Skip to Content.
Sympa Menu

grouper-users - [grouper-users] PSPNG with bushy LDAP

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] PSPNG with bushy LDAP

Chronological Thread 
  • From: "Morgan, Andrew Jason" <>
  • To: "" <>
  • Subject: [grouper-users] PSPNG with bushy LDAP
  • Date: Thu, 30 Jan 2020 23:37:19 +0000
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=H7x92XKMqbG5aZxnFav3FVIQ4OhGWrOJ93Flxcv0VVA=; b=flQSlVBwh36aIOtVQvVZORliXvUYDpJSOd/nv049n4aO1bdaqiMrho6RrDP56JlkRKNRbGBysjV5kX1so237lK/T0LawV0BbhTS0rc0XkmCGak8WYXfdW+qMudW9Iolw0JXTytV4ytRj3S/D6sOGE1+LKbX3/ENd5SEiYASbykG8yusB5JepYjw9aw63rubLkeCV8yd2MefKCpfabqqTZB5RvDDFybeUvWUtNncyRfwTIgqpn7e0LDqhw18/WkiojXS1wjzgiJ5CluMz/C1Fp8/Vgb9YDzPEPT2dVgEx3d8en5uVDzy+U0NVMFbmrE84+IS5koxUhxqHp8lTFdDUBw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=DPIPDuk8C8Z9eqIt1V3H7Wrd4lmgIr3EULqCBp07fYEN+vsZ+bmKmu7a7kpjjcAbTBmlBHVL81FhFs3tssQKjRMCRlIAZSMg4mvZcTTQP1q7cPvmNBPDLgL92/8A/eh2nFne9HG0/RBj1E8hVbwTDFhFQBysCGIJpKth3qiycfuhgjPa98FaD4A4vP3/ObW8Hmuq2AiLhW5K5glC+HCoq9n1zYOftORtrvkU/rDuUjfhsWTBL+gJwnESq/qI6ATV6RMS1tkv9rJIfcBtoSfm5RW1Oj10NSlPb4TExLe6uvG2R3r8m0zlir+6vEzLsW3XHY6wQm8PIGNQy0/IFB2f3A==

I'm experimenting with PSPNG as a replacement for PSP, but I'm stuck on a specific use-case.  Is anyone using PSPNG with a non-AD LDAP server with bushy layout?

Following the examples, I configured PSPNG to provision to AD with the gidNumber attribute as a unique identifier for the group.  Here is a little snippet of the config for that:

changeLog.consumer.pspng_activedirectory.grouperIsAuthoritative = true
changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = (objectclass=group)
changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter = (&(objectclass=group)(gidNumber=${group.idIndex}))
changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn("^psp:",""), "cn", "ou")}
  ||cn: ${group.extension}
  ||objectclass: group
  ||gidNumber: ${group.idIndex}
  ||samAccountName: ${"^psp:","").replaceAll(":","_")}
  ||description:${org.apache.commons.lang3.StringUtils.abbreviate(group.description == null ? null : group.description.replaceAll("\\r\\n"," ").replaceAll("\\n"," ").replaceAll("\\r"," "), 900)}

There is some JEXL to remove the old baseStemDN ("psp:"), but otherwise it is a basic bushy layout config.

I'm trying to do the same thing for our Oracle DSEE LDAP server, but I don't see a clean way to do it.  I need to create a working singleGroupSearchFilter, but gidNumber is not an allowed attribute on objectclass=groupOfUniqueNames (or groupOfNames).  We want to keep our bushy layout.  Here are a couple ideas:
  1. Stick the group.idIndex in the "description" attribute
  2. Create the groups with objectclass=groupOfUniqueNames,posixGroup (not allowed by the schema, but ODSEE doesn't enforce it) and use gidNumber
  3. Create a new Auxiliary objectclass "osuGrouperGroup" that allows gidNumber
  4. Use bushyDN but stick the whole group name in the "cn" attribute so that cn is unique

Are there other ideas?  Is anyone else using bushy layout with ODSEE, OpenLDAP, etc?


Andy Morgan
Identity & Access Management
Oregon State University

Archive powered by MHonArc 2.6.19.

Top of Page