grouper-dev - some provisioning questions
Subject: Grouper Developers Forum
- From: John Ballem <>
- Subject: some provisioning questions
- Date: Mon, 12 Sep 2005 10:59:43 -0400
I was wondering how folks are intending on handling some basic provisioning issues.
Especially as we have many of the same issues on both the loader and connector sides.
1) Is anyone concerned with latency?
Is a 24 hour turnaround sufficient for a group membership or not?
Or are more real time updates a requirement. Message queue requests perhaps.
2) What would you consider the smallest unit of update in such a system?
For example, subject, group, subtree or acl updates, or all/any of the above.
3) What do you perceive as the flow of business rules?
For example, is there to be a signet rule to provision a certain department?
4) Ldap group access acls. Here at Brown we only use two methods 'ismember' and 'members'.
Is that to be controlled by application or more broader ldap bind administrative accounts.
5) As related to #3 how to we turn on ldap group population. Signet or another gui.
Should there be a push process that populates on demand as in #1.
Is anyone intending on using dynamic groups such as iplanet, client considerations.
6) Groups DIT naming.
Organization uniqueness or federated uniqueness?
Are folks planning on aggregating groups bases on client considerations or access.
So a group branch that is populated with unique dn's for use by lists.
What about groups that may do lookups on login string or username?
7) Any pitfalls encountered already such as AD group membership exceeded.
These questions are a concern (for me) as 0.6 is nearing release.
- some provisioning questions, John Ballem, 09/12/2005
- Re: [grouper-dev] some provisioning questions, Tom Barton, 09/12/2005
Archive powered by MHonArc 2.6.16.