Grouper Developers Forum

[John Ballem <>]

I was wondering how folks are intending on handling some basic 
provisioning issues.
Especially as we have many of the same issues on both the loader and 
connector sides.
For example.


1) Is anyone concerned with latency?
  Is a 24 hour turnaround sufficient for a group membership or not?
  Or are more real time updates a requirement. Message queue requests 
perhaps.

2) What would you consider the smallest unit of update in such a system?
    For example, subject, group, subtree or acl updates, or all/any of 
the above.

3) What do you perceive as the flow of business rules?
    For example, is there to be a signet rule to provision a certain 
department?


4) Ldap group access acls. Here at Brown we only use two methods 
'ismember' and 'members'.
    Is that to be controlled by application or more broader ldap bind 
administrative accounts.

5) As related to #3 how to we turn on ldap group population.  Signet or 
another gui.
   Should there be a push process that populates on demand as in #1.
   Is anyone intending on using dynamic groups such as iplanet, client 
considerations.

6) Groups DIT naming.
   Organization uniqueness or federated uniqueness?
   Are folks planning on aggregating groups bases on client 
considerations or access.
   So a group branch that is populated with unique dn's for use by lists.
   What about groups that may do lookups on login string or username?


7) Any pitfalls encountered already such as AD group membership exceeded.

These questions are a concern (for me) as 0.6 is nearing release.

Thanks,

-jpb