Child pages
  • 30-Sept-2020
Skip to end of metadata
Go to start of metadata



  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Jeff Williams - University of North Carolina Greensboro

  • Emily Eisbruch, Internet2

Intellectual Property reminder:

 Grouper Action Items are here  

New Action Items

  •  AI Jeffrey work on GRP 2343 and commit patch, there is a code proposal in comments
  •  AI Chad - look at GRP-2968 ArithmeticException (after Grouper training in October)
  •  AI Shilen -  start a wiki about Shib and Grouper and container, document what people should do.  Explain what files go in what directories
  • AI Chad create JIRA around adding filters for CAS, add web XML filters and then dynamic filters   
  • AI  Vivek  Revisit rules documentation , it’s not clear enough  (after provisioning work is complete)


  1. Administrivia

Grouper Training

Grouper School Oct 13-16, 2020

  • A virtual class, spanning 4 half days  
  • Chris and Chad are the trainers
  • Chad being sure modules work and make sense
  • Chris recording 101  videos and getting them into Canvas
  • Next week, get container spun up
  • Then students are to do 10 hours of prework for training
  • Will leave more time during training
  • For next training, will collect thoughts on the content
  • Tasks that people need to do
  • Hope for a new list of what is highly relevant to cover
  • Chad: could improve material on grace periods , there’s a 201 module on recent grads and it will need constant updates 

 Internet2 TechEx  Tuesday Oct 6,  be sure to register (no charge)

  •  “Science at the Speed of Infection: NIH Responds to the Pandemic with Academic Researchers," will be presented by Andrea Norris, Chief Information Officer of the National Institutes of Health and Mike Tartakovsky, Chief Information Officer of the National Institute of Allergy and Infectious Diseases and Director Office of Cyber Infrastructure and Computational Biology, and will focus on research challenges in the era of the pandemic. 

 Current Work

Provisioning work, Chris, Vivek and Shilen

  • Test to simulate LDAP use case , challenges with workflow and order of the updates
  • Challenge identifying which attributes are being read, inserted
  • Type of attributes, compares
  • Confusing , issues around empty values for attributes
  • Can still use translation scripts
  • Take a field or an attribute, from an attribute map,
  • Target representation of the object
  • Can also configure all the attributes or fields and put settings on the attributes, will be managed thru the UI
  • To make the UI work, you first say how many you are going to have (for groups 6 attributes, for example)
  • With configs you say what value type  
  • Are there things we should add to the attribute config?
  • Can have entity attributes, from an entity link
  • Test cases work
  • Chris has been focusing on the logging, there is a logging switch  per provisioner
  • One log output at the end so everything is in one place
  • There are configuration features to help with support
  • DAO , perhaps add reflection
  • Provisioner behaviors class, you don’t have to do much with it
  • SQL group attributes
  • Provisioner can tell framework what it should be doing as opposed to what it can do
  • Will translate groups and entities to the target format. For SQL need an ID field, DN and GID number
  • Then can get target ID
  • Carey: special case for LDAP
    • Need member attribute for create
    • Some LDAPs take Null value
  • Print out action that DAO is going to receive
  • Translating the memberships
  • Shilen: before, needed to remove membership object  when removing group object
  • Chris: Next Steps: Look at each part of the framework, which part in LDAP or SQL, for example search attributes, maybe not needed
  • Looking at behaviors and perhaps fleshing them out
  • Shilen: Added to behaviors to get LDAP test to work
  • Chris: the way behaviors are intended to work is all fields are upper case booleans, 
  • If a user sets something we use it, otherwise make assumptions.
  • Trying to only print out things that are configured
  • Add more test cases 
  • Chris will schedule a meeting with Shilen and Vivek
  • Shilen: testing has been full syncs, what is situation w incremental syncs?
  • Chris: perhaps went down wrong path, lot of code in ESB change log handler 
  • Does things like gets sync objects, converts things to full sync
  • We are limited with that set up , forced to use the change log
  • Chris will take this work and put it in the incremental provisioner framework  code
  • So if things come in thru events or otherwise could still batch things up and filter
  • It works now
  • In ideal world, would refactor the logic to go into the provisioner. May need to wait to do this
  • Ideally grouper provisioner framework knows what must happen,
  • Takes metadata and decides whether to provision, if a group sync can be done
  • Provisioning framework will do the logic and handle in a consistent way
  • Not much to do with real time, but need to refactor
  • Code is pretty well organized and that will help with the real time


  • Updating the LDAP DAO, adding more methods
  • Plan to continue that and other provisioning work


 Issue Roundup

JIRAs in past 2 weeks

AI Jeffrey work on GRP 2343 and commit patch, there is a code proposal in comments

Grouper WIKI updates in past 2 weeks

Grouper Slack in past 2 weeks

Jeffrey  It seems like when searching for entities, using a comma ',' has some sort of special meaning. Most of our records are stored like "LASTNAME, FIRST I." but it seems to split the search when using a coma in the search. Is there a way. to turn that off?

Keith Hazelton Is Spaces Wiki the home of the most current version of the Grouper Deployment Guide?

Lacey  Is it possible to assign an attribute to a group as part of a loader job, similar to the metadata on groups option in SQL_GROUP_LIST?

Richard F - get the description of a group/stem to render effectively newlines

Erik  In my message queue testing, I have an ActiveMQ node running with the Grouper Client installed.  What part am I missing to actually make the client pull changelog events from Grouper itself and create messages on the ActiveMQ side?

Marwan How do you deal with loader groups from a source (let’s say AD) that have been nested into Grouper groups, when the source group gets renamed/deleted/moved at the source?  

Marwan   Does anyone assign a unique identifier attribute to groups created outside of Grouper and let Grouper load the groups based on that attribute?  

Jeffrey C  Question about I was testing this but updating a group that doesn't impact any provisioning against our LDAP. we were averaging around 550 records processed per min.

Erik C    is there a   Lite method to check a group membership by subjectIdentifier?  

Zachary    I have some classes that I want to package separately and drop in the container alongside the existing jars.  

Chris   Grouper Training is right around the corner: Oct 13-16.   

Carey Question about the UI and adding config values via the UI.

    Just starting to kick the tires on 2.5.35


Josh   I am still having an issue in UI v2.5, concerning loader config...

 Josh in my Dockerfile( which is in /opt/grouperContainer/ on the host), I have

COPY slashRoot /

....yet even though I have a slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/ file that I have modified to tune certain loggers, the file is NOT being copied in the container, to /opt/grouper/grouperWebapp/WEB-INF/classes/  Instead my mods ARE showing up in the container, in /opt/grouper/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/ (edited) 


Chris  I updated this page about customizing grouper config files... comments welcome

Carey  Seeking community input/comments/watches/( up or down) votes for :

 Attestation should optionally disable groups that are not attested after a grace period (GRP-2965)

Feel free to discuss here in Slack or on the GRP.

Carey   Seeking community input/comments/watches/( up or down) votes for :

 Attestation should optionally disable Memberships that are not attested after a grace period (GRP-2965)

Lacey Any idea what would cause a large amount of these INFO messages in the daemon logs? 

Richard   Is there a way to get attestation messages to only go to members of a certain group instead of all of the admin/update users?   

Chris   In order to make upgrades easier and to make sure steps arent missed, the release notes now does not have the upgrade instructions from v2.5.X container version to v2.5.Y.  The upgrade steps are captured here:

Also, the Grouper team will spend more effort trying to automate upgrade steps or have ways to log errors when things are incorrect to make things more foolproof and easier to upgrade.  Feel free to edit that wiki to make things easier for others.

Feedback welcome.  Thanks!

Shilen  Is the grouper report error here a known issue?


Jeffrey  Grouper 2.4.  Had a full-sync job that I wanted to stop, so I did the following …..:

they seem to not do anything after loading for at least 5 -10 minutes.  Blew out the old containers and started fresh ones, not seeing any changes to grouper_qz_triggers.    the daemons don't seem to be processing anything.   

Kevin R Has anyone configured mod-auth-openidc in apache for authn in grouper?

Jeffrey - trying to utilize the grouper-ws/status?diagnosticType=db link to inform a load balancer that a node is up or not.  

Erin  - last call for Grouper Training

Chris  - documented some of Penn's Zoom access management with Grouper.  If people are interested I can put more info up there, or if there are specific parts let me know and I can elaborate:

Next Grouper Call: Wed. Oct. 14, 2020


  • No labels