
grouper-users - Re: [grouper-users] using two instances of PSPNG

Subject: Grouper Users - Open Discussion List

  • From: Ben Beecher <>
  • To: Sudheer Singidi <>
  • Cc: "Hyzer, Chris" <>, "Mailing List" <>
  • Subject: Re: [grouper-users] using two instances of PSPNG
  • Date: Wed, 9 Nov 2022 11:59:45 -0500

This was resolved by changing the active directory OU for universal groups so that it is now separate from the OU for regular groups.
Ben

On Wed, Nov 9, 2022 at 11:17 AM Sudheer Singidi <> wrote:
In addition to what Chris proposed, can you try using different accounts in the provisioners to write groups in AD? Have the "CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu" account provision groups under "OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu" for the "adcu_universal" provisioner, and use a different account that has privileges to provision groups under "OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu" only for the "adcu" provisioner.

On Wed, Nov 9, 2022 at 10:01 AM Hyzer, Chris <> wrote:
Can we discuss this on Slack? Was it resolved? I wonder if it is because one config ID is the prefix of the other? Maybe rename the config ID and all the provision_to attribute values from adcu to adcu2 so that it will not be a prefix of adcu_universal?


From: <> on behalf of Ben Beecher <>
Sent: Wednesday, September 21, 2022 9:05 AM
To: Mailing List <>
Subject: [grouper-users] using two instances of PSPNG
 
I am using two instances of PSPNG to provision groups in Active Directory. One provisioner creates Security Universal groups with group type -2147483640 for groups under cu:app:adcu_universal. The other provisioner creates regular groups in Active Directory for groups under cu:app:adcu.

The cu:app:adcu folder in Grouper has the provision_to attribute with "adcu" as the assignment value.
The cu:app:adcu_universal folder in Grouper has the provision_to attribute with "adcu_universal" as the assignment value.

The two provisioners are conflicting with each other for groups under cu:app:adcu_universal. The group type for each group is set to -2147483640 and then it is set to 0, back and forth, over and over. How can I prevent the adcu provisioner from updating groups in the adcu_universal folder? These are the grouper-loader properties for both provisioners:

# pspng: adcu provisioner
#
ldap.adcu.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu.useStartTLS = false
changeLog.consumer.adcu.ldapPoolName = adcu
changeLog.consumer.adcu.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu.quartzCron = 0 * * * * ?
changeLog.consumer.adcu.isActiveDirectory = true
changeLog.consumer.adcu.memberAttributeName = member
changeLog.consumer.adcu.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}
changeLog.consumer.adcu.supportsEmptyGroups = false
changeLog.consumer.adcu.retryOnError = false
changeLog.consumer.adcu.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu.searchResultPagingEnabled = false
changeLog.consumer.adcu.createMissingUsers = false
changeLog.consumer.adcu.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu.userSearchAttributes = sAMAccountName,dn,objectClass,cn
changeLog.consumer.adcu.grouperIsAuthoritative = true
changeLog.consumer.adcu.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu.targetSystemUserCacheSize = 400000
otherJob.adcu_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_full.quartzCron = 0 0 0/2 * * ?


# pspng: adcu_universal provisioner
#
# grouptype is -2147483640 for Security Universal groups
#
ldap.adcu_universal.ldapUrl = ldaps://adcu.columbia.edu
ldap.adcu_universal.bindDn = CN=sys_idm_grouper,OU=Generic-Accounts,OU=Resources,DC=adcu,DC=columbia,DC=edu
ldap.adcu_universal.bindCredential = /var/grouper/auth/adcu_prod_bind_credential
ldap.adcu_universal.useStartTLS = false
changeLog.consumer.adcu_universal.ldapPoolName = adcu_universal
changeLog.consumer.adcu_universal.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu_universal.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.adcu_universal.quartzCron = 0 * * * * ?
changeLog.consumer.adcu_universal.isActiveDirectory = true
changeLog.consumer.adcu_universal.memberAttributeName = member
changeLog.consumer.adcu_universal.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.allGroupsSearchFilter = objectclass=group
changeLog.consumer.adcu_universal.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.replace(":",".")}))
changeLog.consumer.adcu_universal.groupSearchAttributes = dn,entryDN,cn,objectclass,name
changeLog.consumer.adcu_universal.groupCreationLdifTemplate = dn: cn=${group.name.replace(":",".")}||cn: ${group.name.replace(":",".")}||objectclass: group||samAccountName: ${group.name.replace(":",".")}||name: ${group.name.replace(":",".")}||groupType: -2147483640
changeLog.consumer.adcu_universal.supportsEmptyGroups = false
changeLog.consumer.adcu_universal.retryOnError = false
changeLog.consumer.adcu_universal.sleepTimeAfterError_ms = 30000
changeLog.consumer.adcu_universal.searchResultPagingEnabled = false
changeLog.consumer.adcu_universal.createMissingUsers = false
changeLog.consumer.adcu_universal.userSearchBaseDn = OU=People,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.userSearchFilter = samAccountName=${subject.id}
changeLog.consumer.adcu_universal.userSearchAttributes = samAccountName,dn,objectClass,cn
changeLog.consumer.adcu_universal.grouperIsAuthoritative = true
changeLog.consumer.adcu_universal.grouperSubjectCacheSize = 400000
changeLog.consumer.adcu_universal.targetSystemUserCacheSize = 400000
otherJob.adcu_universal_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
otherJob.adcu_universal_full.quartzCron = 0 0 0/2 * * ?

Ben


--
Sudheer Singidi, DevOps Engineer - IAM
University of Minnesota
Office of Information Technology
1300 south 2nd Street
Minneapolis,MN 55454
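A quick check for the two conditions raised in this thread: the universal provisioner's groupSearchBaseDn sitting inside the regular provisioner's subtree (the condition Ben's fix removed, since a subtree search from the parent OU also returns the child OU's groups), and one config ID being a prefix of the other (what Chris asked about). This is an added example for this archive page, not Grouper or PSPNG code, and it does not claim to reproduce PSPNG's own matching logic. It parses the changeLog.consumer.* lines from the posted grouper-loader.properties and flags overlapping pairs. The sample input is the thread's own config trimmed to the keys the check needs; the renamed OU in the "fixed" sample (OU=GrouperUniversal) is an assumption, because the thread does not name the new OU.

```python
"""Flag PSPNG provisioner pairs whose scopes can collide.

Two conditions are checked per pair of changeLog.consumer.<id> blocks:
  searchBaseSubtree  one groupSearchBaseDn is an ancestor of the other
  configIdPrefix     one config ID is a string prefix of the other
Added example, not Grouper/PSPNG code.
"""

import re
from typing import Dict, List, Tuple

# Constructed sample: the two provisioners as posted in the thread, reduced
# to the keys this check reads.
ORIGINAL_PROPERTIES = """
# pspng: adcu provisioner
changeLog.consumer.adcu.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu.groupSearchBaseDn = OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu.allGroupsSearchFilter = objectclass=group
# pspng: adcu_universal provisioner
changeLog.consumer.adcu_universal.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.adcu_universal.groupSearchBaseDn = OU=Universal,OU=Grouper,OU=Groups,OU=Resources,DC=adcu,DC=columbia,DC=edu
changeLog.consumer.adcu_universal.allGroupsSearchFilter = objectclass=group
"""

# Same provisioners after the fix Ben reported (universal OU moved out from
# under the regular one). The new OU name is an assumption.
FIXED_PROPERTIES = ORIGINAL_PROPERTIES.replace(
    "OU=Universal,OU=Grouper,OU=Groups,",
    "OU=GrouperUniversal,OU=Groups,",
)

# changeLog.consumer.<id>.<key> = <value>; the value may itself contain '='.
KEY_RE = re.compile(r"^changeLog\.consumer\.([^.]+)\.(\w+)\s*=\s*(.*)$")


def parse_provisioners(text: str) -> Dict[str, Dict[str, str]]:
    """Group the changeLog.consumer.* properties by provisioner config ID."""
    provisioners: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            pid, key, value = m.groups()
            provisioners.setdefault(pid, {})[key] = value.strip()
    return provisioners


def dn_components(dn: str) -> List[str]:
    """Split a DN into case-folded, whitespace-stripped RDNs.

    Sufficient for plain OU/DC paths like the ones in the thread; it does not
    handle RDN values with escaped commas.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_ancestor(parent: str, child: str) -> bool:
    """True when `child` lies strictly inside the subtree rooted at `parent`."""
    p, c = dn_components(parent), dn_components(child)
    return len(c) > len(p) and c[-len(p):] == p


def find_conflicts(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, outer_id, inner_id) for every overlapping pair."""
    provs = parse_provisioners(text)
    findings: List[Tuple[str, str, str]] = []
    for a in sorted(provs):
        for b in sorted(provs):
            if a == b:
                continue
            base_a = provs[a].get("groupSearchBaseDn")
            base_b = provs[b].get("groupSearchBaseDn")
            if base_a and base_b and is_ancestor(base_a, base_b):
                findings.append(("searchBaseSubtree", a, b))
            if b.startswith(a):
                findings.append(("configIdPrefix", a, b))
    return findings


if __name__ == "__main__":
    for label, props in (("as posted", ORIGINAL_PROPERTIES),
                         ("after moving the OU", FIXED_PROPERTIES)):
        print(f"{label}:")
        for kind, outer, inner in find_conflicts(props) or [("none", "-", "-")]:
            print(f"  {kind:18} {outer} -> {inner}")
```

Run against the posted config it reports both conditions; against the moved-OU variant only the config-ID prefix remains, which is consistent with the thread: separating the OUs alone resolved the flapping, but Chris's rename suggestion would be the way to remove the remaining overlap in naming as well.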






