
grouper-users - Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time

Subject: Grouper Users - Open Discussion List

  • From: "Morgan, Andrew Jason" <>
  • To: Siju Jacob <>, " Mailing List" <>
  • Subject: Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time
  • Date: Sat, 28 Mar 2020 20:27:28 +0000

Sure, see the attached script.  You'll need to make some mods for your local AD environment, such as DNs and connection parameters.  It accepts a list of DNs on STDIN to add to the group.

Thanks,

Andy Morgan
Identity & Access Management
Oregon State University


From: Siju Jacob <>
Sent: Saturday, March 28, 2020 1:20 PM
To: Morgan, Andrew Jason <>; Mailing List <>
Subject: RE: PSP Provisioning a large group with small set of users to Active Directory at a time
 

Thanks Andy, appreciate your quick response. Could you please share the Perl script with me?

 

Thanks,

Siju  

 

From: Morgan, Andrew Jason <>
Sent: Saturday, March 28, 2020 4:17 PM
To: Mailing List <>; Siju Jacob <>
Subject: Re: PSP Provisioning a large group with small set of users to Active Directory at a time

 

Siju,

 

I'm not aware of a way to control PSP's behavior that way.  I ran into this same issue as well.  Our AD won't accept more than 5,000 operations in a single transaction, so it was impossible to use gsh -psp -sync on a large group if some error occurred during the original creation.  I ended up writing a Perl script to add members to an AD group in chunks of 5,000.  I can share this script if it would help you.

 

We just upgraded to v2.4 with PSPNG.  I'm not sure if this same issue exists with PSPNG.

 

Thanks,

 

Andy Morgan

Identity & Access Management

Oregon State University

 


From: <> on behalf of Siju Jacob <>
Sent: Saturday, March 28, 2020 10:45 AM
To: Mailing List <>
Subject: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time

 

Hi Team,

We are using Grouper 2.3 PSP to provision a reference group with 80,000 members to Active Directory.

Does Grouper have any configuration in PSP to restrict the number of members in each update request to Active Directory?

I mean, is it possible to configure the PSP to make 8 update requests to Active Directory with 10,000 members in each request instead of a single request with all 80,000 members to Active Directory?

Any advice or guidance will be of great help and would be greatly appreciated!

 

Thanks,

Siju Jacob

#!/usr/bin/perl -w

use strict;
use Net::LDAPS;
use Net::LDAP;

if ($#ARGV < 0) {
	print "Usage: $0 <group-dn>\n";
	print "  Reads a list of DNs from STDIN to add as members of <group-dn>.\n";
	exit(1);
}

my $groupdn = $ARGV[0];


# Setup some variables
$| = 1;
# Site-local preferences file; it is expected to populate %prefs with the
# connection parameters used below. Adjust for your own AD environment.
our %prefs;
require "/private/admin/acct/requires/prefs.pl";
$prefs{'gchost'} = "gc.oregonstate.edu";
$prefs{'gcport'} = 3268;


# Connect to AD
# verify => 'require' checks the server certificate against capath before
# the bind credentials are sent over the connection.
my $ad = Net::LDAPS->new($prefs{'adhost'},
			port => $prefs{'ldapport'},
			verify => 'require',
			capath => $prefs{'ldapcertdir'},
			) or die("Could not connect to LDAP server - $@");
my $mesg = $ad->bind($prefs{'ad_update_user'}, password => $prefs{'ad_update_password'});
if ($mesg->is_error) {
	print "Error: bind failed: " . $mesg->error . "\n";
	exit(1);
}


# Confirm that the DN given on the command line is exactly one group object
$mesg = $ad->search(
	base => $groupdn,
	filter => "(objectcategory=cn=group,cn=schema,cn=configuration,dc=oregonstate,dc=edu)",
	scope => "base",
	attrs => [ 'cn' ],
	);
if ($mesg->is_error) {
	print "Error: " . $mesg->error . "\n";
	exit(-1);
}
if ($mesg->count != 1) {
	print "Error: " . $mesg->count . " entries found for group '$groupdn'.\n";
	exit(1);
}

my $entry = $mesg->entry(0);
my $dn = $entry->dn();

# Read member DNs from STDIN and add them in batches of 5,000, the most
# operations this AD accepts in a single transaction
my @members = ();
my $count = 0;
while (my $memberdn = <STDIN>) {
	chomp $memberdn;
	next if $memberdn =~ /^\s*$/;	# skip blank lines
	$count++;
	push @members, $memberdn;
	if ($count % 5000 == 0) {
		$mesg = $ad->modify($dn, add => { member => \@members });
		if ($mesg->is_error) {
			print "Error: " . $mesg->error . "\n";
			exit(1);
		}
		print "Added $count members to $dn\n";
		@members = ();
		$count = 0;
	}
}

# process any remainders
if ($count != 0) {
	$mesg = $ad->modify($dn, add => { member => \@members });
	if ($mesg->is_error) {
		print "Error: " . $mesg->error . "\n";
		exit(1);
	}
	print "Added $count members to $dn\n";
}


$ad->unbind;


