Grouper Users - Open Discussion List

["Black, Carey M." <>]

Peter,

I think the "docs" on "groupSelectionExpression" ( 
https://spaces.at.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG 
) may need some improvement.
Description: "Jexl expression that refers to stem_attributes, 
group_attributes, or group"
        I am really unclear on what the ",or group" means for that 
description.


However, I *think* that setting is limited to only grouper attributes. ( AKA: 
Objects in Grouper called "attributes". Not "properties" of the group 
themselves. Like the parent stem locations, their descriptions, their 
extension values, etc....)

        So I think what your config is trying to say is:
                PSPNG find an attribute named "${name.startsWith("d:")}". If 
the group (or stem) has that attribute on it, then provision it.
                However, PSPNG would fail to find an attribute named 
"${name.startsWith("d:")}" and *maybe* it falls back to the "default" 
attribute? (And maybe it breaks the searching for parent objects with that 
attribute.)

So maybe try to remove that config value and see if the system behavior 
changes.


I can confirm that for me, I have the "etc:pspng:provision_to" on a parent 
folder (and a parent's parent folder) with a value that matches the 
provisioner's name. And the groups in the sub-sub folder are provisioned 
without having the attribute directly assigned to the group.


And this is in my config:
        changeLog.consumer.<provisioner's Name>.provisionerName = 
<provisioner's Name>

-- 
Carey Matthew 

-----Original Message-----
From:  
<> On Behalf Of Pete St. Onge
Sent: Monday, July 22, 2019 6:56 PM
To: 
Subject: [grouper-users] PSPNG and groupSelectionExpression - still need 
etc:pspng:provision_to when using groupSelectionExpression ?

Hello,

As a bit of a follow up on my previous email, we are successfully using 
PSPNG to provision to our proof-of-concept environment, so long as all 
of the groups and folders have the etc:pspng:provision_to attribute set 
on all entities below our provisioning target (the "d:" stem in our 
Grouper).

The goal, however, is to leverage specific stems to provision to 
different provisioning targets (our OpenLDAP 'd' target for now, 'e' or 
similar for AzureAD (and 'f' or similar for AD) in the near future ($foo 
in the future etc) so that we don't have to add and manage the attributes.

 From what I understand in my reading this far, the 
groupSelectionExpression option should allow us to set out what stem for 
the provisionner to provision. I've set this so far to this:

changeLog.consumer.pspng_groupOfNames.groupSelectionExpression = 
${name.startsWith("d:")}

I'm not seeing errors in the API logs during a full sync or subsequent 
incrementals, but it seems like groups added below d: aren't being 
provisioned unless they have the etc:pspng:provision_to attribute added, 
with the value set to 'pspng_groupOfNames'

The (somewhat) redacted config is as follows:

changeLog.consumer.pspng_groupOfNames.class = 
edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_groupOfNames.type = 
edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.pspng_groupOfNames.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_groupOfNames.ldapPoolName = d
changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = 
${ldapUser.getDn()}
changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = 
ou=grouper,dc=c,dc=b,dc=a
changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = 
objectclass=groupOfNames
changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = 
(&(objectclass=groupOfNames)(cn=${grouperUtil.extensionFromName(name)}))
changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: 
cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = dc=c,dc=b,dc=a
changeLog.consumer.pspng_groupOfNames.userSearchFilter = 
torontoid=${subject.id}
changeLog.consumer.pspng_groupOfNames.userSearchAttributes = 
dn,cn,torontoid,mail,utid,objectclass
changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: 
${utils.bushyDn(group.name.replaceFirst("d:",""), "cn","ou")}||cn: 
${grouperUtil.extensionFromName(name)}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.groupSelectionExpression = 
${name.startsWith("d:")}

As before, any suggestions appreciated.

Thanks in advance, -- pete

-- 
Peter St. Onge                           
Information Security Architect                     (416)978-5030
Business Continuity and Communications
Information + Technology Services          University of Toronto