", grouperGroupInfo, dn);

2) If the grouperIsAuthoritative setting is true, then scheduled FullSyncs will include a "Group Cleanup" process: comparison of all the marked-for-provisioning groups in grouper with all the groups found by an allGroupsSearchFilter search on base groupSearchBaseDn. This process logs some of the following:

FYI, if Grouper is not authoritative, the FullSync schedule should log:

    LOG.warn("{}: Ignoring group-cleanup because grouper is not authoritative", getName());

The start of the Group Cleanup:

    LOG.info("{}: Starting Group Cleanup ({})", getName(), queueItem.reason);

Progress is logged at debug level:

    LOG.debug("Doing ldap search: <filter> / <base> / <attributes>",

After the group-list comparisons are done:

    LOG.info("{}: There are {} groups that we should delete", getName(), groupsToDelete.size());

(This will log "There are 0 groups that we should delete" if everything is in sync.)

For each extra group found in LDAP (that is not in Grouper or is not labeled for provisioning):

    LOG.info("{}: Deleting LDAP object: {}", ldapSystemName, dnToDelete);

The end of the Group Cleanup:

    LOG.info("{}: Group-cleanup done. Stats: {}", getName(), queueItem.stats);

3) When supportsEmptyGroups=false: The removal of the last member of a group should cause the ldap group to be deleted regardless of the grouperIsAuthoritative flag.

It seems clear that your experiences don't match these expectations, particularly in that you're seeing changelog-event-triggered group-deletion depend on the grouperIsAuthoritative setting. As listed above, there are several INFO-level messages logged during this processing. I don't see problems with your configuration.

Can you run with such logging enabled and forward it to me?

  Bert Bee-Lindgren
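
The three cases Bert lists above (changelog deleteGroup events, the FullSync Group Cleanup, and supportsEmptyGroups=false) as an added Python model for readers following the thread. This is illustration code, not PSPNG's own implementation: the functions, the in-memory `ldap_dns` set standing in for an allGroupsSearchFilter search, and the assumption that a group's cn is its Grouper name (as in the `dn: cn=${}` template in Yoann's config) are all constructed here; the log messages are the ones quoted in Bert's message and in Yoann's log excerpt.

```python
"""Model of PSPNG group-deletion decisions as described in the thread.

Added illustration only (not PSPNG code). All names below are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

BASE = "ou=Grouper,ou=xxxxx,o=yyyy,c=zz"  # groupSearchBaseDn from the posted config


@dataclass(frozen=True)
class ProvisionerConfig:
    # The two settings the thread turns on; field names are this model's own.
    grouper_is_authoritative: bool
    supports_empty_groups: bool = True
    group_search_base_dn: str = BASE


def group_dn(cfg: ProvisionerConfig, group_name: str) -> str:
    # Assumption: cn is the Grouper group name ("dn: cn=${}" in the ldif template).
    return f"cn={group_name},{cfg.group_search_base_dn}"


def handle_delete_group_event(cfg: ProvisionerConfig, group_name: str,
                              pit_info: Optional[dict], ldap_dns: Iterable[str]):
    """Case 1: a changelog deleteGroup event. grouperIsAuthoritative is not consulted.

    pit_info is None when the point-in-time lookup failed, otherwise a dict whose
    'provisioned' flag says whether the group was marked for provisioning.
    Returns (dn_deleted_or_None, log_message)."""
    if pit_info is None:
        return None, "Ignoring group-deletion event because group information was not found in grouper"
    if not pit_info.get("provisioned", False):
        # The message in Yoann's log: the group was never marked for provisioning.
        return None, "Ignoring work item because group is not provisioned"
    dn = group_dn(cfg, group_name)
    if dn not in set(ldap_dns):
        return None, (f"Nothing to do: Unable to delete group {group_name} "
                      "because the group wasn't found on target system")
    return dn, f"Deleting group {group_name} by deleting DN {dn}"


def full_sync_group_cleanup(cfg: ProvisionerConfig, provisioned_groups: Iterable[str],
                            ldap_dns: Iterable[str]):
    """Case 2: FullSync Group Cleanup. Compares groups marked for provisioning in
    Grouper with every entry the allGroupsSearchFilter search returns under
    groupSearchBaseDn, and deletes the extras, but only when Grouper is authoritative.
    Returns (dns_to_delete, log_lines)."""
    log = []
    if not cfg.grouper_is_authoritative:
        log.append("Ignoring group-cleanup because grouper is not authoritative")
        return [], log
    log.append("Starting Group Cleanup")
    expected = {group_dn(cfg, g) for g in provisioned_groups}
    base_suffix = "," + cfg.group_search_base_dn.lower()
    # Only entries under groupSearchBaseDn are in scope for the comparison.
    in_scope = {dn for dn in ldap_dns if dn.lower().endswith(base_suffix)}
    to_delete = sorted(in_scope - expected)
    log.append(f"There are {len(to_delete)} groups that we should delete")
    for dn in to_delete:
        log.append(f"Deleting LDAP object: {dn}")
    log.append(f"Group-cleanup done. Stats: deleted={len(to_delete)}")
    return to_delete, log


def handle_member_removed(cfg: ProvisionerConfig, group_name: str,
                          remaining_members: Iterable[str], ldap_dns: Iterable[str]):
    """Case 3: with supportsEmptyGroups=false, removing the last member deletes the
    LDAP group regardless of grouperIsAuthoritative. Returns the DN to delete or None."""
    dn = group_dn(cfg, group_name)
    if cfg.supports_empty_groups or list(remaining_members) or dn not in set(ldap_dns):
        return None
    return dn


# Constructed sample: two groups provisioned from Grouper, one stale LDAP entry,
# and one entry outside groupSearchBaseDn that cleanup must leave alone.
SAMPLE_LDAP_DNS = frozenset({
    f"cn=test-pspng4:test-1,{BASE}",
    f"cn=test-pspng4:test-2,{BASE}",
    f"cn=old-group,{BASE}",
    "cn=unrelated,ou=people,ou=xxxxx,o=yyyy,c=zz",
})


if __name__ == "__main__":
    for authoritative in (False, True):
        cfg = ProvisionerConfig(grouper_is_authoritative=authoritative)
        print(f"--- grouperIsAuthoritative={authoritative}")
        print(handle_delete_group_event(cfg, "test-pspng4:test-2",
                                        {"provisioned": True}, SAMPLE_LDAP_DNS)[1])
        _, lines = full_sync_group_cleanup(cfg, ["test-pspng4:test-1", "test-pspng4:test-2"],
                                           SAMPLE_LDAP_DNS)
        print("\n".join(lines))
```

Running the script with both settings shows the point of Bert's message: the deleteGroup event produces "Deleting group ... by deleting DN ..." either way, and only the FullSync cleanup branch changes with grouperIsAuthoritative.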

From: Yoann Delattre
Sent: Thursday, February 1, 2018 2:45 AM
Subject: Re: [grouper-users] [PSPNG] Not deleting groups in LDAP

Hello!

Anyone?

Thanks!

On 18/12/2017 at 09:22, Yoann Delattre wrote:

Hello everyone,

To summarise:

When grouperIsAuthoritative is set to true, a group deleted in Grouper is not deleted in LDAP.
No problem when I create groups or delete members: all these changes are provisioned correctly in the LDAP.

Has anyone run into this issue?

On 11/12/2017 at 16:02, Yoann Delattre wrote:

grouperIsAuthoritative was set to true.
So I tried setting it to false, and now it works... Strange :-/

Maybe something wrong with my conf?

changeLog.consumer.pspng_brancheGrouper.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_brancheGrouper.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_brancheGrouper.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_brancheGrouper.ldapPoolName = aclille
changeLog.consumer.pspng_brancheGrouper.memberAttributeName = uniqueMember
changeLog.consumer.pspng_brancheGrouper.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_brancheGrouper.groupSearchBaseDn = ou=Grouper,ou=xxxxx,o=yyyy,c=zz
changeLog.consumer.pspng_brancheGrouper.allGroupsSearchFilter = objectclass=groupOfUniqueNames
changeLog.consumer.pspng_brancheGrouper.singleGroupSearchFilter = (&(objectclass=groupOfUniqueNames)(cn=${}))
changeLog.consumer.pspng_brancheGrouper.groupSearchAttributes = cn,objectclass
changeLog.consumer.pspng_brancheGrouper.groupCreationLdifTemplate = dn: cn=${}||cn: ${}||objectclass: groupOfUniqueNames||objectclass: educationnationale
changeLog.consumer.pspng_brancheGrouper.userSearchBaseDn = ou=people,ou=xxxxx,o=yyyy,c=zz
changeLog.consumer.pspng_brancheGrouper.userSearchFilter = uid=${}
changeLog.consumer.pspng_brancheGrouper.grouperIsAuthoritative = false

Thanks for your help!


On 11/12/2017 at 15:18, Jeffrey Williams wrote:
Hi Yoann,

My first thought was whether you had grouperIsAuthoritative set?

Should groups in the groupSearchBaseDn/allGroupSearchFilter be removed if they no longer exist in Grouper?

By default, it is set to FALSE, which sounds like the behavior you're experiencing.

On Mon, Dec 11, 2017 at 9:11 AM, Yoann Delattre wrote:

Hello everyone,

I have a problem with the PSPNG: a group deleted in Grouper is not deleted in LDAP.
It's weird because I have c

I get this in the log:

2017-12-11 11:39:00,045: [DefaultQuartzScheduler_Worker-9] INFO  ProvisioningWorkItem.setStatus(143) -  - Work item handled: ProvisioningWorkItem[successful=true,msg=Ignoring work item because group is not provisioned,clog=clog #3921904 / ChangeLog type: group: deleteGroup,group=test-pspng4:test-2]

Anyone encounter this issue?

Thanks for your help,


Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)

