Skip to Content.
Sympa Menu

grouper-users - [grouper-users] PSPNG mostly working

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] PSPNG mostly working


Chronological Thread 
    < Chronological >      < Thread >
  • From: "Weston, Todd" <>
  • To: "" <>
  • Subject: [grouper-users] PSPNG mostly working
  • Date: Tue, 3 Mar 2020 16:34:13 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=wsu.edu; dmarc=pass action=none header.from=wsu.edu; dkim=pass header.d=wsu.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3RUiOZp03riy3bD5aVkVFRjTKus4gG+Fz2q71qFLl6U=; b=U4DXRRqCyhY4NcbrVUqhJucK6Jwd3EXeUlEaq/VatMu2mtQS8hHgjjRAAsE/Cyq5QIrx3wOoJjbfXqr2poWPZMOGRRbEanzjhLhc+SEh+3o58fl/aL0LtMblJtKtDKcivhVjRj3JsEcF9z/b2/jTzkhUxC7fSz3wWCi05OsICorH/TsApdHG1lap4sOH/Fvs4IFKGtzsYzVMeYJGgU9wiUQyqPS9J5h7sf4S4dPv4CYS+/I1ufY9L2fElc/p6EMf2UjfMZt2h5PrENMiCxAU4zMLP+nO3LBSUFOhAQmlXm4EBCC1/7Zw+oS85JXMtlJRw3BL+rUXH0Em4wH76hsgMQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CAQCHYjYS6L9dXLEj50uqKKFXYmWY8iGwCj9EaJmd7Sspp0hk7SpknYJfbnsbBqDWFFiXL42/rgKiI312vszKIv7bY+aX0qu/KIJCLKj0I+xMXv+J6R+cr+ff4Wu97bd+el2s8FlOfPJSIM1VkIcEpkVy0eAu2qV2oeG1IVezwKPGDzGJrijwPo73esrkenEs34AcbGnJigW3Duum9G4UZCqDrbD22QKLGNsa5J25sgJM7DUDpEKl5Nn8zB8tYDkUa8VywkYFH5OI9nwziAN9XOdtShKz7TEIPA8KG8N3sa+xLBqJDRIGnuJeh70JSQDazoDlj4IDajwbAvxS8YfFg==

So – I have figured out the majority of provisioning workflow into AD – but have 5 groups that will not provision users into AD. My pspng attribute assignments have been made at the folder level and we have three different pspng configs to push groups into different OUs:

The PSPNG attribute assignments are applied at the affiliates, employees and students folders. All but two of the groups in employees is provisioning users into the groups:

These two groups show membership in the Grouper database of 2063 and 1736, respectively. But their AD counterparts are empty. A similar issue presents in our student groups:

These groups show memberships in the database of 37,543, 1341 and 16,055, respectively, yet AD groups are empty.

All of the remaining groups in both folders have populated their AD groups with no issues and maintain their dynamic membership on a daily basis.

 

I’m pretty certain the PSPNG config in the grouper-loader.properties is configured correctly as these other groups are provisioning properly and update regularly. And they are in the same folders as the ones that are not working. There are roll-up groups in the above output that we will populate with the child groups eventually, so most of the zero-membership groups in the list aren’t concerning – just the highlighted ones that should be getting memberships.

 

I have not gone as far as deleting the AD groups and allowing Grouper to recreate them as this is not a desirable method once we go into production. We which to retain the SIDs of these existing groups to make the transition from our current group populator to grouper as seamless as possible. We did empty all of these groups prior to turning on provisioning settings in Grouper – and it’s mostly worked…

 

One other note: we were running into memory issues originally (Java heap full in the logs) – went from 8GB to 16GB on the app server. The level memory consumption on the server is now close to 10GB, so I don’t believe we’re memory constrained any longer  and I don’t see the Java memory errors.

 

Any Ideas? I can post filtered logs fi I know what to look for (The grouper_error.log is incredibly noisy).

 

-

QR to scan into contacts

Todd Weston

Information Security Analyst, Identity |

Information Technology Services | Washington State University

Phone 509.335.4479 PO Box 641222 Pullman, WA  99164-1222

 

 

 


Archive powered by MHonArc 2.6.19.

Top of Page