Attending

Chris Hyzer, Penn, Chair
Shilen Patel, Duke
Chad Redman, University of North Carolina Chapel Hill
Vivek Sachdiva, independent
Carey Black, the Ohio State University
Scott Koranda, CILogon
Emily Eisbruch, Internet2

New Action Items from this call

AI Shilen -- Add a row to 2.5 upgrade task wiki re propagation changes for provisionable attributes, anyone using new provisioning framework should do this, most people don’t need it
AI Shilen and Chris - talk about null member for LIGO and get unit test working

DISCUSSION

https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
Approve minutes
Review AIs Grouper Project Action Items (Google Doc)
Agenda bash

LIGO Use Cases

Scott K: https://spaces.at.internet2.edu/display/Grouper/Requirements+from+LIGO+Project

LDAP provisioning
Work w PSP NG
LIGO has been a long time term user of Grouper and provisioning to LDAP way back to LDAP PC approach .
Involved thru CI Logon, Scott works for CI Logon https://www.cilogon.org/home
Getting LIGO from 2.3 to Grouper 2.5 container working in CI LOGON cloud
Found missing functionality in PSP NG that was in PSP in Grouper 2.3
Some trade offs, now mostly ready to go on a 2.5 image with PSP NG
Good to talk about the gaps and how they might be filled
One app must be transitioned to getting info it needs from web services
Three items
PSP supported provisioning of empty group where object class is group of names in open LDAP
LIGO wants that to continue they, know open LDAP well
They rely on SYMPA, mailing list
Need to access/handle empty groups, some sympa lists can be empty. The PSP enabled provisioning of empty groups into LDAP with the groupOfNames objectClass (which requires the member attribute) by provisioning the member attribute with the null DN as value.
Q: does underlying API for LDAP support this?
Shilen: with new LDAP provisioning framework, the default value can be a blank string, that should provision the member attributes w nothing.
could have boolean value
Required but blank is seen as missing
Need to handle this case
Server accepts member attribute w no value
Be sure LDAP session can assign member attribute w no value
Chad: If no members, instead of blank, set to root user, (not production ready)
Add test case to LDAP server

Nesting groups, The PSP enabled provisioning of "nested" groups in LDAP, represented both in the member attribute and the hasMember attribute (again, using groupOfNames as the objectClass):
Likely negotiated away for LIGO
Assumption in provisioning framework, ….
Translations w JEXL
No translation per subject source
If nested in multiple ways, could miss a group

Q: If a group is a member of a group in LDAP is it an immediate member, or effective, of a group in Grouper?
A: Immediate
Potential edge case
Chris: Ignore change log issue and resolve in full sync
Gap of provisioning multiple subject sources w different translations. No use case for this right now
Carey: consider service principles, local subjects to a given provisioning system
Not all tied to a subject source
Chad : we have that use case, different OUs
Carey: Subjects from the internal subject sources only from a folder or list of stems
Model subjects to provisioned systems
Could create in different OUs and translate differently
Multiple provisioned systems
Configuration of a provisioner could get more complex, and it’s already complex
Chris: we don’t have a precise plan, do the things we know we need now

The PSP-NG forced a change in the LIGO LDAP by requiring an attribute with a unique value on each group, even when using a "bushy" approach

Had to add an attribute for each group w unique value
LIGO complaint , this is Unnecessary extra info , want it to go away
Chris: we store STATE in Grouper
Extra attribute helps when you move or rename a group
ID index never changes
To do an efficient full sync, hope to retrieve all groups at once
If all groups in one OU it’s easy, but if not, this ID Index helps
Suggestion to store number as attribute
Not required by the new framework
Recommended if LDAP people don’t complain
Liam at U-MICH wants group provisioned, bushy, point to groups outside of the provisioned OU.
Is Grouper authoritative for all the groups or just one source, and leave others alone.
When more solidified with LDAP, have a section in wiki to describe pros and cons
Scott: be concrete on which attribute to use from the Grouper side
Tried ID (UUID) , but does not flow out of point in time tables
Hoping new provisioning framework solves point in time issues
Point in Time holds UUID, but not ID
Scott: there was an issue w UUID
Q: Change log consumer , rename or delete, is it processed as an event?
A: Incremental handles that
Chris: Specify search OU and filter, wants to get only groups for that application, could be multiple OUs, couldn’t make a filter that looks at the DN with wildcards, use another attribute extension attribute 10 for full name of the group, you can filter on that with wildcards, even in bushy system
Request to Scott to kick tires on new provisioning system when time is right

AI Shilen and Chris will talk about null member for LIGO and get unit test working

Current Work

Vivek

Duo mock server
To test integration
Flip the domain name
URL from Grouper to real DUO
Tomcat, problem on MAC, works on Windows
Switch from local to real and it should just work
Once basic tests are done, will work on hooking w provisioner
Create a group and provision to DUO, provision a user to DUO.
Server side of DUO is implemented in mock server
Would like to store configs in the database table
To share test configs
Unit tests against DUO to test for releases
DUO is unusual, can’t search for a group by name,

Workaround: You can get all the groups, thus provisioning engine can see if the group is in the cache

The provisioner generally expects that
Provisioning engine will need to do things slightly differently
Membership provisioning, can’t do a group sync
Can see all the groups a member is in
“To retrieve group members” use this (in V2, not in V1)
Disabled flags on the DUO side
A group can be disabled,
Active, bypass or disabled, right now we ignore that.
Goal: get unit tests working to provisioning members and groups
Then work on Admin Role
Comments: good work, looks great
Similar to the Azure work
Long term goal: whatever CICD we have could take advantage of this
Run all tests for DUO or Azure, would be a big plus
Now we need a DUO account to test
DUO gives you a free account
Goal : end to end provisioner testing, then move on to roles

Shilen

Working on propagation changes for provisionable attributes
Should be done now
Go to UI and mark folder as provisionable , set metadata,
The groups under wont have attribute framework attributes anymore
The provisioner will add the data to the Sync object directly
Performance is better now, based on shilen’s tests
Method to clean up old assignments
Need to make this an upgrade task

AI Shilen -- Add a row to 2.5 upgrade task wiki re propagation changes for provisionable attributes , anyone using new provisioning framework should do this, most people don’t need it

Sync table issue resolved now
Fixed other issues
If group is provisionable and then no longer provisionable, sync table was updated correctly but there was still an issue in the target. Shilen looking at this. Not solved yet.
Will retest performance

Chris

Issue of labels for GSH templates

Null label
Carey: Issue of output from script, backend GSH
AI Chris will fix GRP-3476
Chris will create a new Grouper release
Hoping for more adoption and replacing PSP NG
Chris working on Mock services
Working w Vivek on DUO
GSH template issues
Need to get list of TO DOs for the provisioner
Things LIAM has suggested
Number of inserts does not match up
UI does not perfectly reflect what’s happening
Will collect , prioritize and fix

Chad

Working on Web AUTHN project at UNC
Hoping to finish in a week or so
There are pilot groups for passwordless device authentication

Grouper Training June 22 to June 25 https://www.incommon.org/academy/grouper/

Will start weekly meetings for Grouper training
For training: fix basis groups versus reference groups in examples used in class
Student years should go into basis groups
Switch to new subject source wizard
Use workbench instead of GTE eventually

Carey