Grouper Users - Open Discussion List

["Black, Carey M." <>]

Todd,

 

RE: Manual modifications

                It depends on how you have it configured and when the “full provisioning runs”. When it runs it should correct the memberships (adds and/or removes) to match what is in Grouper.

 

                NOTE: The grouper tooling does not “listen for changes”. Rather the jobs run on a “cron type”(time of day) schedule. So if you only correct the group “once a day” it will be right at least once a day. :)

                                It is best to help your AD admin know that the groups “in that OU” are not to be manually/directly altered. ( Use Policy instead of Technology. )

 

                Check the grouper-loader.properties: for edu.internet2.middleware.grouper.pspng.FullSyncStarter and when it is scheduled to run.

 

RE: Large groups

                I wonder if you see 1000 (or less) users in the groups in AD?

                Maybe you did not configure the connection as “AD” ( …. .isActiveDirectory = true ) and/or if you do not have the paging set up properly on the LDAP connection? (ldap.<yourLDAPname>.pagedResultsSize = 1000 )

 

Hope that helps.

 

Oh and “Grouper 2.4.0” is a good ball park. However, there are 12 PSPNG patches that really matter too. So you might check which patch level you are using too.

  Start gsh and it will output a line at the top Example: “pspng patches installed:      0, 1, 2, 3, 4,……” ( then enter 5 characters  “ :exit ”  and then press enter to exit gsh )

 

--

Carey Matthew

 

From: <> On Behalf Of Weston, Todd
Sent: Wednesday, February 26, 2020 2:03 PM
To:
Subject: [grouper-users] PSPNG Provisioned groups in AD

 

I’m new here, so if these have already been covered, please point me in that direction:

 

1. Manual modifications - What are the implications of an admin editing a grouper-generated group via ADUC or PowerShell and removing or adding users? I would like to have grouper override these changes and force the group membership back to compliance with the compositing/inclusion methods defined in the Grouper config for the group. I did some testing and it doesn’t appear to work that way “out of the box.”
2. Large groups – We have a large group ( enrolled.students = 27K users) that doesn’t seem to be provisioning (I’ve only been waiting 1 day, so I might just be impatient). Most other groups have been provisioned in AD and populated. Anywhere to look for failures? The grouper_error.log is churning so fast I wouldn’t even know what to look for…

 

I’m an old-school Windows guy, so please don’t assume a lot of Linux context is residing in me…

Grouper 2.4.0, MySQL 5.5

 

-

Todd Weston Information Security Analyst, Identity | Information Technology Services | Washington State University Phone 509.335.4479 PO Box 641222 Pullman, WA  99164-1222