
grouper-users - RE: [grouper-users] Trying to use PSPNG for bushy provisioning to Active Directory. Grouper version 2.3.0

Subject: Grouper Users - Open Discussion List

  • From: Siju Jacob <>
  • To: "Crawford, Jeffrey" <>, " Mailing List" <>
  • Subject: RE: [grouper-users] Trying to use PSPNG for bushy provisioning to Active Directory. Grouper version 2.3.0
  • Date: Thu, 16 Aug 2018 18:41:31 +0000

Thanks Jeffrey…

 

From: <> On Behalf Of Crawford, Jeffrey
Sent: Thursday, August 16, 2018 10:56 AM
To: Mailing List <>
Subject: Re: [grouper-users] Trying to use PSPNG for bushy provisioning to Active Directory. Grouper version 2.3.0

 

In the section where you define the dn, you can use some classes to manipulate the string like so:

 

${utils.bushyDn(group.name, "cn", "ou").substring(0, utils.bushyDn(group.name, "cn", "ou").length()-"OU=orgs,OU=rad,OU=ds, ".length())}

 

Jeffrey

 

 

From: <> on behalf of Siju Jacob <>
Date: Monday, August 13, 2018 at 3:06 PM
To: "" <>
Cc: Omer Almatary <>, Nazeer Syed <>, Cyril Phillips <>
Subject: [grouper-users] Trying to use PSPNG for bushy provisioning to Active Directory. Grouper version 2.3.0

 

Hi Team,

     We are using grouper 2.3.0. I am trying to do bushy provisioning of all the groups in grouper stem ds:rad:orgs to active directory.

 

One of the example groups within the ds:rad:orgs stem is as below

 

Root → ds:rad:orgs:10056:10059:ru-FASN - Biological Sciences_Faculty

 

Folder in Active directory to provision all the groups is OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu

 

 

Expected hierarchy in active directory is 

CN=ru-FASN - Biological Sciences_Faculty,OU=10059,OU=10056,OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu

 

Somehow it's provisioning to active directory as below

 

CN=ru-FASN - Biological Sciences_Faculty,OU=10059,OU=10056,OU=orgs,OU=rad,OU=ds,OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu

 

How could I avoid the OU=orgs,OU=rad,OU=ds from the dn name while being provisioned to active directory and achieve the below name as dn? Basically, how could I avoid the owner folder name value from the dn?

CN=ru-FASN - Biological Sciences_Faculty,OU=10059,OU=10056,OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu

 

Below is my grouper loader.properties entry

 

####################################                                                                                              

## PSPNG                                                                                                                           

####################################                                                                                              

# Active Directory Changelog Consumer -- Group Provisioner

changeLog.consumer.pspng_activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner

changeLog.consumer.pspng_activedirectory.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_activedirectory.ldapPoolName = rutgers

changeLog.consumer.pspng_activedirectory.memberAttributeName = member

changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat = ${ldapUser.getDn()}

changeLog.consumer.pspng_activedirectory.groupAttributeName = memberOf

changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = OU=Orgs,OU=Groups,DC=TestRad,DC=Rutgers,DC=Edu

changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = objectclass=group

changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter = (&(objectclass=group)(cn=${grouperUtil.extensionFromName(name)}))

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name,"cn","ou")}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: group

changeLog.consumer.pspng_activedirectory.userSearchBaseDn = OU=people,DC=TestRad,DC=rutgers,DC=edu

changeLog.consumer.pspng_activedirectory.userSearchFilter = employeeID=${subject.id}

changeLog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,distinguishedName,uid,uidNumber,mail,samAccountName,objectclass,employeeID

changeLog.consumer.pspng_activedirectory.isActiveDirectory = true

# Active Directory Changelog Consumer -- User Attribute Provisioner

changeLog.consumer.pspng_attributes.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_attributes.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner

changeLog.consumer.pspng_attributes.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_attributes.retryOnError = true

changeLog.consumer.pspng_attributes.ldapPoolName = rutgers

changeLog.consumer.pspng_attributes.provisionedAttributeName = memberOf

changeLog.consumer.pspng_attributes.provisionedAttributeValueFormat = ${grouperUtil.extensionFromName(name)}

changeLog.consumer.pspng_attributes.userSearchBaseDn = OU=people,DC=TestRad,DC=rutgers,DC=edu

changeLog.consumer.pspng_activedirectory.userSearchFilter = employeeID=${subject.id}

changeLog.consumer.pspng_attributes.userSearchAttributes = dn,cn,distinguishedName,uid,uidNumber,mail,samAccountName,objectclass,employeeID

changeLog.consumer.pspng_attributes.isActiveDirectory = true

 

 

Below is my provision to attribute definition

 

[Inline image: image001.png]

 

     Any advice or guidance will be of great help and would be greatly appreciated..!

 

Thanks,

Siju Jacob
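
Added example, not part of the original messages and not Grouper code: a Python model of the DN string arithmetic discussed in this thread. bushy_rdn() is a hypothetical stand-in for utils.bushyDn(group.name, "cn", "ou"), with its output format inferred from the DNs quoted above; strip_stem_suffix() removes the stem's RDNs only after confirming they really are at the end of the string, instead of trimming a fixed number of characters.

```python
# Added example, not Grouper code. bushy_rdn() is a hypothetical model of what
# utils.bushyDn(group.name, "cn", "ou") yields, inferred from the DNs in the thread.

def bushy_rdn(group_name, leaf_attr="cn", stem_attr="ou"):
    """Leaf RDN first, then the enclosing stems from innermost to outermost."""
    parts = group_name.split(":")
    rdns = [f"{leaf_attr}={parts[-1]}"]
    rdns += [f"{stem_attr}={stem}" for stem in reversed(parts[:-1])]
    return ",".join(rdns)


def strip_stem_suffix(relative_dn, stem_suffix):
    """Drop a trailing ',<stem_suffix>' only when it is really there.

    A blind substring(0, length - n) trims n characters from any DN, so a group
    outside the expected stem, or a suffix literal that is off by one character,
    yields a silently corrupted DN. Matching first turns that into an error.
    """
    tail = "," + stem_suffix
    if not relative_dn.lower().endswith(tail.lower()):
        raise ValueError(f"{relative_dn!r} does not end with {tail!r}")
    return relative_dn[: -len(tail)]


def provisioned_dn(group_name, provisioned_stem, base_dn):
    """DN for a group under provisioned_stem, rooted directly at base_dn."""
    stems = reversed(provisioned_stem.split(":"))
    suffix = ",".join(f"ou={stem}" for stem in stems)
    return strip_stem_suffix(bushy_rdn(group_name), suffix) + "," + base_dn


# Values taken from the thread.
GROUP = "ds:rad:orgs:10056:10059:ru-FASN - Biological Sciences_Faculty"
BASE = "OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu"

if __name__ == "__main__":
    # The unwanted form: stem RDNs repeated in front of the base DN.
    print(bushy_rdn(GROUP) + "," + BASE)
    # The expected form: stem RDNs removed before the base DN is appended.
    print(provisioned_dn(GROUP, "ds:rad:orgs", BASE))
```

A group name that does not sit under the provisioned stem raises ValueError here rather than producing a truncated DN.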

 

 

 



