
grouper-dev - Re: [grouper-dev] ldappc provisioning permission information about groups

Subject: Grouper Developers Forum

  • From: Tom Barton <>
  • To: Allen Chen <>
  • Cc: grouper-dev <>, Grouper Users <>
  • Subject: Re: [grouper-dev] ldappc provisioning permission information about groups
  • Date: Sat, 29 Dec 2007 11:10:31 -0600

<CCing grouper-users, where this question best belongs.>

Ldappc provisions permissions for all subject types using the same LDAP
schema, so to use the stored-as=string method you'll need to endow your
LDAP group entries with an appropriate objectclass (like eduPerson). If
I recall correctly, if you declare a 'string-object-class' value, then
ldappc will attempt to add that value to the entry's 'objectclass'
attribute if it is missing. If so, then you can use an auxiliary
objectclass containing a permissions-listing attribute (like eduPerson
containing eduPersonEntitlement) so that subjects' LDAP entries need
have no prior permissions-related objectclass.

Tom

Allen Chen wrote:
> I have a question: if I authorize a group some privileges, how can I
> provision the permission information about the group to LDAP?
>
> The following configuration is copied from comanage recommended config:
> <signet>
>   <permissions-listing stored-as="string"
>       string-object-class="eduPerson"
>       string-attribute="eduPersonEntitlement"
>       string-prefix="urn:mace:internet2-nlr.edu:permission" />
>   <permissions-queries>
>     <subsystem-queries>
>       <subsystem-list>
>         <subsystem id="i2nlr" />
>       </subsystem-list>
>     </subsystem-queries>
>     <!--
>     <function-queries>
>       <function-list>
>         <function id="" />
>       </function-list>
>     </function-queries>
>     -->
>   </permissions-queries>
> </signet>
>
> But if I want to deal with the permission of a group, what's the
> correct configuration?
> I know the group in signet is also treated as a
> subject. Should those attributes in ldappc.xml be changed? Such as
> string-object-class, string-attribute?
>
> And since I haven't succeeded in provisioning group permissions into
> LDAP, I want to know how the permission of a group is presented in LDAP.
> Is the permission of the group in the attributes of the group entry?
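
Added example, not part of the original message and not ldappc code: a sketch of the change the reply describes, where a group entry gains the auxiliary objectclass if it is missing and then the permission attribute. The function names, the sample DN and entry, and the suffix after the string-prefix are constructed assumptions; only the objectclass, attribute and prefix come from the quoted configuration.

```python
# Added illustration, not ldappc code. Names and sample data are constructed.
PREFIX = "urn:mace:internet2-nlr.edu:permission"  # string-prefix from the quoted config
SAMPLE_VALUE = PREFIX + ":constructed-sample"     # suffix format is an assumption

# Constructed group entry that carries no permissions-related objectclass yet.
GROUP_DN = "cn=staff,ou=groups,dc=example,dc=edu"
GROUP = {"objectClass": ["top", "groupOfNames"], "cn": ["staff"],
         "member": ["uid=user1,ou=people,dc=example,dc=edu"]}


def plan_modifications(entry, object_class, attribute, values):
    """Return (op, attr, [values]) tuples needed to store `values` on `entry`.

    entry maps attribute names to lists of strings, as read from the directory.
    Attribute names and objectClass values are compared case-insensitively.
    """
    current = {name.lower(): vals for name, vals in entry.items()}
    mods = []
    have_classes = {c.lower() for c in current.get("objectclass", [])}
    if object_class.lower() not in have_classes:
        # The entry must carry a class that allows the permission attribute.
        mods.append(("add", "objectClass", [object_class]))
    present = set(current.get(attribute.lower(), []))
    missing = [v for v in values if v not in present]
    if missing:
        # Add only values not already stored, so a re-run is a no-op.
        mods.append(("add", attribute, missing))
    return mods


def to_ldif(dn, mods):
    """Render the planned modifications as one LDIF 'changetype: modify' record."""
    if not mods:
        return ""
    lines = ["dn: " + dn, "changetype: modify"]
    for op, attr, vals in mods:
        lines.append(op + ": " + attr)
        lines.extend(attr + ": " + v for v in vals)
        lines.append("-")  # terminator after each modification
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = plan_modifications(GROUP, "eduPerson", "eduPersonEntitlement",
                              [SAMPLE_VALUE])
    print(to_ldif(GROUP_DN, plan))
```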




