grouper-users - [grouper-users] using two instances of PSPNG
Subject: Grouper Users - Open Discussion List
- From: Ben Beecher
- To: "Mailing List"
- Subject: [grouper-users] using two instances of PSPNG
- Date: Wed, 21 Sep 2022 09:05:40 -0400
I am using two instances of PSPNG to provision groups in Active Directory. One provisioner creates Security Universal groups with group type -2147483640 for groups under cu:app:adcu_universal. The other provisioner creates regular groups in Active Directory for groups under cu:app:adcu.
The cu:app:adcu folder in Grouper has the provision_to attribute with "adcu" as the assignment value.
The cu:app:adcu_universal folder in Grouper has the provision_to attribute with "adcu_universal" as the assignment value.
The two provisioners are conflicting with each other for groups under cu:app:adcu_universal. The group type for each group is set to -2147483640 and then it is set to 0, back and forth, over and over. How can I prevent the adcu provisioner from updating groups in the adcu_universal folder? These are the grouper-loader properties for both provisioners:
# pspng: adcu provisioner
#
ldap.adcu.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu.useStartTLS = false
changeLog.consumer.adcu.ldapPoolName = adcu
changeLog.consumer.adcu.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu.quartzCron = 0 * * * * ?
changeLog.consumer.adcu.isActiveDirectory = true
changeLog.consumer.adcu.memberAttributeName = member
changeLog.consumer.adcu.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}
changeLog.consumer.adcu.supportsEmptyGroups = false
changeLog.consumer.adcu.retryOnError = false
changeLog.consumer.adcu.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu.searchResultPagingEnabled = false
changeLog.consumer.adcu.createMissingUsers = false
changeLog.consumer.adcu.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu.userSearchAttributes = sAMAccountName,dn,objectClass,cn
changeLog.consumer.adcu.grouperIsAuthoritative = true
changeLog.consumer.adcu.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu.targetSystemUserCacheSize = 400000
otherJob.adcu_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_full.quartzCron = 0 0 0/2 * * ?
# pspng: adcu_universal provisioner
#
# grouptype is -2147483640 for Security Universal groups
#
ldap.adcu_universal.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu_universal.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu_universal.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu_universal.useStartTLS = false
changeLog.consumer.adcu_universal.ldapPoolName = adcu_universal
changeLog.consumer.adcu_universal.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu_universal.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu_universal.quartzCron = 0 * * * * ?
changeLog.consumer.adcu_universal.isActiveDirectory = true
changeLog.consumer.adcu_universal.memberAttributeName = member
changeLog.consumer.adcu_universal.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu_universal.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu_universal.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu_universal.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}||groupType: -2147483640
changeLog.consumer.adcu_universal.supportsEmptyGroups = false
changeLog.consumer.adcu_universal.retryOnError = false
changeLog.consumer.adcu_universal.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu_universal.searchResultPagingEnabled = false
changeLog.consumer.adcu_universal.createMissingUsers = false
changeLog.consumer.adcu_universal.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu_universal.userSearchAttributes = samAccountName,dn,objectClass,cn
changeLog.consumer.adcu_universal.grouperIsAuthoritative = true
changeLog.consumer.adcu_universal.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu_universal.targetSystemUserCacheSize = 400000
otherJob.adcu_universal_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_universal_full.quartzCron = 0 0 0/2 * * ?
Ben
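
Added example (not part of the original post and not Grouper code): a small check over the two provisioner configs that reports when one provisioner's groupSearchBaseDn lies inside another's, as OU=Universal,OU=Grouper,... lies inside OU=Grouper,... here, and that decodes groupType -2147483640 into its Active Directory flag bits. The function names are illustrative, the sample keeps only the keys the check reads, and that PSPNG searches each base DN with subtree scope is an assumption.

```python
import re

# Constructed sample: keys copied from the post; creation templates abbreviated.
SAMPLE = """\
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.groupCreationLdifTemplate = dn: cn=${group.name}||objectclass: group
changeLog.consumer.adcu.grouperIsAuthoritative = true
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.groupCreationLdifTemplate = dn: cn=${group.name}||objectclass: group||groupType: -2147483640
changeLog.consumer.adcu_universal.grouperIsAuthoritative = true
"""
# Active Directory groupType bit flags: three scope bits plus the security bit.
GROUP_TYPE_FLAGS = {0x2: "GLOBAL", 0x4: "DOMAIN_LOCAL", 0x8: "UNIVERSAL", 0x80000000: "SECURITY_ENABLED"}

def parse_consumers(text):
    """Return {consumer_name: {key: value}} for changeLog.consumer.* lines."""
    consumers, pat = {}, re.compile(r"^changeLog\.consumer\.([^.\s]+)\.(\w+)\s*=\s*(.*)$")
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            consumers.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return consumers

def rdns(dn):
    """Split a DN on unescaped commas, lowercased for comparison."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def overlapping_bases(consumers):
    """Pairs (outer, inner) where inner's group base DN is at or below outer's."""
    base = {n: rdns(c["groupSearchBaseDn"]) for n, c in consumers.items()}
    return [(o, i) for o in base for i in base
            if o != i and base[i][-len(base[o]):] == base[o]]

def decode_group_type(value):
    """Names of the flags set in a signed 32-bit groupType value."""
    return [n for bit, n in GROUP_TYPE_FLAGS.items() if (value & 0xFFFFFFFF) & bit]

def template_group_type(consumer):
    """groupType set by the creation LDIF template, or None if it sets none."""
    m = re.search(r"groupType:\s*(-?\d+)", consumer.get("groupCreationLdifTemplate", ""), re.I)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    cfg = parse_consumers(SAMPLE)
    for outer, inner in overlapping_bases(cfg):
        print(f"{inner} groups live inside the {outer} search base; authoritative:",
              cfg[outer]["grouperIsAuthoritative"], "| groupType set by templates:",
              {n: template_group_type(cfg[n]) for n in (outer, inner)})
    print(decode_group_type(-2147483640))
```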