
Subject: Grouper Users - Open Discussion List


[grouper-users] PSPNG with users in different AD domain than groups
  • From: Daniel Burtenshaw <>
  • To: "" <>
  • Subject: [grouper-users] PSPNG with users in different AD domain than groups
  • Date: Fri, 8 Mar 2019 16:36:01 +0000

Hi,

I can’t seem to get the PSPNG to add users from our root AD domain into groups in a child domain. Is this something that anyone else has done successfully?

I first tried configuring the child domain in grouper-loader.properties and setting up a new PSPNG changelog consumer, but it errors that it can’t find the subject in the ldap, so it doesn’t add the members.

I have granted the account that we use in grouper-loader.properties permissions in the child domain, and turned on following referrals; then in the child domain’s PSPNG config I use the root AD as the source ldap, but that does not work either.

I even tried hard-coding the memberAttributeValueFormat to see if it would just add the users by distinguishedName without trying to resolve them, but it still wants to resolve them in the directory and doesn’t add them.

Here is my grouper-loader.properties; any insight or suggestions?

Thanks!

####################################

ldap.activeDirectory.user = CN=Grouper,OU=Administration,DC=domain,DC=utah,DC=edu
ldap.activeDirectory.pass = ***************
ldap.activeDirectory.url = ldaps://dc.domain.utah.edu:636
ldap.activeDirectory.pagedResultsSize = 1000
ldap.activeDirectory.batchSize = 1000
ldap.activeDirectory.subtreeSearch = true
ldap.activeDirectory.referral = follow
ldap.activeDirectory.searchResultHandlers=org.ldaptive.handler.DnAttributeEntryHandler,edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler
ldap.activeDirectory.countLimit = 50000

ldap.HSCactiveDirectory.user = CN=HSCGrouper,OU=Administration,DC=hscdomain,DC=domain,DC=utah,DC=edu
ldap.HSCactiveDirectory.pass = ***************
ldap.HSCactiveDirectory.url = ldaps://hscdc.hscdomain.domain.utah.edu:636
ldap.HSCactiveDirectory.pagedResultsSize = 1000
ldap.HSCactiveDirectory.batchSize = 1000
ldap.activeDirectory.subtreeSearch = true
ldap.HSCactiveDirectory.referral = follow
ldap.HSCactiveDirectory.searchResultHandlers=org.ldaptive.handler.DnAttributeEntryHandler,edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler

####################################
## PSPNG   HSC
####################################
changeLog.consumer.pspng_HSCactivedirectory.provisionerName=pspng_HSCactivedirectory
changeLog.consumer.pspng_HSCactivedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_HSCactivedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_HSCactivedirectory.quartzCron =  20 * * * * ?
changeLog.consumer.pspng_HSCactivedirectory.ldapPoolName = HSCactiveDirectory
changeLog.consumer.pspng_HSCactivedirectory.isActiveDirectory = true
changeLog.consumer.pspng_HSCactivedirectory.grouperIsAuthoritative = false
changeLog.consumer.pspng_HSCactivedirectory.memberAttributeName = member
changeLog.consumer.pspng_HSCactivedirectory.memberAttributeValueFormat = ${ldapUser.getDn()}
#changeLog.consumer.pspng_HSCactivedirectory.memberAttributeValueFormat = cn=${subject.id},ou=People,dc=domain,dc=utah,dc=edu
changeLog.consumer.pspng_HSCactivedirectory.groupSearchBaseDn = DC=hscdomain,DC=domain,DC=utah,DC=edu
changeLog.consumer.pspng_HSCactivedirectory.allGroupsSearchFilter = objectclass=group
changeLog.consumer.pspng_HSCactivedirectory.singleGroupSearchFilter = (&(objectclass=group)(cn=${grouperUtil.extensionFromName(name)}))
changeLog.consumer.pspng_HSCactivedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name.replace("hscdomain.domain.utah.edu:",""),"cn","ou")}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: group||grouptype: -2147483640||samaccountname: ${grouperUtil.extensionFromName(name)}||description: ${group.description}
changeLog.consumer.pspng_HSCactivedirectory.userSearchBaseDn = DC=domain,DC=utah,DC=edu
changeLog.consumer.pspng_HSCactivedirectory.userSearchFilter = cn=${subject.id}
changeLog.consumer.pspng_HSCactivedirectory.userSearchAttributes = dn,cn,uid,mail,samAccountName,uidNumber,objectclass

Thanks!

Danny Burtenshaw
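The script below is an added example, not part of this thread and not Grouper or PSPNG code. It is an offline lint for the kind of grouper-loader.properties fragment shown above: it parses the properties, reports keys defined more than once (a copy-paste between two pool blocks silently overrides the first one, since the last value wins), checks that the pool a PSPNG consumer references exists and has a well-formed URL, and flags a userSearchBaseDn or groupSearchBaseDn that lies outside the naming context of the pool the consumer binds to, which is exactly the cross-domain situation where a lookup only works through referral chasing or a global catalog. The sample properties embedded in it are constructed to mirror the shape of the post; the one assumption in the logic is that a pool's bind DN lives in the domain the pool serves, so its DC= components identify that domain's naming context.

```python
"""Offline lint for PSPNG provisioner settings in grouper-loader.properties.

Added example, not Grouper/PSPNG code. Parses a properties fragment and reports
cross-domain pitfalls; assumptions are marked inline.
"""
import re
from collections import Counter

# Constructed sample modelled on the post: a root-domain pool, a child-domain
# pool (with a stray quote in its URL and a duplicated root-domain key), and a
# PSPNG consumer whose user search base sits in the root domain.
SAMPLE_PROPERTIES = """
ldap.activeDirectory.user = CN=Grouper,OU=Administration,DC=domain,DC=utah,DC=edu
ldap.activeDirectory.pass = placeholder
ldap.activeDirectory.url = ldaps://dc.domain.utah.edu:636
ldap.activeDirectory.subtreeSearch = true
ldap.activeDirectory.referral = follow

ldap.HSCactiveDirectory.user = CN=HSCGrouper,OU=Administration,DC=hscdomain,DC=domain,DC=utah,DC=edu
ldap.HSCactiveDirectory.pass = placeholder
ldap.HSCactiveDirectory.url = "ldaps://hscdc.hscdomain.domain.utah.edu:636
ldap.activeDirectory.subtreeSearch = true
ldap.HSCactiveDirectory.referral = follow

changeLog.consumer.pspng_HSCactivedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_HSCactivedirectory.ldapPoolName = HSCactiveDirectory
changeLog.consumer.pspng_HSCactivedirectory.groupSearchBaseDn = DC=hscdomain,DC=domain,DC=utah,DC=edu
changeLog.consumer.pspng_HSCactivedirectory.userSearchBaseDn = DC=domain,DC=utah,DC=edu
changeLog.consumer.pspng_HSCactivedirectory.userSearchFilter = cn=${subject.id}
"""


def parse_properties(text):
    """Parse a Java-style properties fragment into (dict, Counter of key occurrences).

    Later definitions overwrite earlier ones, as java.util.Properties does.
    """
    props, seen = {}, Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        props[key] = value
        seen[key] += 1
    return props, seen


def dc_suffix(dn):
    """Domain naming context of a DN as a lowercase tuple of its DC= components."""
    return tuple(m.lower() for m in re.findall(r"dc=([^,]+)", dn, flags=re.I))


def is_within(base, context):
    """True if `base` is the naming context `context` or lies beneath it."""
    return len(base) >= len(context) and base[-len(context):] == context


def lint(text):
    """Return a list of human-readable findings for the properties fragment."""
    props, seen = parse_properties(text)
    findings = []

    # A key defined twice is usually a copy-paste between pool blocks.
    for key, n in sorted(seen.items()):
        if n > 1:
            findings.append(f"{key}: defined {n} times, last value wins (copy-paste?)")

    consumers = sorted(
        k.split(".")[2] for k, v in props.items()
        if k.startswith("changeLog.consumer.") and k.endswith(".class") and ".pspng." in v
    )
    for name in consumers:
        prefix = f"changeLog.consumer.{name}."
        pool = props.get(prefix + "ldapPoolName", "")
        pool_prefix = f"ldap.{pool}."
        if not any(k.startswith(pool_prefix) for k in props):
            findings.append(f"{name}: ldapPoolName '{pool}' has no ldap.{pool}.* settings")
            continue
        url = props.get(pool_prefix + "url", "")
        if not re.fullmatch(r"ldaps?://[A-Za-z0-9.\-]+(:\d+)?", url):
            findings.append(f"{name}: ldap.{pool}.url is malformed: {url!r}")
        # Assumption: the pool's bind DN lives in the domain the pool serves,
        # so its DC= components identify that domain's naming context.
        context = dc_suffix(props.get(pool_prefix + "user", ""))
        follow = props.get(pool_prefix + "referral", "").lower() == "follow"
        for setting in ("userSearchBaseDn", "groupSearchBaseDn"):
            base = dc_suffix(props.get(prefix + setting, ""))
            if base and context and not is_within(base, context):
                msg = (f"{name}: {setting} '{props[prefix + setting]}' is outside pool "
                       f"'{pool}' naming context {'.'.join(context)}; lookups there depend on "
                       f"referral chasing or a global catalog")
                if not follow:
                    msg += f" (ldap.{pool}.referral is not 'follow')"
                findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PROPERTIES):
        print("-", finding)
```

On the constructed sample this reports three things: the duplicated ldap.activeDirectory.subtreeSearch key, the quote in the child-domain URL, and the user search base that is outside the child domain the consumer's pool binds to. Run it against a real file by passing its contents to lint() instead of SAMPLE_PROPERTIES; it never contacts a directory, so it is safe to run anywhere the properties file is readable.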
