grouper-users - Re: [grouper-users] Trying to use PSPNG for bushy provisioning to Active Directory. Grouper version 2.3.0
Subject: Grouper Users - Open Discussion List
- From: "Bee-Lindgren, Bert" <>
- To: Siju Jacob <>, " Mailing List" <>
- Cc: Omer Almatary <>, Nazeer Syed <>, Cyril Phillips <>
- Subject: Re: [grouper-users] Trying to use PSPNG for bushy provisioning to Active Directory. Grouper version 2.3.0
- Date: Tue, 5 Feb 2019 14:30:11 +0000
Hello,
I know that this is an old, neglected thread, but I wanted to check if you still have problems with duplicate chains of OU folders?
There are no particularly elegant ways to avoid parts of the group-folder hierarchy in BushyDn provisioning, but there are two brute-force, string-manipulation methods:
1) Ignore the beginning of the GroupName with a substring():
${utils.bushyDn(group.name.substring(12), "cn", "ou")}
2) Remove the parts of the GroupName you don't like:
${utils.bushyDn(group.name.replaceFirst("ds:rad:orgs", ""), "cn", "ou")}
The advantage of (2) is that you can remove multiple, undesirable substrings with regular expressions: replaceFirst("oneBadPrefix|anotherBadPrefix", "")
Anyway, I hope this helps,
Bert Bee-Lindgren
Sent: Monday, August 13, 2018 6:05 PM
To: Mailing List
Cc: Omer Almatary; Nazeer Syed; Cyril Phillips
Subject: [grouper-users] Trying to use PSPNG for bushy provisioning to Active Directory. Grouper version 2.3.0
Hi Team,
We are using Grouper 2.3.0. I am trying to do bushy provisioning of all the groups in the Grouper stem ds:rad:orgs to Active Directory.
One of the example groups within the ds:rad:orgs stem is as below
Root → ds:rad:orgs:10056:10059:ru-FASN - Biological Sciences_Faculty
Folder in Active Directory to provision all the groups is OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu
Expected hierarchy in Active Directory is
CN=ru-FASN - Biological Sciences_Faculty,OU=10059,OU=10056,OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu
Somehow it's provisioning to Active Directory as below
CN=ru-FASN - Biological Sciences_Faculty,OU=10059,OU=10056,OU=orgs,OU=rad,OU=ds,OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu
How could I avoid the OU=orgs,OU=rad,OU=ds in the DN while it is being provisioned to Active Directory and achieve the below name as the DN? Basically, how could I avoid the owner folder name value in the DN?
CN=ru-FASN - Biological Sciences_Faculty,OU=10059,OU=10056,OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu
Below is my grouper loader.properties entry
####################################
## PSPNG
####################################
# Active Directory Changelog Consumer -- Group Provisioner
changeLog.consumer.pspng_activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_activedirectory.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_activedirectory.ldapPoolName = rutgers
changeLog.consumer.pspng_activedirectory.memberAttributeName = member
changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_activedirectory.groupAttributeName = memberOf
changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = OU=Orgs,OU=Groups,DC=TestRad,DC=Rutgers,DC=Edu
changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = objectclass=group
changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter = (&(objectclass=group)(cn=${grouperUtil.extensionFromName(name)}))
changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name,"cn","ou")}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: group
changeLog.consumer.pspng_activedirectory.userSearchBaseDn = OU=people,DC=TestRad,DC=rutgers,DC=edu
changeLog.consumer.pspng_activedirectory.userSearchFilter = employeeID=${subject.id}
changeLog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,distinguishedName,uid,uidNumber,mail,samAccountName,objectclass,employeeID
changeLog.consumer.pspng_activedirectory.isActiveDirectory = true
# Active Directory Changelog Consumer -- User Attribute Provisioner
changeLog.consumer.pspng_attributes.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_attributes.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
changeLog.consumer.pspng_attributes.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_attributes.retryOnError = true
changeLog.consumer.pspng_attributes.ldapPoolName = rutgers
changeLog.consumer.pspng_attributes.provisionedAttributeName = memberOf
changeLog.consumer.pspng_attributes.provisionedAttributeValueFormat = ${grouperUtil.extensionFromName(name)}
changeLog.consumer.pspng_attributes.userSearchBaseDn = OU=people,DC=TestRad,DC=rutgers,DC=edu
changeLog.consumer.pspng_attributes.userSearchFilter = employeeID=${subject.id}
changeLog.consumer.pspng_attributes.userSearchAttributes = dn,cn,distinguishedName,uid,uidNumber,mail,samAccountName,objectclass,employeeID
changeLog.consumer.pspng_attributes.isActiveDirectory = true
Below is my provision to attribute definition
Any advice or guidance will be of great help and would be greatly appreciated!
Thanks,
Siju Jacob
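Added example (not from the thread and not Grouper's own code): a small Python check for trying a DN expression against a group name before it goes into groupCreationLdifTemplate. bushy_dn is an assumed model of utils.bushyDn inferred from the DNs quoted in the thread; the anchored pattern ^ds:rad:orgs: and the group app:vpn:admins are constructed for illustration.

```python
import re

# Values quoted in the thread.
STEM = "ds:rad:orgs"
BASE_DN = "OU=orgs,OU=Groups,DC=rad,DC=rutgers,DC=edu"
GROUP = "ds:rad:orgs:10056:10059:ru-FASN - Biological Sciences_Faculty"
EXPECTED = "CN=ru-FASN - Biological Sciences_Faculty,OU=10059,OU=10056," + BASE_DN

def bushy_dn(name, rdn_attr="CN", ou_attr="OU"):
    """Assumed model of utils.bushyDn: the last ':' element becomes the RDN,
    the parent folders become OUs (innermost first), then the base DN follows.
    No RDN escaping is modelled."""
    parts = name.split(":")
    rdns = [f"{rdn_attr}={parts[-1]}"]
    rdns += [f"{ou_attr}={p}" for p in reversed(parts[:-1])]
    return ",".join(rdns + [BASE_DN])

def by_offset(name, n=len(STEM) + 1):
    """Models group.name.substring(12): 12 == len('ds:rad:orgs:')."""
    return name[n:]

def by_regex(name, pattern):
    """Models group.name.replaceFirst(pattern, '')."""
    return re.sub(pattern, "", name, count=1)

def name_problems(original, transformed):
    """Checks on the names themselves, independent of the bushy_dn model."""
    issues = []
    if "" in transformed.split(":"):
        issues.append("empty path element")
    if not original.startswith(STEM + ":"):
        issues.append("group is outside the stem")
    return issues

def report(name=GROUP):
    """Return {expression: (dn, problems)} for each variant discussed."""
    variants = {
        "group.name": name,
        "substring(12)": by_offset(name),
        'replaceFirst("ds:rad:orgs", "")': by_regex(name, "ds:rad:orgs"),
        'replaceFirst("^ds:rad:orgs:", "")': by_regex(name, r"^ds:rad:orgs:"),
    }
    return {k: (bushy_dn(v), name_problems(name, v)) for k, v in variants.items()}

if __name__ == "__main__":
    for expr, (dn, issues) in report().items():
        ok = dn == EXPECTED and not issues
        print(f"{expr:36} {'OK ' if ok else 'BAD'} {dn} {issues}")
    # Constructed group outside the stem: the fixed offset keeps only its tail.
    print(report("app:vpn:admins")["substring(12)"])
```

The name checks run on the transformed group name rather than on the modelled DN, so they hold however the provisioner itself treats an empty element.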