grouper-users - Re: [grouper-users] using two instances of PSPNG

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: " Mailing List" <>, Ben Beecher <>
  • Subject: Re: [grouper-users] using two instances of PSPNG
  • Date: Wed, 9 Nov 2022 16:00:40 +0000

Can we discuss this on Slack? Was it resolved? I wonder if it is because one config ID is the prefix of the other? Maybe rename the config ID and all the provision_to attribute values from adcu to adcu2 so that will not be a prefix of adcu_universal?


From: <> on behalf of Ben Beecher <>
Sent: Wednesday, September 21, 2022 9:05 AM
To: Mailing List <>
Subject: [grouper-users] using two instances of PSPNG
 
I am using two instances of PSPNG to provision groups in Active Directory. One provisioner creates Security Universal groups with group type -2147483640 for groups under cu:app:adcu_universal. The other provisioner creates regular groups in Active Directory for groups under cu:app:adcu.

The cu:app:adcu folder in Grouper has the provision_to attribute with "adcu" as the assignment value.
The cu:app:adcu_universal folder in Grouper has the provision_to attribute with "adcu_universal" as the assignment value.

The two provisioners are conflicting with each other for groups under cu:app:adcu_universal. The group type for each group is set to -2147483640 and then it is set to 0, back and forth, over and over. How can I prevent the adcu provisioner from updating groups in the adcu_universal folder? These are the grouper-loader properties for both provisioners:

# pspng: adcu provisioner
#
ldap.adcu.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu.useStartTLS = false
changeLog.consumer.adcu.ldapPoolName = adcu
changeLog.consumer.adcu.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu.quartzCron = 0 * * * * ?
changeLog.consumer.adcu.isActiveDirectory = true
changeLog.consumer.adcu.memberAttributeName = member
changeLog.consumer.adcu.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}
changeLog.consumer.adcu.supportsEmptyGroups = false
changeLog.consumer.adcu.retryOnError = false
changeLog.consumer.adcu.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu.searchResultPagingEnabled = false
changeLog.consumer.adcu.createMissingUsers = false
changeLog.consumer.adcu.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu.userSearchAttributes = sAMAccountName,dn,objectClass,cn
changeLog.consumer.adcu.grouperIsAuthoritative = true
changeLog.consumer.adcu.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu.targetSystemUserCacheSize = 400000
otherJob.adcu_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_full.quartzCron = 0 0 0/2 * * ?


# pspng: adcu_universal provisioner
#
# grouptype is -2147483640 for Security Universal groups
#
ldap.adcu_universal.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu_universal.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu_universal.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu_universal.useStartTLS = false
changeLog.consumer.adcu_universal.ldapPoolName = adcu_universal
changeLog.consumer.adcu_universal.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu_universal.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu_universal.quartzCron = 0 * * * * ?
changeLog.consumer.adcu_universal.isActiveDirectory = true
changeLog.consumer.adcu_universal.memberAttributeName = member
changeLog.consumer.adcu_universal.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu_universal.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu_universal.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu_universal.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}||groupType: -2147483640
changeLog.consumer.adcu_universal.supportsEmptyGroups = false
changeLog.consumer.adcu_universal.retryOnError = false
changeLog.consumer.adcu_universal.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu_universal.searchResultPagingEnabled = false
changeLog.consumer.adcu_universal.createMissingUsers = false
changeLog.consumer.adcu_universal.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu_universal.userSearchAttributes = samAccountName,dn,objectClass,cn
changeLog.consumer.adcu_universal.grouperIsAuthoritative = true
changeLog.consumer.adcu_universal.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu_universal.targetSystemUserCacheSize = 400000
otherJob.adcu_universal_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_universal_full.quartzCron = 0 0 0/2 * * ?

Ben
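
An added example, not part of either message and not Grouper or PSPNG code: a small lint over grouper-loader properties that flags the two overlaps visible in the configuration above, a consumer config ID that is a prefix of another (the relation the reply asks about) and a groupSearchBaseDn nested under another consumer's. The function names and the trimmed SAMPLE are constructed for illustration, and the thread does not establish whether either overlap causes the groupType flapping.

```python
import re

# Constructed sample: the four relevant lines copied from the two provisioners above.
SAMPLE = """\
changeLog.consumer.adcu.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
"""

# changeLog.consumer.<configId>.<property> = <value>; the value may itself contain '='.
KEY = re.compile(r"^changeLog\.consumer\.([^.\s]+)\.([^=\s]+)\s*=\s*(.*)$")

def parse_consumers(text):
    """Return {config_id: {property: value}}; comments and other keys are skipped."""
    consumers = {}
    for line in text.splitlines():
        m = KEY.match(line.strip())
        if m:
            cid, prop, value = m.groups()
            consumers.setdefault(cid, {})[prop] = value.strip()
    return consumers

def rdns(dn):
    """Split a DN into lower-cased RDNs (simple split; escaped commas not handled)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def dn_contains(outer, inner):
    """True when inner lies strictly below outer in the directory tree."""
    o, i = rdns(outer), rdns(inner)
    return len(i) > len(o) and i[-len(o):] == o

def find_overlaps(consumers):
    """List (kind, a, b): a's ID is a prefix of b's, or a's base DN contains b's."""
    findings = []
    for a in sorted(consumers):
        for b in sorted(consumers):
            if a == b:
                continue
            if b.startswith(a):
                findings.append(("id-prefix", a, b))
            base_a = consumers[a].get("groupSearchBaseDn")
            base_b = consumers[b].get("groupSearchBaseDn")
            if base_a and base_b and dn_contains(base_a, base_b):
                findings.append(("nested-base-dn", a, b))
    return findings

if __name__ == "__main__":
    print(find_overlaps(parse_consumers(SAMPLE)))
```

Run against the full properties file, it reports every consumer pair that shares an ID prefix or whose group search bases overlap, so both can be reviewed before two provisioners are pointed at the same directory.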


