  1. Grouper
  2. GRP-1312

PSPNG: Group Selection - too much or too little


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.3.1, 2.3.0.patch
    • 2.3.0
    • provisioning
    • None

    Description

      The default group-selection logic is behaving as an all-or-nothing setting.

      From the grouper-users list:
      I’m attempting to give PSPNG a spin, and am having some difficulty with the default groupSelectionExpression.
      The goal is to provision a single security group to an active directory service. I’m using Grouper 2.3.0, and the matching PSPNG.

      If I have no groups or folders assigned the attribute “provision_to”, nothing gets provisioned to the active directory target as expected.
      If I have at least one group or folder assigned the “provision_to” attribute with the target name as a value, ALL groups get provisioned to the active directory target.
      If I have one group assigned the “provision_to” attribute with target name, and “do_not_provision_to” attribute with target name assigned to all other groups, ALL groups get provisioned to the active directory (including those assigned do_not_provision_to).
      Have I missed a step, or misunderstood something?

      Somewhat sanitized configuration below:

      #### PSPNG Config ####
      # Nexus Active Directory Groups
      ldap.AD.ldapUrl = ldap://example.com:389
      ldap.AD.bindDn = !!blah@example.com
      ldap.AD.bindCredential = XXXXX

      changeLog.consumer.pspng_nexus.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
      changeLog.consumer.pspng_nexus.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
      changeLog.consumer.pspng_nexus.quartzCron = 0 * * * * ?
      changeLog.consumer.pspng_nexus.ldapPoolName = AD
      changeLog.consumer.pspng_nexus.memberAttributeName = member
      changeLog.consumer.pspng_nexus.memberAttributeValueFormat = ${ldapUser.getDn()}
      changeLog.consumer.pspng_nexus.groupSearchBaseDn = OU=Security Groups,DC=Example,DC=com
      changeLog.consumer.pspng_nexus.allGroupsSearchFilter = objectclass=group
      changeLog.consumer.pspng_nexus.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name}))
      changeLog.consumer.pspng_nexus.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group
      changeLog.consumer.pspng_nexus.userSearchBaseDn = OU=people,DC=example,DC=com
      changeLog.consumer.pspng_nexus.userSearchFilter = samAccountName=${subject.id}
      changeLog.consumer.pspng_nexus.isActiveDirectory = TRUE

      changeLog.psp.fullSync.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
      changeLog.psp.fullSync.quartzCron = 0 0 * * * ?
      changeLog.psp.fullSync.runAtStartup = true

      Thanks,
      Sean.
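
Added example, not part of the original issue and not PSPNG's code: a small Python model that computes which groups the attribute assignments should select for a target, reproduces the all-or-nothing behaviour described in the report, and lists the groups that end up in the target without being selected. The group names, the use of `pspng_nexus` as the target name, and the precedence rule (the nearest assignment on the group or an enclosing folder decides, with do_not_provision_to checked first) are assumptions.

```python
# Constructed sample data: names are hypothetical; attributes are those
# assigned directly to each group or folder. Folder levels are ":"-separated.
TARGET = "pspng_nexus"  # assumed target name (consumer name in the config)
ASSIGNMENTS = {
    "app:nexus": {"provision_to": {TARGET}},
    "app:nexus:temp": {"do_not_provision_to": {TARGET}},
    "app:other:staff": {"do_not_provision_to": {TARGET}},
}
GROUPS = ["app:nexus:admins", "app:nexus:temp", "app:other:staff"]


def lineage(name):
    """Return the group itself, then each enclosing folder, nearest first."""
    parts = name.split(":")
    return [":".join(parts[:i]) for i in range(len(parts), 0, -1)]


def expected_selection(groups, assignments, target):
    """Assumed intent: the nearest assignment naming the target decides,
    and do_not_provision_to is checked before provision_to."""
    selected = set()
    for group in groups:
        for node in lineage(group):
            attrs = assignments.get(node, {})
            if target in attrs.get("do_not_provision_to", ()):
                break
            if target in attrs.get("provision_to", ()):
                selected.add(group)
                break
    return selected


def reported_selection(groups, assignments, target):
    """Behaviour described in the report: one provision_to assignment
    anywhere selects every group; none selects nothing."""
    marked = any(target in a.get("provision_to", ()) for a in assignments.values())
    return set(groups) if marked else set()


def unexpected_in_target(found, groups, assignments, target):
    """Groups present in the target that the attributes do not select."""
    return set(found) - expected_selection(groups, assignments, target)


if __name__ == "__main__":
    found = reported_selection(GROUPS, ASSIGNMENTS, TARGET)
    print(sorted(unexpected_in_target(found, GROUPS, ASSIGNMENTS, TARGET)))
```

In practice `found` would be the list of group names returned by a search under the configured groupSearchBaseDn rather than the simulated result used here.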

            People

              bert.beelindgren@at.internet2.edu Bert Bee-Lindgren