Grouper Users - Open Discussion List

["Black, Carey M." <>]

Todd,

 

I would suggest you try to manually trigger a full sync and watch what happens with respect to those groups. ( Maybe an AD access restriction? Just a guess. )

https://spaces.at.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG#GrouperProvisioning:PSPNG-FullSYNCProvisioning

 

 

NOTE: You might also want to turn up the log level too. See the section a bit farther down the page “Adjusting log level.” And you can set it in GSH before you manually start the full sync.

 

--

Carey Matthew

 

From: <> On Behalf Of Weston, Todd
Sent: Tuesday, March 3, 2020 11:34 AM
To:
Subject: [grouper-users] PSPNG mostly working

 

So – I have figured out the majority of provisioning workflow into AD – but have 5 groups that will not provision users into AD. My pspng attribute assignments have been made at the folder level and we have three different pspng configs to push groups into different OUs:

The PSPNG attribute assignments are applied at the affiliates, employees and students folders. All but two of the groups in employees is provisioning users into the groups:

These two groups show membership in the Grouper database of 2063 and 1736, respectively. But their AD counterparts are empty. A similar issue presents in our student groups:

These groups show memberships in the database of 37,543, 1341 and 16,055, respectively, yet AD groups are empty.

All of the remaining groups in both folders have populated their AD groups with no issues and maintain their dynamic membership on a daily basis.

 

I’m pretty certain the PSPNG config in the grouper-loader.properties is configured correctly as these other groups are provisioning properly and update regularly. And they are in the same folders as the ones that are not working. There are roll-up groups in the above output that we will populate with the child groups eventually, so most of the zero-membership groups in the list aren’t concerning – just the highlighted ones that should be getting memberships.

 

I have not gone as far as deleting the AD groups and allowing Grouper to recreate them as this is not a desirable method once we go into production. We which to retain the SIDs of these existing groups to make the transition from our current group populator to grouper as seamless as possible. We did empty all of these groups prior to turning on provisioning settings in Grouper – and it’s mostly worked…

 

One other note: we were running into memory issues originally (Java heap full in the logs) – went from 8GB to 16GB on the app server. The level memory consumption on the server is now close to 10GB, so I don’t believe we’re memory constrained any longer  and I don’t see the Java memory errors.

 

Any Ideas? I can post filtered logs fi I know what to look for (The grouper_error.log is incredibly noisy).

 

-

Todd Weston Information Security Analyst, Identity | Information Technology Services | Washington State University Phone 509.335.4479 PO Box 641222 Pullman, WA  99164-1222