grouper-users - [grouper-users] PSPNG with bushy LDAP
- From: "Morgan, Andrew Jason" <>
- Subject: [grouper-users] PSPNG with bushy LDAP
- Date: Thu, 30 Jan 2020 23:37:19 +0000
I'm experimenting with PSPNG as a replacement for PSP, but I'm stuck on a specific use case. Is anyone using PSPNG with a non-AD LDAP server and a bushy layout?
Following the examples, I configured PSPNG to provision to AD with the gidNumber attribute as a unique identifier for the group. Here is a little snippet of the config for that:
changeLog.consumer.pspng_activedirectory.grouperIsAuthoritative = true
changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = (objectclass=group)
changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter = (&(objectclass=group)(gidNumber=${group.idIndex}))
changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name.replaceFirst("^psp:",""), "cn", "ou")}
||cn: ${group.extension}
||objectclass: group
||gidNumber: ${group.idIndex}
||samAccountName: ${group.name.replaceFirst("^psp:","").replaceAll(":","_")}
||displayname:${group.displayName.replace(group.parentStemName.toString()+":","")}
||description:${org.apache.commons.lang3.StringUtils.abbreviate(group.description == null ? null : group.description.replaceAll("\\r\\n"," ").replaceAll("\\n"," ").replaceAll("\\r"," "), 900)}
There is some JEXL to remove the old baseStemDN ("psp:"), but otherwise it is a basic bushy layout config.
I'm trying to do the same thing for our Oracle DSEE LDAP server, but I don't see a clean way to do it. I need to create a working singleGroupSearchFilter, but gidNumber is not an allowed attribute on objectclass=groupOfUniqueNames (or groupOfNames). We want to keep our bushy layout. Here are a couple of ideas:
- Stick the group.idIndex in the "description" attribute
- Create the groups with objectclass=groupOfUniqueNames,posixGroup (not allowed by the schema, but ODSEE doesn't enforce it) and use gidNumber
- Create a new Auxiliary objectclass "osuGrouperGroup" that allows gidNumber
- Use bushyDN but stick the whole group name in the "cn" attribute so that cn is unique
Are there other ideas? Is anyone else using bushy layout with ODSEE, OpenLDAP, etc?
Thanks,
Andy Morgan
Identity & Access Management
Oregon State University
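An added example, not part of the original post and not code from Grouper or PSPNG: a plain-Python reimplementation of the two template pieces the post relies on, the bushy DN built from a Grouper group name (modelled on what utils.bushyDn does after the replaceFirst("^psp:", "") step; the exact semantics of that JEXL helper are assumed) and the singleGroupSearchFilter. It adds RFC 4514 escaping for DN values and RFC 4515 escaping for filter values, which is the caveat behind idea 4 above: the numeric group.idIndex can be dropped into a filter as-is, but once the key is a free-text value such as the whole group name or a description, characters like `(`, `)`, `*`, `,` and `+` must be escaped or they change the meaning of the filter or DN. The group names and objectclass list below are constructed sample input.

```python
"""Added example: build bushy DNs and singleGroupSearchFilter values with proper
escaping, for the four candidate unique-key schemes discussed in the post.
This is illustrative code, not Grouper/PSPNG's own implementation."""

from dataclasses import dataclass

# RFC 4514 section 2.4: characters that must be escaped anywhere in an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')
# RFC 4515 section 3: characters that must be hex-escaped in a filter assertion value.
_FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        if ch in _DN_SPECIAL or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_SPECIAL.get(ch, ch) for ch in value)


def bushy_dn(group_name: str, rdn_attr: str = "cn", stem_attr: str = "ou",
             strip_prefix: str = "psp:") -> str:
    """Turn 'psp:app:web:admins' into 'cn=admins,ou=web,ou=app' (relative to the
    group search base). Mirrors the post's template, which strips the old
    baseStemDN 'psp:' first; each component is DN-escaped."""
    if group_name.startswith(strip_prefix):
        group_name = group_name[len(strip_prefix):]
    parts = group_name.split(":")
    rdn = f"{rdn_attr}={escape_dn_value(parts[-1])}"
    stems = [f"{stem_attr}={escape_dn_value(p)}" for p in reversed(parts[:-1])]
    return ",".join([rdn, *stems])


def single_group_filter(objectclasses, key_attr: str, key_value) -> str:
    """Compose a singleGroupSearchFilter like the one in the post, with the key
    value filter-escaped so a name-based key cannot alter the filter structure."""
    ocs = "".join(f"(objectclass={escape_filter_value(c)})" for c in objectclasses)
    return f"(&{ocs}({key_attr}={escape_filter_value(str(key_value))}))"


@dataclass(frozen=True)
class Group:
    """Constructed stand-in for the Grouper group object seen by the templates."""
    name: str
    id_index: int


def filters_for(group: Group) -> dict:
    """The four schemes from the post, keyed by the idea they correspond to.
    'osuGrouperGroup' is the hypothetical auxiliary objectclass named in the post."""
    short_name = group.name[len("psp:"):] if group.name.startswith("psp:") else group.name
    return {
        "description": single_group_filter(["groupOfUniqueNames"], "description", group.id_index),
        "posixGroup": single_group_filter(["groupOfUniqueNames", "posixGroup"], "gidNumber", group.id_index),
        "auxiliary": single_group_filter(["osuGrouperGroup"], "gidNumber", group.id_index),
        "cn": single_group_filter(["groupOfUniqueNames"], "cn", short_name),
    }


if __name__ == "__main__":
    # Constructed sample groups: a plain one and one with filter/DN metacharacters.
    for g in (Group("psp:app:web:admins", 12345), Group("psp:ops:a,b (legacy)*", 777)):
        print(bushy_dn(g.name))
        for scheme, f in filters_for(g).items():
            print(f"  {scheme:12s} {f}")
```

Schemes 1 to 3 all key on the numeric idIndex, so escaping is a no-op for them; scheme 4 is the one where the escaping does real work, and the second sample group shows the `(`, `)`, `*` and `,` being neutralised in both the filter and the DN.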
- [grouper-users] PSPNG with bushy LDAP, Morgan, Andrew Jason, 01/30/2020
- Re: [grouper-users] PSPNG with bushy LDAP, Greg Haverkamp, 01/31/2020