No more patches, no more confusing upgrades, no more inconsistent environments, no more lengthy installsContainer redesign One servlet container, easier mounts, one directory structure, fewer processes, maven build, matchless Grouper installer installs container Grouper installer wizard walks through running Grouper in container Improve pagination in Is Cursor based paging allows fewer memory problems and paging which does not skip records Gantt chart for jobs See when jobs have executed, job overlap, how long jobs take, success or error Add new web services Get audit log Web Serviced point in time options for Is get members, get groups, group save, get memberships Attributes on memberships in UI Allow direct and indirect attributes on memberships in UI (see JIRA). See wiki documentation here Is and UI authentication Basic auth stored in database.
Grouper implementer are urged and welcome to subscribe to the following email lists: Grouper -Announce mailing list, for important announcements around security and releases.
Grouper -Users mailing list, which is an open support forum for deployment issues. Grouper -Developers mailing list, for those interested in discussion of development issues.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF). Provisioning's job is to reflect Groups and their Memberships in other systems.
Detected changes in Grouper via the change log are picked by PS PNG and evaluated for provisioning operations selectively. Over the years, dozens of provisioners have been created -- some focused on a single destination type and others with some generic functionality combined with a very wide variety of options and capabilities.
Starting in 2014, the Grouper Team and Users concluded that the provisioning priorities should change: less flexibility and increased simplicity and performance. PS PNG's Configuration is done via the cone/ grouper -loader.properties file, in the grouper API Binary, with a paragraph for each provisioning destination, as well as an additional paragraph that enables and configures Fully operation.
TrueTrue: the values of the attributes listed in attributesUsedInGroupSelectionExpression are the provisioner names. False: The attributes listed in attributesUsedInGroupSelectionExpression have different values than the provisioner.
Fully: Wait a bit before retrying a group that has failed. This prevents aggressive infinite loops.1 second pause before retrying a failed group.
Jell expression that refers to stem_attributes, group_attributes, or Groupon to find users in the Target System? This is small to avoid problems by default. Break the results of a large query into fairly tiny chunks.
Deprecated: use the more general targetSystemUserCacheSize. How many LDAP accounts can be kept in memory at a time, indexed by the Subject mapped to them? This is appended to the DN attribute produced by the userCreationLdifTemplate.userCreationLdifTemplatenullWarning: Grouper PS PNG is not a good provisioner for Accounts/Subjects.
What attribute represents a group's members in the Target System? Active Directory should just work. What value (typically based on Subject or TargetSystemUser information) is written into the memberAttributeName attribute of groups? Active Directory and GroupOfUniqueNames will typically work.
The DN of the LDIF will be combined with groupCreationBaseDn>For AD, limit to less than 1024 if sending description, like this: At group-creation time, this is appended to the DN that results from the groupCreationLdifTemplate. Groups are created starting at the top of the search Based.
If set to TRUE, groups under groupCreationBaseDn that are not in Grouper will be removed at the end of a full sync. During full syncs, groups are not removed if they do not match the allGroupsSearchFilter or groupSelectionExpression. This should not include the attribute which holds the group's members. Support common, basic singleGroupSearchFilters.
What values of the attribute is grouper authoritative for during a full sync? Null (default) or empty means that using will only process removals as memberships change, and won't clean up unknown attribute values. Warning: Grouper should have full control over the target attribute to avoid complications that come from sharing attributes with multiple provisioning tools.
This will return the full grouper “name” for the group that is part of the event.folder:folder:Folder:GroupDisplayName Where Active Directory is the target environment, make sure you are pointing to a FQDN with active/standby load balancing or to a primary node.
Other forms of load balancing can lead to inconsistent results or AD conflict CNF objects. At this time, the LDAP bindCredential cannot be encrypted via the Grouper morph string.
To learn more about what other LDAP properties are available, one simple example can be found here. Moving into more realistic examples will probably be helped by looking at the adaptive configuration classes and the setters available within them: connections, pooling, binding (sail, SSAP, x509, JCS, etc).
You may also wish to take a look at GRP-1306 to learn more about the differences between trap (the previously used LDAP library) vs adaptive. The groupSelectionExpression can be modified to look at different group characteristics or group/folder attributes.
These attribute definitions are auto-created by Grouper the very first time PS PNG runs. These attributes need to be assigned to Groups or Folders via the Lite UI.
More actions button (upper right corner of the working area) Attribute assignments (menu item) The value of the attribute MUST match the provisioner name that is defined in the grouper -loader.properties configuration (i.e. pspng_groupOfUniqueNames).
NOTE: PS PNG will evaluate whether a group or stem/folder qualifies for provisioning by running the group-selecting filter as a Jell expression. The expression is able to process and evaluate attribute definitions on a given group/folder and returns true/false to indicate whether PS PNG should continue with downstream provisioning.
And, even if all you need is name, username, and email address (which are probably in your subject mappings), you'll still run into problem (1) where Grouper offers no mechanism to update name and email address when they change in your subject source. In the background of PS PNG, there is always a full-sync-provisioning engine running which is automatically used when incremental provisioning finds conflicting changes or otherwise is unable to handle the change log events.
The full-sync items in grouper -loader.properties do not alter/configure the background engine but instead define quartz jobs that send all the groups marked for provisioning into the queues that drive the full-sync engine. Additionally, if a provisioner is “authoritative” (changeling.consumer.