Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] ldappc provisioning permission infomation about groups

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] ldappc provisioning permission infomation about groups

Chronological Thread 
  • From: Tom Barton <>
  • To: Allen Chen <>
  • Cc: grouper-dev <>, Grouper Users <>
  • Subject: Re: [grouper-dev] ldappc provisioning permission infomation about groups
  • Date: Sat, 29 Dec 2007 11:10:31 -0600

<CCing grouper-users, where this question best belongs.>

Ldappc provisions permissions for all subject types using the same LDAP
schema, so to use the stored-as=string method you'll need to endow your
LDAP group entries with an appropriate objectclass (like eduPerson). If
I recall correctly, if you declare a 'string-object-class' value, then
ldappc will attempt to add that value to the entry's 'objectclass'
attribute if it is missing. If so, then you can use an auxiliary
objectclass containing a permissions-listing attribute (like eduPerson
containing eduPersonEntitlement) so that subjects' LDAP entries need
have no prior permissions-related objectclass.


Allen Chen wrote:
> I have a question, if I authorize a group some privileges, how can I
> provision the permission infomation about the group to ldap?
> The following configuration is copied from comanage recommended config:
> <signet>
> <permissions-listing stored-as="string"
> string-object-class="eduPerson"
> string-attribute="eduPersonEntitlement"
> string-prefix="" />
> <permissions-queries>
> <subsystem-queries>
> <subsystem-list>
> <subsystem id="i2nlr" />
> </subsystem-list>
> </subsystem-queries>
> <!--
> <function-queries>
> <function-list>
> <function id="" />
> </function-list>
> </function-queries>
> -->
> </permissions-queries>
> </signet>
> But if I want to deal with the permission of a group, what's the
> correct configuration?
> I know the group in signet is also treated as a
> subject. Should those attributes in ldappc.xml be changed? Such as
> string-object-class, string-attribute?
> And since I haven't succeed in provisioning groups permission into
> LDAP, I want to know how permission of a group present in LDAP? Is the
> permission of group in the attrbutes of the group entry?

Archive powered by MHonArc 2.6.16.

Top of Page