grouper-users - Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time
Subject: Grouper Users - Open Discussion List
List archive
Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time
Chronological Thread
- From: "Morgan, Andrew Jason" <>
- To: Siju Jacob <>, " Mailing List" <>
- Subject: Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time
- Date: Sat, 28 Mar 2020 20:37:52 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oregonstate.edu; dmarc=pass action=none header.from=oregonstate.edu; dkim=pass header.d=oregonstate.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TAY/P/ZBTSSbZkYZ21vQs6eK6/HEQa/W/e/zwCghEhw=; b=PEoPf7JDVUrXee0bCqE/3Lx5xTf8iCgup8++nJZl7WralcYQhc+Iz/Y88LqF1mNwwSBy4vSUgNtx/08TXeK5OUWhaRe7plwy1m5huYG0oQ02EmhfdGWV3tGGGRfZ38FODIN+hDxjqjWhm3XzbzxYaOn7J6ecHapH8FtPKYRfyKrTkZcx+1YvCcsOgZq3yipxcKdfETO0mMwsKj0XZ8Qw8Uiv7p6KP/hXfiSVEjzyWjF1x0clV7TKD943zKSHZWEMQ9noZjNlPG3N7kczsB/qwO+twfa3KjtdzW6fl2qr/8wLctMnpA4aEsdLQaNsf6XDCNAsY2vPS9neQahmIV9Xfg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=njMd3CSVUxE8EeOzxvIIOa8k5mMi6xrXnfUYfGXHkH648DAqhmQvIRPgAwrjAM48ycRZd4sx8+apuxIneOHeBjJltpNBAHxKW2lx8n4HED/YVYlCssrx0YQLWL7k2uSk8CA0j4u/lBCvry+5lvTk2RMYFAwPOTOJmod93bL1s0QY2sVElglFg+8wgYk5dG8PAWiGWEXuQp6zUz8TBe5lMUvFkxc/PjrOem4FZSNSuPm051akSRbhC+yR+stZogU/XCtfpD/O6aHMG4+msjkxLneGnaLI82kcgIrG6fgJGKasYCTEuiSGv8oqgUQUPKnx9/FpMlaQnAIK9sb/Ev8Saw==
Sent: Saturday, March 28, 2020 1:31 PM
To: Morgan, Andrew Jason <>; Mailing List <>
Subject: RE: PSP Provisioning a large group with small set of users to Active Directory at a time
Hi Andy,
Could you please rename the file with some other extension and resend it. Its blocked by our outlook.
Thanks,
Siju
From: Morgan, Andrew Jason <>
Sent: Saturday, March 28, 2020 4:27 PM
To: Siju Jacob <>; Mailing List <>
Subject: Re: PSP Provisioning a large group with small set of users to Active Directory at a time
Sure, see the attached script. You'll need to make some mods for your local AD environment, such as DNs and connection parameters. It accepts a list of DNs on STDIN to add to the group.
Thanks,
Andy Morgan
Identity & Access Management
Oregon State University
From: Siju Jacob <>
Sent: Saturday, March 28, 2020 1:20 PM
To: Morgan, Andrew Jason <>;
Mailing List <>
Subject: RE: PSP Provisioning a large group with small set of users to Active Directory at a time
Thanks Andy, appreciate your quick response. Could you please share the pearl script with me.
Thanks,
Siju
From: Morgan, Andrew Jason <>
Sent: Saturday, March 28, 2020 4:17 PM
To: Mailing List <>; Siju Jacob <>
Subject: Re: PSP Provisioning a large group with small set of users to Active Directory at a time
Siju,
I'm not aware of a way to control PSP's behavior that way. I ran into this same issue as well. Our AD won't accept more than 5,000 operations in a single transaction, so it was impossible to use gsh -psp -sync on a large group if some error occurred during the original creation. I ended up writing a Perl script to add members to an AD group in chunks of 5,000. I can share this script if it would help you.
We just upgraded to v2.4 with PSPNG. I'm not sure if this same issue exists with PSPNG.
Thanks,
Andy Morgan
Identity & Access Management
Oregon State University
From:
<> on behalf of Siju Jacob <>
Sent: Saturday, March 28, 2020 10:45 AM
To: Mailing List <>
Subject: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time
Hi Team,
We are using grouper 2.3 PSP to provision a reference group with 80,000 members to Active Directory.
Does grouper have any configuration in PSP to restrict the number of members in each update request to Active directory.
I mean is it possible to configure the PSP to make 8 update request to Active Directory with 10,000 members in each request instead of single request with all 80,000 members to Active Directory.
Any advice or guidance will be of great help and would be greatly appreciated..!
Thanks,
Siju Jacob
use Net::LDAPS;
use Net::LDAP;
if ($#ARGV < 0) {
print "Usage: $0 <group-dn>\n";
print " Reads a list of DNs from STDIN to add as members of
<group-dn>.\n";
exit;
}
my $groupdn = $ARGV[0];
# Setup some variables
$| = 1;
require "/private/admin/acct/requires/prefs.pl";
$prefs{'gchost'} = "gc.oregonstate.edu";
$prefs{'gcport'} = 3268;
# Connect to AD
my $ad = Net::LDAPS->new($prefs{'adhost'},
port => $prefs{'ldapport'},
verify => 'none',
capath => $prefs{'ldapcertdir'},
) or die("Could not connect to LDAP server - $!");
$ad->bind($prefs{'ad_update_user'}, password => $prefs{'ad_update_password'});
$mesg = $ad->search(
base => $groupdn,
filter =>
"(objectcategory=cn=group,cn=schema,cn=configuration,dc=oregonstate,dc=edu)",
scope => "base",
attrs => [ 'cn' ],
);
if ($mesg->is_error) {
print "Error: " . $mesg->error . "\n";
exit(-1);
}
if ($mesg->count != 1) {
print "Error: " . $mesg->count . " entries found for user
'$groupdn'.\n";
exit;
}
$entry = $mesg->entry(0);
$dn = $entry->dn();
my @members = ();
my $count = 0;
while ($memberdn = <STDIN>) {
chomp $memberdn;
$count++;
push @members, $memberdn;
if ($count % 5000 == 0) {
$mesg = $ad->modify($dn, add => { member => \@members });
if ($mesg->is_error) {
print "Error: " . $mesg->error . "\n";
exit;
}
print "Added $count members to $dn\n";
@members = ();
$count = 0;
}
}
# process any remainders
if ($count != 0) {
$mesg = $ad->modify($dn, add => { member => \@members });
if ($mesg->is_error) {
print "Error: " . $mesg->error . "\n";
exit;
}
print "Added $count members to $dn\n";
}
$ad->unbind;
- [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Siju Jacob, 03/28/2020
- Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Morgan, Andrew Jason, 03/28/2020
- RE: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Siju Jacob, 03/28/2020
- Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Morgan, Andrew Jason, 03/28/2020
- RE: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Siju Jacob, 03/28/2020
- Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Morgan, Andrew Jason, 03/28/2020
- RE: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Siju Jacob, 03/28/2020
- Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Morgan, Andrew Jason, 03/28/2020
- RE: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Siju Jacob, 03/28/2020
- Re: [grouper-users] PSP Provisioning a large group with small set of users to Active Directory at a time, Morgan, Andrew Jason, 03/28/2020
Archive powered by MHonArc 2.6.19.