
grouper-users - Re: [grouper-users] PSPNG how to provision only direct members

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] PSPNG how to provision only direct members


  • From: "Bee-Lindgren, Bert" <>
  • To: Sam Erie <>, "" <>
  • Subject: Re: [grouper-users] PSPNG how to provision only direct members
  • Date: Wed, 25 Jul 2018 15:47:01 +0000

There is no way today to configure PSPNG to provision nested Grouper groups as nested LDAP groups.


There are three main reasons for this:

1) LDAP servers often do not unwind the nesting, so applications need to have code to identify and handle nested groups. I know Active Directory does flatten memberships for applications, so this doesn't apply to your use case, but just explains why other LDAP servers don't benefit.


2) The "only provision subject memberships" approach works across all groups (composite, etc.) while other group types would need to be handled separately because group-math, etc. cannot be represented within most (all?) LDAP servers.


3) When groups are nested, they obviously all need to be provisioned into the target LDAP server, complicating the marking of groups for provisioning or making the resultant groups incomplete.



I understand the awesome transparency that comes from seeing group-nesting within the LDAP server. And there might be some performance benefits, as there are when nested-groups are used within grouper-loader-maintained groups. However, only policy groups "should" be provisioned into LDAP, and those tend to be downstream of Group Math and, therefore, need to be flattened. Also, with PSPNG doing the work, I'm not sure how "unwieldy" flattened provisioning really is.


In other words, a new setting can probably be added to nest groups when possible, but the many nestings within Grouper will not actually be able to be represented. 


Let us know what you think and create a Jira if you still wish to see the setting added.


Sincerely,

  Bert Bee-Lindgren






From: <> on behalf of Sam Erie <>
Sent: Friday, July 6, 2018 8:38 PM
To:
Subject: [grouper-users] PSPNG how to provision only direct members
 
I am bumping this in hopes a more clear subject will get me a response.

Is there a way to only provision direct memberships (immediateMembers)?

I have PSPNG set up for some Organizational Groups in AD. The provisioning is working correctly, however the AD Groups are getting all memberships from the Grouper Groups, direct and indirect.

These are major Organizational Groups that need to hold many groups of groups. It will get unwieldy very quickly if it adds every child (indirect member) as a member.
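
An added illustration of reasons 2 and 3 in the reply above; it is not part of either email and is not Grouper or PSPNG code. The group names, members and the dictionary layout are constructed, and the model assumes an acyclic group graph with one "complement" composite standing in for Group Math.

```python
# Toy model, constructed for illustration (not Grouper's or PSPNG's API).
# A group has direct subjects, nested member groups, or is a composite.
GROUPS = {
    "ref:employees":    {"subjects": {"alice", "bob", "carol"}},
    "ref:contractors":  {"subjects": {"dave"}},
    "ref:terminated":   {"subjects": {"carol"}},
    "basis:staff":      {"groups": ["ref:employees", "ref:contractors"]},
    "policy:vpn_allow": {"composite": ("complement", "basis:staff", "ref:terminated")},
    "org:it":           {"subjects": {"erin"}, "groups": ["policy:vpn_allow"]},
}

def effective(name, groups=GROUPS, math=True):
    """Flattened subject membership of a group.

    With math=False a composite is treated as plain nesting of its two
    factors, which is all a nested LDAP group can express (a union)."""
    g = groups[name]
    if "composite" in g:
        op, left, right = g["composite"]
        l = effective(left, groups, math)
        r = effective(right, groups, math)
        if not math:
            return l | r
        return l - r if op == "complement" else l & r
    members = set(g.get("subjects", ()))
    for child in g.get("groups", ()):
        members |= effective(child, groups, math)
    return members

def nesting_requirements(name, groups=GROUPS):
    """Return (groups that must also exist in the target for nesting to be
    complete, composites reached that nesting cannot express)."""
    needed, blocked, stack = set(), set(), [name]
    while stack:
        cur = stack.pop()
        if cur in needed or cur in blocked:
            continue
        if "composite" in groups[cur]:
            blocked.add(cur)  # has to be provisioned flattened
            continue
        needed.add(cur)
        stack.extend(groups[cur].get("groups", ()))
    return needed, blocked

if __name__ == "__main__":
    print("flattened org:it   :", sorted(effective("org:it")))
    print("union-only org:it  :", sorted(effective("org:it", math=False)))
    print("nest basis:staff   :", nesting_requirements("basis:staff"))
    print("nest org:it        :", nesting_requirements("org:it"))
```

In this model the union-only view of `policy:vpn_allow` re-admits `carol`, whom the complement excludes, so a target that resolved membership purely by nesting would grant access the policy group denies.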


