Grouper Users - Open Discussion List

[Andrew Jason Morgan <>]

Todd,

Do Grouper's logs show the deletion of the groups?  You may be able to gain an understanding of PSPNG's actions by following the logs.  I have not seen this problem before, but I've spent a lot of time investigating PSPNG...

Also, do you mind sharing your PSPNG config?

Thanks,

Andy

---

From: <> on behalf of Weston, Todd <>
Sent: Saturday, September 19, 2020 6:07 PM
To: <>
Subject: [grouper-users] Head Scratcher...

 

[This email originated from outside of OSU. Use caution with links and attachments.]

OK – this is one I cannot explain – any clues would be appreciated.

 

We are building our second instance of Grouper (Prod this time) and have used all GSH commands to build out the entire structure.

 

I added one of the seven provisioners to a test folder and made three groups which all provisioned in AD as expected. Only the “test:ad” folder below had the pspng attribute and value applied:

 

The other six provisioners defined were to be applied to the  affiliates, employees and students folders in “wsu.edu:bundle:ad:campus.groups” and “wsu.edu:bundle:ad:role.groups” folder once the test groups were confirmed. All seven provisioners have a unique OU in the directory structure – naming in AD is similar to the folder structure in Grouper.

 

While only the one test provisioner was in place, I noticed that there were two classes of employee groups and two classes of student groups that had naming capitalization inconsistencies with our AD groups. I’m not sure if that would have been a problem, but I wanted to clean them up. So I made a list of the groups needing changes, ran a GSH script to remove them and regenerate them with the updated spelling version. All of our bundle groups are composites and no provisioning attributers had yet been applied to the folders. I didn’t even think to worry. The groups I deleted (which were empty and not provisioning) via GSH caused their counterparts in AD to delete – a behavior I would expect if provisioning were in place. We were able to restore the groups via the AD recycle bin, but the result was that thousands of employees and students lost critical group memberships – but wouldn’t realize until the following day when their Kerberos and SAML tickets expired.

 

Does anyone have any idea about how this would have occurred? I’ve triple checked the folders and the groups for provisioner attributes and there are none.  I’m wondering if there is more juice in GSH to look at grouper-loader properties and find groups being removed via shell? Totally scratching my head over this. I’m fairly certain I won’t do anything to cause a repeat, but the circumstances seem fishy.

 

-

Todd Weston

Information Security Analyst, Identity |

Information Technology Services | Washington State University

Phone 509.335.4479 PO Box 641222 Pullman, WA  99164-1222