
Maintain

Run the incremental job from GSH:

loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog");
loaderRunOneJob("CHANGE_LOG_consumer_pspng_activedirectory");

Run a full refresh from GSH (I think this works):

loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog");
loaderRunOneJob("PSP_FULL_SYNC.runAtStartup");

 

Mark a group or folder as provisionable to AD

Assign the provision_to attribute at the group or folder level, with the name of the AD provisioner configuration as its value.

Setup

At Penn we initially want to sync one Grouper group with one AD group. Later on we might want to sync more groups. We will use a flat namespace in AD.

In Grouper we have a group:

penn:isc:nandt:apps:vdi:vdiTechnicalUsers

In AD we have an OU for groups:

OU=Grouper,OU=LocalAuth,DC=kite-dev,DC=upenn,DC=edu

The group to go into AD should be:

CN=penn:isc:nandt:apps:vdi:vdiTechnicalUsers,OU=Grouper,OU=LocalAuth,DC=kite-dev,DC=upenn,DC=edu

We have the Grouper loader installed; we will install PSPNG inside it:

  1. Install PSPNG (copy its jars into the loader's lib directory)

    [appadmin@fasttest-mgmt-01 lib]$ pwd
    /opt/appserv/tomcat/apps/grouperWs/loader/lib
    [appadmin@fasttest-mgmt-01 lib]$ cp /tmp/grouper.pspng-2.3.0/lib/custom/* .
    [appadmin@fasttest-mgmt-01 lib]$ cp /tmp/grouper.pspng-2.3.0/dist/grouper-pspng-2.3.0.jar .
    [appadmin@fasttest-mgmt-01 lib]$ more /tmp/grouper.pspng-2.3.0/README.txt
  2. Patch PSPNG with the Grouper installer

    [appadmin@fasttest-mgmt-01 classes]$ cd /tmp
    [appadmin@fasttest-mgmt-01 tmp]$ mkdir installer
    [appadmin@fasttest-mgmt-01 tmp]$ cd installer/
    [appadmin@fasttest-mgmt-01 installer]$ wget http://software.internet2.edu/grouper/release/2.3.0/grouper.installer-2.3.0.tar.gz
    [appadmin@fasttest-mgmt-01 installer]$ tar xzf grouper.installer-2.3.0.tar.gz
    [appadmin@fasttest-mgmt-01 installer]$ cd grouper.installer-2.3.0
    [appadmin@fasttest-mgmt-01 grouper.installer-2.3.0]$ java -jar grouperInstaller.jar
    Do you want to 'install' a new installation of grouper, 'upgrade' an existing installation,
      'patch' an existing installation, or 'createPatch' for Grouper developers
      (enter: 'install', 'upgrade', 'patch', 'createPatch' or blank for the default) [install]: patch
    Enter in a Grouper temp directory to download tarballs (note: better if no spaces or special chars) [/tmp/installer/grouper.installer-2.3.0]:
    What do you want to patch?  api, ui, ws, pspng, or psp? [api]: pspng
    Where is the grouper PSPNG installed? /opt/appserv/tomcat/apps/grouperWs/loader/
  3. Note: the loader had to be upgraded from Java 6 to Java 7.

  4. Configure PSPNG (back up grouper-loader.properties first, then add the following)

    #note the URL should start with ldap: or ldaps: if it is SSL.
    #It should contain the server and port (optional if not default), and baseDn,
    #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
    ldap.pennKiteAd.url = ldaps://someServer.upenn.edu:636
    #optional, if authenticated
    ldap.pennKiteAd.user = someUserName
    #optional, if authenticated, note the password can be stored encrypted in an external file
    ldap.pennKiteAd.pass = ************

    ####################################
    ## PSPNG
    ####################################
    changeLog.consumer.pspng_activedirectory.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
    changeLog.consumer.pspng_activedirectory.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
    changeLog.consumer.pspng_activedirectory.quartzCron = 0 * * * * ?
    changeLog.consumer.pspng_activedirectory.ldapPoolName = pennKiteAd
    changeLog.consumer.pspng_activedirectory.memberAttributeName = member
    changeLog.consumer.pspng_activedirectory.memberAttributeValueFormat = ${ldapUser.getDn()}
    changeLog.consumer.pspng_activedirectory.groupSearchBaseDn = OU=Grouper,OU=LocalAuth,DC=kite-dev,DC=upenn,DC=edu
    changeLog.consumer.pspng_activedirectory.allGroupsSearchFilter = objectclass=group
    changeLog.consumer.pspng_activedirectory.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name}))
    changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group
    changeLog.consumer.pspng_activedirectory.userSearchBaseDn = DC=kite-dev,DC=upenn,DC=edu
    changeLog.consumer.pspng_activedirectory.userSearchFilter = employeeID=${subject.id}
    changeLog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,uid,mail,samAccountName, uidNumber,objectclass,employeeID
    changeLog.psp.fullSync.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter
    changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?
    # This happens in the background, so should usually be enabled, and should _definitely_
    # be enabled when new provisioners are added 
    changeLog.psp.fullSync.runAtStartup = true
  5. Test LDAP connectivity via GSH by running a simple filter that returns a string:

    edu.internet2.middleware.grouper.ldap.LdapSession.list(String.class, "pennKiteAd", "OU=UnivOfPennsylvania", LdapSearchScope.SUBTREE_SCOPE, "(CN=mchyzer)", "cn");
  6. Note: the PSPNG attributes (etc:pspng:provision_to and etc:pspng:do_not_provision_to) had to be created; this GSH script does that

    GrouperSession grouperSession = GrouperSession.startRootSession();
    long gshTotalObjectCount = 0L;
    long gshTotalChangeCount = 0L;
    long gshTotalErrorCount = 0L;

    // folder that holds the PSPNG management objects
    StemSave stemSave = new StemSave(grouperSession).assignName("etc:pspng").assignCreateParentStemsIfNotExist(true)
        .assignDescription("Location for pspng-management objects.").assignDisplayName("etc:pspng");
    Stem stem = stemSave.save();
    gshTotalObjectCount++;
    if (stemSave.getSaveResultType() != SaveResultType.NO_CHANGE) { System.out.println("Made change for stem: " + stem.getName()); gshTotalChangeCount++; }
    System.out.println(new Date() + " Done with folders, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
    System.out.println(new Date() + " Done with groups, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
    System.out.println(new Date() + " Done with composites, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);

    // attribute definitions (assignable to groups and folders, single string value)
    AttributeDefSave attributeDefSave = new AttributeDefSave(grouperSession).assignName("etc:pspng:do_not_provision_to_def")
        .assignCreateParentStemsIfNotExist(true).assignToGroup(true).assignToStem(true).assignAttributeDefType(AttributeDefType.type)
        .assignMultiAssignable(true).assignMultiValued(false).assignValueType(AttributeDefValueType.string);
    AttributeDef attributeDef = attributeDefSave.save();
    gshTotalObjectCount++;
    if (attributeDefSave.getSaveResultType() != SaveResultType.NO_CHANGE) { System.out.println("Made change for attributeDef: " + attributeDef.getName()); gshTotalChangeCount++; }
    attributeDefSave = new AttributeDefSave(grouperSession).assignName("etc:pspng:provision_to_def")
        .assignCreateParentStemsIfNotExist(true).assignToGroup(true).assignToStem(true).assignAttributeDefType(AttributeDefType.type)
        .assignMultiAssignable(true).assignMultiValued(false).assignValueType(AttributeDefValueType.string);
    attributeDef = attributeDefSave.save();
    gshTotalObjectCount++;
    if (attributeDefSave.getSaveResultType() != SaveResultType.NO_CHANGE) { System.out.println("Made change for attributeDef: " + attributeDef.getName()); gshTotalChangeCount++; }
    System.out.println(new Date() + " Done with attribute definitions, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
    System.out.println(new Date() + " Done with role hierarchies, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);

    // attribute actions: both definitions only need the default "assign" action
    attributeDef = AttributeDefFinder.findByName("etc:pspng:do_not_provision_to_def", false);
    if (attributeDef != null) {
      int changeCount = attributeDef.getAttributeDefActionDelegate().configureActionList("assign");
      gshTotalObjectCount += 1;
      if (changeCount > 0) { gshTotalChangeCount += changeCount; System.out.println("Made " + changeCount + " changes for actionList of attributeDef: etc:pspng:do_not_provision_to_def"); }
    } else { gshTotalErrorCount++; System.out.println("ERROR: cant find attributeDef: 'etc:pspng:do_not_provision_to_def'"); }
    attributeDef = AttributeDefFinder.findByName("etc:pspng:provision_to_def", false);
    if (attributeDef != null) {
      int changeCount = attributeDef.getAttributeDefActionDelegate().configureActionList("assign");
      gshTotalObjectCount += 1;
      if (changeCount > 0) { gshTotalChangeCount += changeCount; System.out.println("Made " + changeCount + " changes for actionList of attributeDef: etc:pspng:provision_to_def"); }
    } else { gshTotalErrorCount++; System.out.println("ERROR: cant find attributeDef: 'etc:pspng:provision_to_def'"); }
    System.out.println(new Date() + " Done with attribute actions, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
    System.out.println(new Date() + " Done with attribute action hierarchies, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);

    // grant GrouperSystem stem admin on the etc:pspng folder
    Subject subject = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", false);
    if (subject == null) { gshTotalErrorCount++; System.out.println("Error: cant find subject: g:isa: GrouperSystem"); }
    Privilege privilege = Privilege.listToPriv("stemAdmins", false);
    stem = StemFinder.findByName(grouperSession, "etc:pspng", false);
    if (privilege != null && subject != null) {
      if (stem != null) {
        boolean changed = stem.grantPriv(subject, privilege, false);
        gshTotalObjectCount++;
        if (changed) { gshTotalChangeCount++; System.out.println("Made change for stem privilege: " + stem.getName() + ", privilege: " + privilege + ", subject: " + GrouperUtil.subjectToString(subject)); }
      } else { gshTotalErrorCount++; System.out.println("ERROR: cant find stem: 'etc:pspng'"); }
    }
    System.out.println(new Date() + " Done with memberships and privileges, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);

    // attribute names that are actually assigned to groups/folders
    attributeDef = AttributeDefFinder.findByName("etc:pspng:do_not_provision_to_def", false);
    if (attributeDef != null) {
      AttributeDefNameSave attributeDefNameSave = new AttributeDefNameSave(grouperSession, attributeDef).assignName("etc:pspng:do_not_provision_to")
          .assignCreateParentStemsIfNotExist(true)
          .assignDescription("Defines what provisioners should not process a group or groups within a folder. Since the default is already for provisioners to not provision any groups, this attribute is to override a provision_to attribute set on an ancestor folder.")
          .assignDisplayName("etc:pspng:do_not_provision_to");
      AttributeDefName attributeDefName = attributeDefNameSave.save();
      gshTotalObjectCount++;
      if (attributeDefNameSave.getSaveResultType() != SaveResultType.NO_CHANGE) { gshTotalChangeCount++; System.out.println("Made change for attributeDefName: " + attributeDefName.getName()); }
    } else { gshTotalErrorCount++; System.out.println("ERROR: cant find attributeDef: 'etc:pspng:do_not_provision_to_def'"); }
    attributeDef = AttributeDefFinder.findByName("etc:pspng:provision_to_def", false);
    if (attributeDef != null) {
      AttributeDefNameSave attributeDefNameSave = new AttributeDefNameSave(grouperSession, attributeDef).assignName("etc:pspng:provision_to")
          .assignCreateParentStemsIfNotExist(true)
          .assignDescription("Defines what provisioners should process a group or groups within a folder")
          .assignDisplayName("etc:pspng:provision_to");
      AttributeDefName attributeDefName = attributeDefNameSave.save();
      gshTotalObjectCount++;
      if (attributeDefNameSave.getSaveResultType() != SaveResultType.NO_CHANGE) { gshTotalChangeCount++; System.out.println("Made change for attributeDefName: " + attributeDefName.getName()); }
    } else { gshTotalErrorCount++; System.out.println("ERROR: cant find attributeDef: 'etc:pspng:provision_to_def'"); }
    System.out.println(new Date() + " Done with attribute names, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
    System.out.println(new Date() + " Done with attribute name hierarchies, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
    System.out.println(new Date() + " Done with attribute definition scopes, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
    Set attributeAssignIdsAlreadyUsed = new HashSet();
    System.out.println(new Date() + " Script complete: total objects, objects: " + gshTotalObjectCount + ", expected approx total: 8, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
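The following Python is an added example, not PSPNG's or Penn's own code. It renders the page's singleGroupSearchFilter and groupCreationLdifTemplate for a Grouper group name, assuming that `||` in the template separates LDIF lines and that values substituted for ${group.name} are escaped per RFC 4514 (DN) and RFC 4515 (filter); whether PSPNG itself escapes these is not covered on this page, so the example shows what a group name containing `*`, `(`, `,` or `\` must look like to leave the filter and DN intact.

```python
# Added example (not PSPNG's or Penn's code): render the page's PSPNG LDAP
# templates for a Grouper group name. Assumptions: '||' in
# groupCreationLdifTemplate separates LDIF lines, and values substituted for
# ${group.name} are escaped per RFC 4514 (DNs) / RFC 4515 (filters).

GROUP_SEARCH_BASE = "OU=Grouper,OU=LocalAuth,DC=kite-dev,DC=upenn,DC=edu"
SINGLE_GROUP_FILTER = "(&(objectclass=group)(cn=${group.name}))"
GROUP_LDIF_TEMPLATE = "dn: cn=${group.name}||cn: ${group.name}||objectclass: group"


def escape_dn_value(value):
    """RFC 4514: escape an attribute value that is placed inside a DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """RFC 4515: escape an assertion value placed inside a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_ldif(group_name):
    """LDIF lines the template yields for a new group (dn is relative to the base)."""
    rendered = GROUP_LDIF_TEMPLATE.replace("${group.name}", escape_dn_value(group_name))
    return rendered.split("||")


def group_dn(group_name):
    """Full DN of the AD group: the template's dn line under groupSearchBaseDn."""
    dn_line = group_ldif(group_name)[0]
    assert dn_line.startswith("dn: ")
    return dn_line[len("dn: "):] + "," + GROUP_SEARCH_BASE


def group_filter(group_name):
    """singleGroupSearchFilter for the group, with filter metacharacters escaped."""
    return SINGLE_GROUP_FILTER.replace("${group.name}", escape_filter_value(group_name))


if __name__ == "__main__":
    # the page's group plus a constructed name with metacharacters
    for name in ("penn:isc:nandt:apps:vdi:vdiTechnicalUsers", "test:a*b,c"):
        print(group_dn(name))
        print(group_filter(name))
```

Attribute types in a DN are case-insensitive, so the `cn=` the template produces matches the `CN=` form shown earlier on the page.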