[grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?


  • From: Dominique Petitpierre
  • Subject: [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?
  • Date: Thu, 10 Sep 2020 04:07:20 +0200
  • Organization: University of Geneva

Hello,

- Is it possible to configure a PSPNG provisioner to synchronize one Grouper group member to two target directory group members?

Context:
Grouper subjects are taken from a directory that has one entry per person, identified by its employeeNumber; the target directory has two branches, one for students and one for staff. If a person is both a student and a staff member, they have two entries in the target directory, which both have the same employeeNumber and are each identified by a unique login name.

With the PSPNG provisioner configuration below, a full sync of a group containing a member who is both student and staff results in only one membership in the target directory, and an error in the grouper-loader error log.
- What changes to the configuration would allow both members to be inserted in the target directory group?

Alternatively,
- is it possible to have two provisioners, one taking care of the student members and the other of the staff members in the same target directory group?
(I don't quite see how full sync would work but asking just in case I am missing something!)


Here is the relevant part of grouper-loader.properties:

changeLog.consumer.activedirectory.provisionerName = activedirectory
changeLog.consumer.activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.activedirectory.quartzCron = 0 * * * * ?
changeLog.consumer.activedirectory.ldapPoolName = groupLdap
changeLog.consumer.activedirectory.grouperIsAuthoritative = true
changeLog.consumer.activedirectory.isActiveDirectory = true
changeLog.consumer.activedirectory.memberAttributeName = member
changeLog.consumer.activedirectory.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.activedirectory.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch
changeLog.consumer.activedirectory.allGroupsSearchFilter = objectclass=group
changeLog.consumer.activedirectory.singleGroupSearchFilter = (&(objectclass=group)(gidNumber=${group.idIndex + 2000000}))
changeLog.consumer.activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name, "cn", "ou")}||cn: ${group.extension}||objectclass: group||objectclass: top||gidNumber: ${group.idIndex + 2000000}||description: ${empty(group.description)?"":group.description.replaceAll("[\\r\\n]+"," ")}||groupType: 4||sAMAccountName: ${group.name.replaceAll(":","`").replaceAll("[\\\"\\[\\];|=+*?<>/\\\\, ]","_")}
changeLog.consumer.activedirectory.userSearchBaseDn = OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch
changeLog.consumer.activedirectory.userSearchFilter = employeeNumber=${subject.id.replaceFirst("@unige.ch","")}
changeLog.consumer.activedirectory.userSearchAttributes = dn,employeeNumber,employeeType
changeLog.consumer.activedirectory.groupSearchAttributes = cn,objectclass,sAMAccountName,description,gidNumber,groupType


Relevant DEBUG level log messages:

2020-09-10 02:04:02,135: [main] WARN  GrouperStartup.printConfigOnce(232) -  - Grouper starting up: version: 2.4.0, build date: null, env: test_2.4.0_grouper-loader
grouperPatchStatus read from: /usr/local/grouper-loader/grouperPatchStatus.properties
api patches installed:        0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96
pspng patches installed:      0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
...
2020-09-10 02:04:10,666: [TSUserFetcher-activedirectory-full-1] DEBUG LdapProvisioner.getUserLdapFilter(304) -  - activedirectory-full: User LDAP filter for subject : [org.ldaptive.SearchFilter@470619938::filter=employeeNumber=645150, parameters={}]
2020-09-10 02:04:10,666: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem.performLdapSearchRequest(796) -  - Running ldap search: <OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch>/SUBTREE: (|(employeeNumber=645150)) << {}
2020-09-10 02:04:10,666: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem.performLdapSearchRequest(730) -  - Doing ldap search: [org.ldaptive.SearchFilter@-834157842::filter=(|(employeeNumber=645150)), parameters={}] / OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch / [dn, employeeNumber, employeeType, memberof]
2020-09-10 02:04:10,668: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem.performLdapSearchRequest(740) -  - Using attribute-value paging
2020-09-10 02:04:10,668: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem.performLdapSearchRequest(751) -  - Using ldap search-result paging
2020-09-10 02:04:10,670: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem$1.handle(807) -  - Ldap result: CN=bello,OU=PA-PAT,OU=LETTRES,OU=FCI,OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch
2020-09-10 02:04:10,670: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem$1.handle(807) -  - Ldap result: CN=bello6,OU=LETTRES,OU=ETU,OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch
2020-09-10 02:04:10,670: [TSUserFetcher-activedirectory-full-1] INFO  LdapSystem.performLdapSearchRequest(819) -  - LDAP search returned 2 entries
2020-09-10 02:04:10,670: [TSUserFetcher-activedirectory-full-1] DEBUG LdapProvisioner.fetchTargetSystemUsers(222) -  - Read 2 user objects from directory
2020-09-10 02:04:10,671: [TSUserFetcher-activedirectory-full-1] DEBUG Provisioner.evaluateJexlExpression(777) -  - Evaluated UserSearchFilter Jexl expression: '645150'
2020-09-10 02:04:10,671: [TSUserFetcher-activedirectory-full-1] DEBUG Provisioner.evaluateJexlExpression(797) -  - Evaluated entire UserSearchFilter Jexl expression: 'employeeNumber=645150'
2020-09-10 02:04:10,671: [TSUserFetcher-activedirectory-full-1] DEBUG LdapProvisioner.getUserLdapFilter(304) -  - activedirectory-full: User LDAP filter for subject : [org.ldaptive.SearchFilter@470619938::filter=employeeNumber=645150, parameters={}]
2020-09-10 02:04:10,686: [TSUserFetcher-activedirectory-full-1] ERROR LdapProvisioner.fetchTargetSystemUsers(262) -  - activedirectory-full: User data from ldap server was not matched with a grouper subject (perhaps attributes are used in userSearchFilter (employeeNumber=${subject.id.replaceFirst("@unige.ch","")}) that are not included in userSearchAttributes ([dn, employeeNumber, employeeType, memberof])?): cn=bello6,ou=lettres,ou=etu,ou=usersunige,ou=_unige,dc=isis-klif,dc=unige,dc=ch
2020-09-10 02:04:10,689: [FullSyncer(activedirectory)-Thread] DEBUG Provisioner.cacheUser(1112) -  - Adding target-system user to cache: ''/'person'/'people-test.unige.ch'
2020-09-10 02:04:10,690: [FullSyncer(activedirectory)-Thread] INFO  ProgressMonitor.completelyDone(81) -  - Fetching subjects Completed (Success): 1 items in 00.033s (1818.2 items/minute)
2020-09-10 02:04:10,690: [FullSyncer(activedirectory)-Thread] DEBUG Provisioner.doFullSync(1588) -  - activedirectory-full/application:bpm-poc:bpm-oracle:workflow1:testgroup/#16234(Existing): All correct member subjects: [''/'person'/'people-test.unige.ch']
2020-09-10 02:04:10,691: [FullSyncer(activedirectory)-Thread] INFO  Provisioner.doFullSync(1591) -  - activedirectory-full/application:bpm-poc:bpm-oracle:workflow1:testgroup/#16234(Existing): 1 correct member subjects. Sample: [''/'person'/'people-test.unige.ch']...

Same problem with the following change to the configuration:
changeLog.consumer.activedirectory.userSearchFilter = (|(cn=${subject.attributes["unigechstudentuid"].iterator().next()})(cn=${subject.attributes["unigechemployeeuid"].iterator().next()}))
changeLog.consumer.activedirectory.userSearchAttributes = dn,cn,employeeNumber,employeeType

2020-09-10 03:33:10,315: [TSUserFetcher-activedirectory-full-1] DEBUG LdapProvisioner.getUserLdapFilter(304) -  - activedirectory-full: User LDAP filter for subject : [org.ldaptive.SearchFilter@698652776::filter=(|(cn=bello6)(cn=bello)), parameters={}]
2020-09-10 03:33:10,315: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem.performLdapSearchRequest(796) -  - Running ldap search: <OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch>/SUBTREE: (|(|(cn=bello6)(cn=bello))) << {}
2020-09-10 03:33:10,315: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem.performLdapSearchRequest(730) -  - Doing ldap search: [org.ldaptive.SearchFilter@910561515::filter=(|(|(cn=bello6)(cn=bello))), parameters={}] / OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch / [dn, cn, employeeNumber, employeeType, memberof]
2020-09-10 03:33:10,320: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem.performLdapSearchRequest(740) -  - Using attribute-value paging
2020-09-10 03:33:10,321: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem.performLdapSearchRequest(751) -  - Using ldap search-result paging
2020-09-10 03:33:10,324: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem$1.handle(807) -  - Ldap result: CN=bello,OU=PA-PAT,OU=LETTRES,OU=FCI,OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch
2020-09-10 03:33:10,324: [TSUserFetcher-activedirectory-full-1] DEBUG LdapSystem$1.handle(807) -  - Ldap result: CN=bello6,OU=LETTRES,OU=ETU,OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch
2020-09-10 03:33:10,324: [TSUserFetcher-activedirectory-full-1] INFO  LdapSystem.performLdapSearchRequest(819) -  - LDAP search returned 2 entries
2020-09-10 03:33:10,325: [TSUserFetcher-activedirectory-full-1] DEBUG LdapProvisioner.fetchTargetSystemUsers(222) -  - Read 2 user objects from directory
2020-09-10 03:33:10,325: [TSUserFetcher-activedirectory-full-1] DEBUG Provisioner.evaluateJexlExpression(777) -  - Evaluated UserSearchFilter Jexl expression: 'bello6'
2020-09-10 03:33:10,325: [TSUserFetcher-activedirectory-full-1] DEBUG Provisioner.evaluateJexlExpression(777) -  - Evaluated UserSearchFilter Jexl expression: 'bello'
2020-09-10 03:33:10,325: [TSUserFetcher-activedirectory-full-1] DEBUG Provisioner.evaluateJexlExpression(797) -  - Evaluated entire UserSearchFilter Jexl expression: '(|(cn=bello6)(cn=bello))'
2020-09-10 03:33:10,325: [TSUserFetcher-activedirectory-full-1] DEBUG LdapProvisioner.getUserLdapFilter(304) -  - activedirectory-full: User LDAP filter for subject : [org.ldaptive.SearchFilter@698652776::filter=(|(cn=bello6)(cn=bello)), parameters={}]
2020-09-10 03:33:10,349: [TSUserFetcher-activedirectory-full-1] ERROR LdapProvisioner.fetchTargetSystemUsers(262) -  - activedirectory-full: User data from ldap server was not matched with a grouper subject (perhaps attributes are used in userSearchFilter ((|(cn=${subject.attributes["unigechstudentuid"].iterator().next()})(cn=${subject.attributes["unigechemployeeuid"].iterator().next()}))) that are not included in userSearchAttributes ([dn, cn, employeeNumber, employeeType, memberof])?): cn=bello6,ou=lettres,ou=etu,ou=usersunige,ou=_unige,dc=isis-klif,dc=unige,dc=ch
2020-09-10 03:33:10,349: [FullSyncer(activedirectory)-Thread] DEBUG Provisioner.cacheUser(1112) -  - Adding target-system user to cache: ''/'person'/'people-test.unige.ch'
2020-09-10 03:33:10,350: [FullSyncer(activedirectory)-Thread] INFO  ProgressMonitor.completelyDone(81) -  - Fetching subjects Completed (Success): 1 items in 00.088s (681.8 items/minute)
2020-09-10 03:33:10,351: [FullSyncer(activedirectory)-Thread] DEBUG Provisioner.doFullSync(1588) -  - activedirectory-full/application:bpm-poc:bpm-oracle:workflow1:testgroup/#16234(Existing): All correct member subjects: [''/'person'/'people-test.unige.ch']
2020-09-10 03:33:10,351: [FullSyncer(activedirectory)-Thread] INFO  Provisioner.doFullSync(1591) -  - activedirectory-full/application:bpm-poc:bpm-oracle:workflow1:testgroup/#16234(Existing): 1 correct member subjects. Sample: [''/'person'/'people-test.unige.ch']...


Thanks in advance for your advice!
-- 
Mr Dominique Petitpierre, user=Dominique.Petitpierre domain=unige.ch
IT Division, University of Geneva, Switzerland
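A pre-flight check for the situation described in the post (example code added to this archive page, not part of the post and not PSPNG's own code): it renders the post's two userSearchFilter templates for each subject, runs them against a constructed copy of the two AD entries from the log plus one ordinary staff entry, and reports every subject whose filter returns zero or more than one entry, which is the condition behind the "was not matched with a grouper subject" error. The tiny LDAP filter evaluator and the subject attribute layout are assumptions made for this example; it runs offline with no LDAP server.

```python
# Constructed sample of the target directory, modelled on the two entries in the post's log plus one staff-only entry.
TARGET_ENTRIES = [
    {"dn": "CN=bello,OU=PA-PAT,OU=LETTRES,OU=FCI,OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch", "cn": "bello", "employeeNumber": "645150", "employeeType": "staff"},
    {"dn": "CN=bello6,OU=LETTRES,OU=ETU,OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch", "cn": "bello6", "employeeNumber": "645150", "employeeType": "student"},
    {"dn": "CN=alice,OU=LETTRES,OU=FCI,OU=UsersUnige,OU=_UNIGE,DC=isis-klif,DC=unige,DC=ch", "cn": "alice", "employeeNumber": "100200", "employeeType": "staff"},
]
# Constructed Grouper subjects carrying the attributes the post's two filters use (attribute names assumed from the post).
SUBJECTS = [
    {"id": "645150@unige.ch", "unigechstudentuid": "bello6", "unigechemployeeuid": "bello"},
    {"id": "100200@unige.ch", "unigechstudentuid": None, "unigechemployeeuid": "alice"},
]

def filter_by_employee_number(subject):
    # Renders the post's first template: employeeNumber=${subject.id.replaceFirst("@unige.ch","")}
    return "employeeNumber=" + subject["id"].replace("@unige.ch", "", 1)

def filter_by_login_names(subject):
    # Renders the post's alternative template: (|(cn=<student uid>)(cn=<employee uid>))
    return "(|(cn=%s)(cn=%s))" % (subject["unigechstudentuid"], subject["unigechemployeeuid"])

def parse(f, i=0):
    """Minimal LDAP filter parser for (attr=value), (|...) and (&...); returns (node, next index)."""
    if f[i + 1] in "|&":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] != ")":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def evaluate(node, entry):
    # entry keys are already lower-cased by search(); comparisons are case-insensitive like LDAP
    if node[0] == "=":
        return str(entry.get(node[1], "")).lower() == node[2]
    results = (evaluate(k, entry) for k in node[1])
    return any(results) if node[0] == "|" else all(results)

def search(filter_str, entries):
    """Return the DNs matching filter_str; a bare attr=value is wrapped in parentheses as PSPNG does."""
    if not filter_str.startswith("("):
        filter_str = "(" + filter_str + ")"
    node, _ = parse(filter_str)
    return [e["dn"] for e in entries if evaluate(node, {k.lower(): v for k, v in e.items()})]

def ambiguous_subjects(subjects, entries, render):
    """Map subject id -> matching DNs for every subject whose filter does not hit exactly one entry."""
    hits = {s["id"]: search(render(s), entries) for s in subjects}
    return {sid: dns for sid, dns in hits.items() if len(dns) != 1}
```

Running ambiguous_subjects with either render function flags 645150@unige.ch with both DNs, which shows that switching from employeeNumber to the two login names does not remove the one-subject-to-two-entries ambiguity.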