Grouper Users - Open Discussion List

[Dave Churchley <>]

Hi Bert

 

We’ve recently started looking at PSPNG again. I have a fully patched Grouper 2.3.0 but we’re still experiencing provisioning errors when a group name has special characters in it. I’m assuming I’ve got a configuration error in my groupCreationLdifTemplate but I’ve tried all sorts of different combinations and haven’t been able to get it to work yet.

 

I haven’t been able to find any definitive documentation. Is it possible to update the info at https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG#GrouperProvisioning:PSPNG-ACTIVEDIRECTORYGROUPS? Or is there somewhere else I should be looking?

 

For info, this is where we’ve got to so far:

 

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name,"cn","ou")}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: group||samaccountname: ${grouperUtil.extensionFromName(name)}||description: ${group.description} ${grouperUtil.extensionFromName(name)}

 

Any suggestions would be more than welcome!

 

I’ve just spotted that https://bugs.internet2.edu/jira/browse/GRP-1533 has been reopened. Is it actually the case that there isn’t a solution to this yet?

 

Thanks
Dave

 

 

 

From: [mailto:] On Behalf Of Bee-Lindgren, Bert
Sent: 02 August 2017 00:31
To: Dave Churchley <>; Grouper-Users <>
Subject: [grouper-users] Re: PSPNG issues

 

Hello,

 

PSPNG 2.3 Patch 14 now makes sure that the escaping sticks all the way through the expressions and into LDAP; there was a gap in that process as Patch 13 implemented it.

 

In response to several of your other problems, my next task is to (as quickly as possible) address the updates that do not get propagated to LDAP groups name/description (GRP-1345) and DN (GRP-1346).

 

Thanks,

  Bert Bee-Lindgren

 

---

From: Bee-Lindgren, Bert
Sent: Wednesday, July 26, 2017 11:40 AM
To: Dave Churchley; Grouper-Users
Subject: Re: PSPNG issues

 

bushyDn should already do all the escaping that is necessary. It was tested with OU commas and escapleLdapRdn was tested with group-name commas, but I'm duplicating and patching the problem with bushyDn and group-name commas/pluses. 

---

From: <> on behalf of Dave Churchley <>
Sent: Tuesday, July 25, 2017 12:13 PM
To: Grouper-Users
Subject: [grouper-users] RE: PSPNG issues

 

Good afternoon

I see that Bert has released a patch for issue https://bugs.internet2.edu/jira/browse/GRP-1533

I've installed the patch but I'm still seeing the same issue (with  + and , for example).

I suspect that I need to do something with utils.escapeLdapRdn(string) in grouper-loader.properties. I've tried various things but haven't been able to work it out yet. Any advice, please?

I've attached the relevant part of grouper-loader.properties.

Thanks
Dave

>-----Original Message-----
>From: [mailto:grouper-users-
>] On Behalf Of Dave Churchley
>Sent: 19 July 2017 14:43
>To: Grouper-Users <>
>Subject: [grouper-users] RE: PSPNG issues
>
>Just to add to number 1 below, it seems that PSPNG also struggles with plus
>signs, parentheses and spaces in group names. This could be related to
>https://bugs.internet2.edu/jira/browse/GRP-1533?
>
>Thanks
>Dave
>
>>-----Original Message-----
>>From: [mailto:grouper-users-
>>] On Behalf Of Dave Churchley
>>Sent: 18 July 2017 16:56
>>To: Grouper-Users <>
>>Subject: [grouper-users] PSPNG issues
>>
>>Hi
>>
>>I'm currently testing PSPNG provisioning to a test AD. So far, I really like what
>I
>>see but I've now run into a couple of snags.
>>
>>1. I get an error when the Grouper group name has multiple consecutive
>>asterisks, eg LIBR_Auto_CEG****. The old PSP service could handle this
>group
>>name. I've attached the an extract from grouper_error.log to show the
>error.
>>
>>2. Related to the above, when the full sync can't provision a group, it appears
>>to get stuck and retry ever second. This means that it will never complete. I
>>think it would be preferable to write a nice error and then skip that group.
>>
>>I'm not sure if these are real issues or if I'm doing something wrong, so any
>>advice would be appreciated! Also, is there a gsh command to force PSPNG
>to
>>sync a specific group? Similar to the old PSP?
>>
>>Thanks
>>Dave
>>
>>Dave Churchley
>>Newcastle University