
grouper-users - Re: [grouper-users] using two instances of PSPNG

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] using two instances of PSPNG


  • From: Sudheer Singidi <>
  • To: "Hyzer, Chris" <>
  • Cc: " Mailing List" <>, Ben Beecher <>
  • Subject: Re: [grouper-users] using two instances of PSPNG
  • Date: Wed, 9 Nov 2022 10:17:16 -0600

In addition to what Chris proposed, can you try using different accounts in the provisioners to write groups to AD? Have the "CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu" account provision groups under "OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu" for the "adcu_universal" provisioner, and use a different account that has privileges to provision groups under "OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu" only for the "adcu" provisioner.

On Wed, Nov 9, 2022 at 10:01 AM Hyzer, Chris <> wrote:
Can we discuss this on Slack? Was it resolved? I wonder if it is because one config ID is the prefix of the other? Maybe rename the config ID and all the provision_to attribute values from adcu to adcu2 so that it will not be a prefix of adcu_universal?


From: <> on behalf of Ben Beecher <>
Sent: Wednesday, September 21, 2022 9:05 AM
To: Mailing List <>
Subject: [grouper-users] using two instances of PSPNG
 
I am using two instances of PSPNG to provision groups in Active Directory. One provisioner creates Security Universal groups with group type -2147483640 for groups under cu:app:adcu_universal. The other provisioner creates regular groups in Active Directory for groups under cu:app:adcu.

The cu:app:adcu folder in Grouper has the provision_to attribute with "adcu" as the assignment value.
The cu:app:adcu_universal folder in Grouper has the provision_to attribute with "adcu_universal" as the assignment value.

The two provisioners are conflicting with each other for groups under cu:app:adcu_universal. The group type for each group is set to -2147483640 and then it is set to 0, back and forth, over and over. How can I prevent the adcu provisioner from updating groups in the adcu_universal folder? These are the grouper-loader properties for both provisioners:

# pspng: adcu provisioner
#
ldap.adcu.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu.useStartTLS = false
changeLog.consumer.adcu.ldapPoolName = adcu
changeLog.consumer.adcu.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu.quartzCron = 0 * * * * ?
changeLog.consumer.adcu.isActiveDirectory = true
changeLog.consumer.adcu.memberAttributeName = member
changeLog.consumer.adcu.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}
changeLog.consumer.adcu.supportsEmptyGroups = false
changeLog.consumer.adcu.retryOnError = false
changeLog.consumer.adcu.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu.searchResultPagingEnabled = false
changeLog.consumer.adcu.createMissingUsers = false
changeLog.consumer.adcu.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu.userSearchAttributes = sAMAccountName,dn,objectClass,cn
changeLog.consumer.adcu.grouperIsAuthoritative = true
changeLog.consumer.adcu.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu.targetSystemUserCacheSize = 400000
otherJob.adcu_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_full.quartzCron = 0 0 0/2 * * ?


# pspng: adcu_universal provisioner
#
# grouptype is -2147483640 for Security Universal groups
#
ldap.adcu_universal.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu_universal.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu_universal.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu_universal.useStartTLS = false
changeLog.consumer.adcu_universal.ldapPoolName = adcu_universal
changeLog.consumer.adcu_universal.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu_universal.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu_universal.quartzCron = 0 * * * * ?
changeLog.consumer.adcu_universal.isActiveDirectory = true
changeLog.consumer.adcu_universal.memberAttributeName = member
changeLog.consumer.adcu_universal.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu_universal.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu_universal.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu_universal.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}||groupType: -2147483640
changeLog.consumer.adcu_universal.supportsEmptyGroups = false
changeLog.consumer.adcu_universal.retryOnError = false
changeLog.consumer.adcu_universal.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu_universal.searchResultPagingEnabled = false
changeLog.consumer.adcu_universal.createMissingUsers = false
changeLog.consumer.adcu_universal.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu_universal.userSearchAttributes = samAccountName,dn,objectClass,cn
changeLog.consumer.adcu_universal.grouperIsAuthoritative = true
changeLog.consumer.adcu_universal.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu_universal.targetSystemUserCacheSize = 400000
otherJob.adcu_universal_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_universal_full.quartzCron = 0 0 0/2 * * ?

Ben


--
Sudheer Singidi, DevOps Engineer - IAM
University of Minnesota
Office of Information Technology
1300 South 2nd Street
Minneapolis, MN 55454
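Not part of the thread: a constructed Python model of the conflict, written to illustrate Chris's hypothesis that a provisioner selects groups whose provision_to value merely starts with its config ID. The folder names, assignment values and groupType come from Ben's mail; the matching logic is an assumption for illustration, not PSPNG's code. It reproduces the groupType flapping Ben describes and shows that either exact matching or the rename to adcu2 stops it.

```python
"""Constructed model of the two-provisioner conflict in the thread. This is not
PSPNG's code: the prefix-matching selection is Chris's hypothesis, modelled here
so the groupType flapping and the rename fix can be seen side by side."""

# Constructed sample data taken from the thread: folder -> provision_to value,
# and provisioner config ID -> groupType its LDIF template sets (the adcu
# template sets none, modelled as 0, the value Ben saw written back).
PROVISION_TO = {"cu:app:adcu": "adcu", "cu:app:adcu_universal": "adcu_universal"}
PROVISIONERS = {"adcu": 0, "adcu_universal": -2147483640}

def folder_of(group_name):
    """Parent folder of a Grouper group name, e.g. cu:app:adcu:staff -> cu:app:adcu."""
    return group_name.rsplit(":", 1)[0]

def claims(group_name, config_id, provision_to, exact):
    """Does a provisioner select this group? exact=False models the
    hypothesised prefix match; exact=True models an exact match."""
    value = provision_to.get(folder_of(group_name))
    if value is None:
        return False
    return value == config_id if exact else value.startswith(config_id)

def simulate(group_name, provisioners=PROVISIONERS, provision_to=PROVISION_TO,
             exact=False, rounds=3):
    """Run incremental passes of each provisioner in turn and record every
    groupType write to the AD group. A stable setup writes at most once."""
    writes, group_type = [], None
    for _ in range(rounds):
        for config_id, desired in provisioners.items():
            if claims(group_name, config_id, provision_to, exact) and group_type != desired:
                group_type = desired
                writes.append((config_id, desired))
    return writes

def is_flapping(writes):
    """True when provisioners keep overwriting each other's groupType."""
    return len(writes) > 1 and len({t for _, t in writes}) > 1

# Chris's suggested fix, modelled: rename the config ID and the provision_to
# value so that neither ID is a prefix of the other.
RENAMED_TO = {"cu:app:adcu": "adcu2", "cu:app:adcu_universal": "adcu_universal"}
RENAMED_PROVISIONERS = {"adcu2": 0, "adcu_universal": -2147483640}

if __name__ == "__main__":
    print("prefix match:", simulate("cu:app:adcu_universal:staff"))
    print("exact match: ", simulate("cu:app:adcu_universal:staff", exact=True))
    print("renamed:     ", simulate("cu:app:adcu_universal:staff",
                                    RENAMED_PROVISIONERS, RENAMED_TO))
```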






