
grouper-users - [grouper-users] using two instances of PSPNG

Subject: Grouper Users - Open Discussion List

  • From: Ben Beecher <>
  • To: " Mailing List" <>
  • Subject: [grouper-users] using two instances of PSPNG
  • Date: Wed, 21 Sep 2022 09:05:40 -0400

I am using two instances of PSPNG to provision groups in Active Directory. One provisioner creates Security Universal groups with group type -2147483640 for groups under cu:app:adcu_universal. The other provisioner creates regular groups in Active Directory for groups under cu:app:adcu.

The cu:app:adcu folder in Grouper has the provision_to attribute with "adcu" as the assignment value.
The cu:app:adcu_universal folder in Grouper has the provision_to attribute with "adcu_universal" as the assignment value.

The two provisioners are conflicting with each other for groups under cu:app:adcu_universal. The group type for each group is set to -2147483640 and then it is set to 0, back and forth, over and over. How can I prevent the adcu provisioner from updating groups in the adcu_universal folder? These are the grouper-loader properties for both provisioners:

# pspng: adcu provisioner
#
ldap.adcu.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu.useStartTLS = false
changeLog.consumer.adcu.ldapPoolName = adcu
changeLog.consumer.adcu.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu.quartzCron = 0 * * * * ?
changeLog.consumer.adcu.isActiveDirectory = true
changeLog.consumer.adcu.memberAttributeName = member
changeLog.consumer.adcu.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}
changeLog.consumer.adcu.supportsEmptyGroups = false
changeLog.consumer.adcu.retryOnError = false
changeLog.consumer.adcu.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu.searchResultPagingEnabled = false
changeLog.consumer.adcu.createMissingUsers = false
changeLog.consumer.adcu.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu.userSearchAttributes = sAMAccountName,dn,objectClass,cn
changeLog.consumer.adcu.grouperIsAuthoritative = true
changeLog.consumer.adcu.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu.targetSystemUserCacheSize = 400000
otherJob.adcu_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_full.quartzCron = 0 0 0/2 * * ?


# pspng: adcu_universal provisioner
#
# grouptype is -2147483640 for Security Universal groups
#
ldap.adcu_universal.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu_universal.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu_universal.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu_universal.useStartTLS = false
changeLog.consumer.adcu_universal.ldapPoolName = adcu_universal
changeLog.consumer.adcu_universal.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu_universal.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu_universal.quartzCron = 0 * * * * ?
changeLog.consumer.adcu_universal.isActiveDirectory = true
changeLog.consumer.adcu_universal.memberAttributeName = member
changeLog.consumer.adcu_universal.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu_universal.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu_universal.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu_universal.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}||groupType: -2147483640
changeLog.consumer.adcu_universal.supportsEmptyGroups = false
changeLog.consumer.adcu_universal.retryOnError = false
changeLog.consumer.adcu_universal.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu_universal.searchResultPagingEnabled = false
changeLog.consumer.adcu_universal.createMissingUsers = false
changeLog.consumer.adcu_universal.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu_universal.userSearchAttributes = samAccountName,dn,objectClass,cn
changeLog.consumer.adcu_universal.grouperIsAuthoritative = true
changeLog.consumer.adcu_universal.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu_universal.targetSystemUserCacheSize = 400000
otherJob.adcu_universal_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_universal_full.quartzCron = 0 0 0/2 * * ?

Ben
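
Added example, not part of the original post or of Grouper: a small Python lint for a grouper-loader properties file that flags PSPNG consumers pointing at the same ldapUrl where one consumer's groupSearchBaseDn contains another's and the outer consumer sets grouperIsAuthoritative = true, as is the case for adcu and adcu_universal above. The function names are hypothetical, the sample input is constructed from the values in the post, and whether this overlap is what drives the groupType changes is an assumption the thread does not confirm.

```python
import re
from collections import defaultdict

# Constructed input: only the keys this check reads, values copied from the post.
SAMPLE = """\
ldap.adcu.ldapUrl = ldaps://adcu.columbia.edu
changeLog.consumer.adcu.ldapPoolName = adcu
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.grouperIsAuthoritative = true
ldap.adcu_universal.ldapUrl = ldaps://adcu.columbia.edu
changeLog.consumer.adcu_universal.ldapPoolName = adcu_universal
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.grouperIsAuthoritative = true
"""

def parse(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def rdns(dn):
    # Naive split: assumes no escaped commas, which holds for the DNs in the post.
    return [part.strip().lower() for part in dn.split(",")] if dn else []

def overlapping_bases(text):
    """Return sorted (outer, inner) consumer pairs whose group search bases overlap."""
    props = parse(text)
    consumers = defaultdict(dict)
    for key, value in props.items():
        m = re.match(r"changeLog\.consumer\.([^.]+)\.(.+)$", key)
        if m:
            consumers[m.group(1)][m.group(2)] = value
    found = []
    for outer, o in consumers.items():
        for inner, i in consumers.items():
            o_url = props.get(f"ldap.{o.get('ldapPoolName')}.ldapUrl")
            i_url = props.get(f"ldap.{i.get('ldapPoolName')}.ldapUrl")
            o_base, i_base = rdns(o.get("groupSearchBaseDn")), rdns(i.get("groupSearchBaseDn"))
            if (outer != inner and o_url and o_url == i_url and o_base
                    and i_base[-len(o_base):] == o_base
                    and o.get("grouperIsAuthoritative", "").lower() == "true"):
                found.append((outer, inner))
    return sorted(found)

if __name__ == "__main__":
    for outer, inner in overlapping_bases(SAMPLE):
        print(f"{outer}: groupSearchBaseDn contains the base of {inner}")
```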

