grouper-users - Re: [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?


Re: [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?

  • From: Jeffrey Williams <>
  • To: Dominique Petitpierre <>
  • Cc: Grouper-Users <>
  • Subject: Re: [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?
  • Date: Thu, 17 Sep 2020 15:34:20 -0400

Hello Dominique,

It sounds like you have 2 things to check:

1) Your subject.properties, to be sure your student and employee members will be uniquely identified when specified.
2) How to get 2 members for the price of 1 membership add?


Talking about 1, first:
ERROR LdapProvisioner.fetchTargetSystemUsers(262) -  - activedirectory-full: User data from ldap server was not matched with a grouper subject (perhaps attributes are used in userSearchFilter (employeeNumber=${subject.id.replaceFirst("@unige.ch","")}) that are not included in userSearchAttributes ([dn, employeeNumber, employeeType, memberof])?): cn=bello6,ou=lettres,ou=etu,ou=usersunige,ou=_unige,dc=isis-klif,dc=unige,dc=ch

  Is your subject.properties (https://spaces.at.internet2.edu/pages/viewpage.action?pageId=14517958#APIBuilding&Configuration-ChoosingIdentifiersforSubjects) configured to resolve members in both ETU and FCI?  The error message seems to indicate that bello6 couldn't be resolved into a subject.  If Grouper can't resolve it back to a subject, it'll treat it as an unknown.

- Is it possible to configure a PSPNG provisioner to synchronize one Grouper group member to two target directory group members?  

I think the short answer is: not likely.  At least for the reason that, when it comes to full syncs, PSPNG would delete any member account in the target group that was not a bona fide member of the Grouper group.

Talking about 2, next. At UNCG, I have a similar situation where I have 2 sets of groups whose membership represent the same individuals:

* DepartmentalTechnicalSupport (DTS) - group of techs represented by their administrative account
* DepartmentalTechnicalSupport-Primary - same group of techs, represented by their primary account.

The DTS group is manually maintained.  I have a GSH script that periodically will loop through these DTS groups, find the tech's primary account by searching through an eligibleEmployee-Primary group, and create an array of administrative-to-primary translation records with the two subjects and the employeeNumber they share.  The script then adds any new users to the corresponding -Primary group, followed by removing any that no longer have a member in the original DTS group.

You could take a similar script to take the members of your "employee" group, search in a suitable student group for any student accounts with the same employeeNumber, then add that member to a "student" group and keep those synced.  You'd then take the employee and student group and make them members of the group you'd ultimately want them to be in.

The end result would be that your employee group is still driving the membership of the final group, but is also influencing which student accounts would get added as well.

The upside is that your provisioners don't have to be manipulated to get this desired behavior.  

The downside is that it's not instant, which may or may not matter depending on your situation.  Also, since you're also on 2.4, there isn't a great way to cron GSH scripts except for getting the host to do it via docker commands on its own scheduler.  2.5 has a loader script option that you can schedule within the app, but I haven't had a chance to play with it yet.

Let me know if you're interested in the script or if you have more questions/comments.

-Jeff

On Mon, Sep 14, 2020 at 4:02 AM Dominique Petitpierre <> wrote:
Hello,

On 10.09.20 04:07, Dominique Petitpierre wrote:

Alternatively,
- is it possible to have two provisioners, one taking care of the student members and the other of the staff members in the same target directory group?
(I don't quite see how full sync would work but asking just in case I am missing something!)

- Is it possible to select which Grouper group members should be synchronized? (eg. only students or only staff members)

If both source and target members could be selected, then such two provisioners could work.

Thanks in advance for your insights!

-- 
Mr Dominique Petitpierre, user=Dominique.Petitpierre domain=unige.ch
IT Division, University of Geneva, Switzerland

--
Jeffrey Williams 
Identity & Access Engineer
Identity & Access Services
https://its.uncg.edu
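The reconciliation described in the message above (the DTS / -Primary script, and the employee-to-student-account variant suggested for UNIGE), as an added example that is not the poster's script and not code from the Grouper project. It is a GSH (Groovy) sketch against the Grouper 2.4 API as I know it; the group names, the employeeNumber subject attribute name, the empty-source guard and the final "target" group are all assumptions for illustration.

```groovy
// Added example, not the poster's script: GSH (Groovy) reconciliation of a
// derived "student accounts of employees" group from an employee group.
// Group names and the employeeNumber attribute name are assumptions.
import edu.internet2.middleware.grouper.Group
import edu.internet2.middleware.grouper.GroupFinder
import edu.internet2.middleware.grouper.GrouperSession
import edu.internet2.middleware.grouper.Member
import edu.internet2.middleware.subject.Subject

GrouperSession session = GrouperSession.startRootSession()
try {
  // Assumed names: source of truth, pool of student accounts, derived group owned only by this script,
  // and the final group that the PSPNG provisioner actually pushes to the directory.
  Group employees = GroupFinder.findByName(session, "unige:app:ad:employees", true)
  Group students  = GroupFinder.findByName(session, "unige:ref:students", true)
  Group derived   = GroupFinder.findByName(session, "unige:app:ad:employees-student-accounts", true)
  Group target    = GroupFinder.findByName(session, "unige:app:ad:target", true)

  // Resolve a member to its subject; an unresolvable subject (the bello6 case in the thread)
  // is logged and skipped instead of aborting the whole run.
  Closure<Subject> resolve = { Member m ->
    try { return m.getSubject() } catch (Exception e) { println "skip unresolvable ${m.getSubjectId()}: ${e.message}"; return null }
  }
  // Key a subject by source + id so the same person in two sources (ETU vs FCI) is never confused.
  Closure<String> keyOf = { Subject s -> s.getSourceId() + ":" + s.getId() }

  // 1. employeeNumbers of the current employee members
  Set<String> employeeNumbers = new HashSet<String>()
  for (Member m : employees.getMembers()) {
    Subject s = resolve(m)
    String en = s?.getAttributeValue("employeeNumber")
    if (en) employeeNumbers.add(en)
  }
  // Guard: an empty source (loader failure, wrong group) must never empty the derived group.
  if (employeeNumbers.isEmpty()) {
    println "source group is empty, refusing to reconcile"
    return
  }

  // 2. student accounts sharing an employeeNumber with an employee = desired state
  Map<String, Subject> wanted = new HashMap<String, Subject>()
  for (Member m : students.getMembers()) {
    Subject s = resolve(m)
    String en = s?.getAttributeValue("employeeNumber")
    if (en && employeeNumbers.contains(en)) wanted.put(keyOf(s), s)
  }

  // 3. current state of the derived group
  Map<String, Subject> current = new HashMap<String, Subject>()
  for (Member m : derived.getMembers()) {
    Subject s = resolve(m)
    if (s) current.put(keyOf(s), s)
  }

  // 4. add first, then remove only what is no longer wanted.
  //    The "false" flag makes both calls idempotent (no exception if already in that state).
  int added = 0, removed = 0
  wanted.each  { k, s -> if (!current.containsKey(k)) { derived.addMember(s, false);    added++   } }
  current.each { k, s -> if (!wanted.containsKey(k))  { derived.deleteMember(s, false); removed++ } }
  println "derived group reconciled: added=${added} removed=${removed}"

  // 5. one-time wiring (idempotent): both groups feed the group the provisioner watches,
  //    so the employee group keeps driving membership without touching the provisioner config.
  target.addMember(employees.toSubject(), false)
  target.addMember(derived.toSubject(), false)
} finally {
  GrouperSession.stopQuietly(session)
}
```

Two caveats for anyone adapting this. The derived group must be owned by the script alone: step 4 removes any member it did not derive, so a hand-added member there will be dropped on the next run, which is the same deletion behaviour the message attributes to a PSPNG full sync, just confined to a group nobody else should edit. And unresolvable subjects are skipped in all three loops, so a stale, unresolvable member already in the derived group is left in place and needs a manual look rather than being silently deleted.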