Grouper Users - Open Discussion List

[Jeffrey Williams <>]

Hi Ryan,

I'll bite.  UNCG runs its container outside of the two domains that it provisions to.  We keep a 1:1 relationship of user objects(and a key attribute) between the two, so we can get away with having one subject.properties entry for both. 

subjectApi.source.uncg_person.id = uncg-person  

...and use the key attribute to assign membership to group objects.  

Few questions:

1. Which domain(parent or child) are you provisioning into where the issue is occurring?
2. Do you have a separate source for each domain?
3. Are the members of the child domain also a member of the parent, or are they exclusive to each other?

On Tue, Jun 25, 2019 at 12:53 PM Ryan Rumbaugh <> wrote:

Hi all,

 

Has anyone configured PSPNG for an AD with more than one domain? We’re running into a challenge with doing just that because the parent domain Grouper is connecting to has no visibility to the child domain when running userSearchFilter.

 

Initially, we had an issue because, by default, Grouper is creating domain local groups, but we adjusted the groupCreationLdifTemplate to create Universal groups which now works, but not being to find anyone in the child domain still is the hurdle we need to overcome.

 

One final note, we did explore using the Global Catalog port, 3269, and it does provide visibility in both domains, but unfortunately, ADD or UPDATE operations are not supported.

 

Ideally, we would use the global catalog port for the searching/filtering, but use a different connection on port 636 for the membership updates.

 

Any help or suggestions would be appreciated, thanks!!

 

--

Ryan Rumbaugh

 

--

Jeffrey Williams 

Identity Engineer
Identity & Access Services
https://its.uncg.edu