
grouper-users - [grouper-users] PSPNG and groupSelectionExpression - still need etc:pspng:provision_to when using groupSelectionExpression ?

Subject: Grouper Users - Open Discussion List

  • From: "Pete St. Onge" <>
  • To: "" <>
  • Subject: [grouper-users] PSPNG and groupSelectionExpression - still need etc:pspng:provision_to when using groupSelectionExpression ?
  • Date: Mon, 22 Jul 2019 18:56:02 -0400


As a bit of a follow-up on my previous email, we are successfully using PSPNG to provision to our proof-of-concept environment, so long as all of the groups and folders have the etc:pspng:provision_to attribute set on all entities below our provisioning target (the "d:" stem in our Grouper).

The goal, however, is to leverage specific stems to provision to different provisioning targets (our OpenLDAP 'd' target for now, 'e' or similar for AzureAD (and 'f' or similar for AD) in the near future, $foo in the future, etc.) so that we don't have to add and manage the attributes.

From what I understand in my reading thus far, the groupSelectionExpression option should allow us to set out what stem for the provisioner to provision. I've set this so far to this:

changeLog.consumer.pspng_groupOfNames.groupSelectionExpression = ${name.startsWith("d:")}

I'm not seeing errors in the API logs during a full sync or subsequent incrementals, but it seems like groups added below d: aren't being provisioned unless they have the etc:pspng:provision_to attribute added, with the value set to 'pspng_groupOfNames'.

The (somewhat) redacted config is as follows:

changeLog.consumer.pspng_groupOfNames.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_groupOfNames.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_groupOfNames.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_groupOfNames.ldapPoolName = d
changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=grouper,dc=c,dc=b,dc=a
changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${grouperUtil.extensionFromName(name)}))
changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${}||cn: ${}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = dc=c,dc=b,dc=a
changeLog.consumer.pspng_groupOfNames.userSearchFilter = torontoid=${}
changeLog.consumer.pspng_groupOfNames.userSearchAttributes = dn,cn,torontoid,mail,utid,objectclass
changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: ${utils.bushyDn("d:",""), "cn","ou")}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.groupSelectionExpression = ${name.startsWith("d:")}

As before, any suggestions appreciated.

Thanks in advance, -- pete

Peter St. Onge
Information Security Architect (416)978-5030
Business Continuity and Communications
Information + Technology Services University of Toronto
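
A lint pass over the configuration as posted, added here as an example (it is not part of the original message and not Grouper code): it reports keys that are set more than once, ${} placeholders left empty, and ${...} expressions whose parentheses do not balance. The sample lines are copied from the post; the function names are made up for this example.

```python
import re

# Constructed sample: four lines copied from the configuration in the post.
SAMPLE = '''\
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${}||cn: ${}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: ${utils.bushyDn("d:",""), "cn","ou")}||cn: ${grouperUtil.extensionFromName(name)}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.groupSelectionExpression = ${name.startsWith("d:")}
'''

def parse(text):
    """Yield (line_no, key, value) per 'key = value' line, skipping comments."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s[0] in "#!":
            continue
        key, sep, value = s.partition("=")
        if sep:
            yield n, key.strip(), value.strip()

def paren_problem(expr):
    """Return a message if parentheses outside string literals do not balance."""
    depth, quote = 0, None
    for ch in expr:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unmatched ')'"
    return "unclosed '('" if depth else None

def lint(text):
    """Return (line_no, message) findings for the whole properties text."""
    findings, seen = [], {}
    for n, key, value in parse(text):
        if key in seen:
            findings.append((n, f"duplicate key, first set on line {seen[key]}"))
        seen.setdefault(key, n)
        for expr in re.findall(r"\$\{([^}]*)\}", value):
            problem = paren_problem(expr) if expr.strip() else "empty ${}"
            if problem:
                findings.append((n, problem))
    return findings
```

Calling lint(SAMPLE) returns the findings as (line number, message) pairs; an empty ${} may only reflect redaction before posting.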
