Details
-
Bug
-
Resolution: Fixed
-
Minor
-
None
-
None
-
None
Description
Hello,
With PSPNG 2.3 Patch 21, a full sync deletes all provisioned attribute
My config :
## Alimentation de l'attribut FrEduLilHabilitation dans la branche ou=ac-lille,ou=education,o=gouv,c=fr
changeLog.consumer.pspng_attrFrEduLilHabilitation.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.pspng_attrFrEduLilHabilitation.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
changeLog.consumer.pspng_attrFrEduLilHabilitation.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_attrFrEduLilHabilitation.ldapPoolName = aclille
changeLog.consumer.pspng_attrFrEduLilHabilitation.provisionedAttributeName = FrEduLilHabilitation
changeLog.consumer.pspng_attrFrEduLilHabilitation.provisionedAttributeValueFormat = Grouper|${group.name}
changeLog.consumer.pspng_attrFrEduLilHabilitation.userSearchBaseDn = ou=ac-lille,ou=education,o=gouv,c=fr
changeLog.consumer.pspng_attrFrEduLilHabilitation.userSearchFilter = uid=${subject.id}
changeLog.consumer.pspng_attrFrEduLilHabilitation.groupSelectionExpression = ${name.startsWith("app:") && name.contains(":habil:")}
changeLog.consumer.pspng_attrFrEduLilHabilitation.grouperIsAuthoritative = true
changeLog.consumer.pspng_attrFrEduLilHabilitation.allProvisionedValuesPrefix = Grouper|
Incremental provisioning works well : adding/deleting someone in a group like app:habil:testa result in adding/deleting the provisioned attribute in the user ldap entry
This problem occurs only with the full sync...
For this config we use a specific groupSelectionExpression.
I used gsh to evaluate Group selection and the result is empty :
groovy:000> provisioner_name="pspng_attrFrEduLilHabilitation"
===> pspng_attrFrEduLilHabilitation
groovy:000> gs=GrouperSession.startRootSession();
===> 15fb4e8176344454a3b63e1e5671156f,'GrouperSystem','application'
groovy:000> provisioner=edu.internet2.middleware.grouper.pspng.ProvisionerFactory.createProvisioner(provisioner_name,false);
===> LdapAttributeProvisioner[pspng_attrFrEduLilHabilitation]
groovy:000> provisioner.getAllGroupsForProvisioner();
===> []
In the log :
2018-09-19 15:34:57,558: [main] DEBUG Provisioner.getAllGroupsForProvisioner(1520) - - Looking for folders that match attribute etc:pspng:provision_to=pspng_attrFrEduLilHabilitation
2018-09-19 15:34:57,605: [main] DEBUG Provisioner.getAllGroupsForProvisioner(1522) - - Looking for groups that match attribute etc:pspng:provision_to=pspng_attrFrEduLilHabilitation
2018-09-19 15:34:57,637: [main] DEBUG Provisioner.getAllGroupsForProvisioner(1532) - - pspng_attrFrEduLilHabilitation: There are 0 folders that match etc:pspng:provision_to attribute
2018-09-19 15:34:57,637: [main] DEBUG Provisioner.getAllGroupsForProvisioner(1533) - - pspng_attrFrEduLilHabilitation: There are 0 groups that match etc:pspng:provision_to attribute
2018-09-19 15:34:57,638: [main] DEBUG Provisioner.getAllGroupsForProvisioner(1520) - - Looking for folders that match attribute etc:pspng:do_not_provision_to=pspng_attrFrEduLilHabilitation
2018-09-19 15:34:57,677: [main] DEBUG Provisioner.getAllGroupsForProvisioner(1522) - - Looking for groups that match attribute etc:pspng:do_not_provision_to=pspng_attrFrEduLilHabilitation
2018-09-19 15:34:57,715: [main] DEBUG Provisioner.getAllGroupsForProvisioner(1532) - - pspng_attrFrEduLilHabilitation: There are 0 folders that match etc:pspng:do_not_provision_to attribute
2018-09-19 15:34:57,716: [main] DEBUG Provisioner.getAllGroupsForProvisioner(1533) - - pspng_attrFrEduLilHabilitation: There are 0 groups that match etc:pspng:do_not_provision_to attribute
Thanks,
Yoann