Grouper Developers Forum

[Arnaud Deman <>]

oops , sorry I have forgotten the adresse of the liste in the previous 
message...

--

Arnaud Deman - Développeur
GIP RECIA
Parc d'activités les Aulnaies
151 rue de la Juine - 45160 OLIVET
Tel : 02 38 42 79 60 - Fax : 02 38 42 79 70

--- Begin Message ---

• From: Arnaud Deman <>
• To: "GW Brown, Information Systems and Computing" <>,
• Subject: Re: [grouper-dev] Re: [grouper-users] Dynamics groups in grouper
• Date: Wed, 20 Feb 2008 15:43:11 +0100
• Organization: GIP RECIA

GW Brown, Information Systems and Computing a écrit :

Hi Arnaud,

One of the major features of Grouper is that all group memberships are `flattened` in the database so that complex nesting and group math do not need to be calculated at run time. A `dynamic` group would pose problems in Grouper because you could not work out the indirect memberships if you tried to make it a member of another group.

Yes, I haven't seen it and after few tests and a look at the tables I think I undestand.

What you could have is a loader which examines all subjects and applies a set of rules to assign them to static groups. How often you need to run the loader would depend on how often attributes change. Ideally the loader would be able to query for subjects which had actually changed since the last run.

I don't think we could use this approach because of the size of ou information system: we intend to deploy the portal for hundreds of schools (may be 200 or 300) and I don't if there is a way to determine the changes between two runs (I would say there isn't).

Another approach would be for Grouper to have a `dynamic` type, which would prevent that Group from being used for membership calculations - or as a subject for privilege assignment, but which could be provisioned to LDAP where it could be represented as a dynamic group. However, this would likely be a big change to the API and make it more difficult for client code.

This approach might be appropriate to our problem. In fact my idea was the following :


1 - add search entries in the Subject API configuration, one for each kind of dynamic group.
for exemple :
(...)
<search>
<searchType>esco-pags.ElevesParEnseignement</searchType>
<param>
<param-name>filter</param-name>
<param-value>(&amp; (ENTEleveEnseignements=%TERM%)(objectclass=inetOrgPerson))</param-value>
</param>
<param>
<param-name>scope</param-name>
<param-value>ONELEVEL_SCOPE </param-value>
</param>
<param>
<param-name>base</param-name>
<param-value>ou=people,dc=esco-centre,dc=fr</param-value></param>
</search>
(...)
2 - Extends the JNDISourceAdapter to be able to use these Search instances, with
a method like : Set search(final String searchType, String searchValue)

3 - Use a custom Group type whith 3 fields, to specify i) the source, ii) the Search type, iii) the criteria.

4 - Use the Aspect oriented programmation to extends some methods of the Group class.
The responsability of the aspect would be to compute, for this custom groups, the memberships associated to the criteria
and to add them to those returned by the Group method.
Additionaly to adress the problem of indirect memberships you have hilighted, it could compute the memberships to the sub groups. For this point I think we would have to assume that a dynamic group can only be a member of another dynamic group.


To see if this is not completly unrealistic I am trying it on the method :
Set getImmediateMemberships(Field);

Currently I am finishing the point 4 and I have also to see if it is possible to handle the indirect memberships...

Do you think this could work ?

Regards Arnaud.

I have CC`ed this response to the dev list so we can carry on the discussion there.

Gary

--On 20 February 2008 11:54 +0100 Arnaud Deman <> wrote:

Hi Gary,

Thanks for your quick answer.

This mix was our first idea but now we as the uPortal applications
(Moodle for instance) access the groups via LDAP we would like to have
also the PAGS groups in our LDAP. The second point is that we are
thinking about using Grouper as the group manager of the whole
information system and not only for uPortal. The fact that we can't list
the members of PAGS groups can also be a problem.

I think I will try to write an extension of Grouper to handle this kind
of groups. I don't know if someone else could be Interested by this.
I may switch the the grouper devel list to ask the question.

Have a good day,
Arnaud.




GW Brown, Information Systems and Computing a écrit :

Hi Arnaud,

Grouper does not support dynamic groups. You can, however, mix and
match group stores in uPortal so you should be able to use a
combination of PAGS (Person Attribute Group Store) for dynamic groups
and Grouper for static groups.

Gary

----------------------
GW Brown, Information Systems and Computing

--

Arnaud Deman - Développeur
GIP RECIA
Parc d'activités les Aulnaies
151 rue de la Juine - 45160 OLIVET
Tel : 02 38 42 79 60 - Fax : 02 38 42 79 70




--- End Message ---