grouper-dev - RE: [grouper-dev] Grouper 1.2.0 in production at Brown

Subject: Grouper Developers Forum

  • From: "Cramton, James"
  • To: "Joy Veronneau", "Grouper Dev"
  • Subject: RE: [grouper-dev] Grouper 1.2.0 in production at Brown
  • Date: Tue, 4 Sep 2007 09:59:26 -0400

We're thinking of writing a scrubber script that would remove any group
members that are not active in the person registry. For our provisioned
groups, this is already handled, but our population of non-provisioned
groups will grow as Grouper is used more extensively, and these ad-hoc
groups will need to be cleaned up under current design. It would be nice
if Grouper did this cleanup natively. We'll be looking into this issue
in more detail during the coming semester.

James

-----Original Message-----
From: Joy Veronneau
Sent: Tuesday, September 04, 2007 9:39 AM
To: Grouper Dev
Subject: Re: [grouper-dev] Grouper 1.2.0 in production at Brown


Hi,

We will have this same problem at Cornell (group members who get
removed from the directory and then can't be deleted from a group.)
Our applicants will also be members of at least one group. In addition,
we have employees in our ldap directory who are deleted twice a year as
they leave Cornell. While we could try to remember to delete people
from groups before we remove them from the directory, I suspect that
won't always happen.

Thanks,

Joy

> It's worth noting, however, that we encountered an architectural issue
> under the jndi person registry that we avoid by the design of our sql
> person registry. We saw java exceptions in Grouper for groups that
> referenced person objects that have been purged from our LDAP
> directory. It seems the subject API needs to instantiate the subject
> before it can remove a member of a group. But if the subject does not
> exist in the directory, Grouper produces a runtime exception when it
> tries to instantiate the subject. We get around this with our sql
> person registry by never deleting people from our sql registry, even
> if they are deleted from our LDAP registry. We simply change their
> status in the sql registry whenever it changes in the LDAP directory,
> so the last known status of a deleted LDAP user is typically "deleted"
> in our sql registry. For the time being, this is acceptable, but with
> each passing year, our person registry will grow by 40,000 people
> (mostly deleted applicants). We would prefer to use our LDAP registry
> as our person source in Grouper, but before we can realistically use
> an LDAP person source, we will need a means of deleting people from a
> group if the person object does not exist in the directory.
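
The scrubber idea discussed in this thread, as an added example that is not part of the original messages and is not Grouper code: it removes memberships from non-provisioned groups when the member is missing from the person registry or not active, deleting by the stored subject id so the subject never has to be resolved. The tables, columns and sample rows are hypothetical and constructed for illustration; they are not Grouper's schema.

```python
import sqlite3

def build_sample_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person(subject_id TEXT PRIMARY KEY, status TEXT NOT NULL);
        CREATE TABLE grp(name TEXT PRIMARY KEY, provisioned INTEGER NOT NULL);
        CREATE TABLE membership(grp TEXT NOT NULL, subject_id TEXT NOT NULL,
                                PRIMARY KEY (grp, subject_id));
        INSERT INTO person VALUES ('alice','active'), ('bob','deleted');
        INSERT INTO grp VALUES ('adhoc:chess', 0), ('prov:staff', 1);
        INSERT INTO membership VALUES
            ('adhoc:chess','alice'), ('adhoc:chess','bob'),
            ('adhoc:chess','carol'),   -- carol was purged from the registry
            ('prov:staff','bob');      -- provisioned group: handled elsewhere
    """)
    return db

def scrub(db, dry_run=True):
    """Return [(group, subject_id, reason)] for stale memberships in
    non-provisioned groups; delete them unless dry_run is set."""
    stale = db.execute("""
        SELECT m.grp, m.subject_id, COALESCE(p.status, 'missing')
        FROM membership m
        JOIN grp g ON g.name = m.grp AND g.provisioned = 0
        LEFT JOIN person p ON p.subject_id = m.subject_id
        WHERE p.subject_id IS NULL OR p.status <> 'active'
        ORDER BY m.grp, m.subject_id
    """).fetchall()
    if not dry_run:
        # Delete by stored key only: the subject is never resolved, so a
        # purged person cannot cause a lookup failure here.
        with db:
            db.executemany(
                "DELETE FROM membership WHERE grp = ? AND subject_id = ?",
                [(g, s) for g, s, _ in stale])
    return stale

if __name__ == "__main__":
    db = build_sample_db()
    for row in scrub(db, dry_run=False):
        print("removed", row)
```

Running with `dry_run=True` first gives a reviewable list of what would be removed and why before any membership is changed.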



