Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] Grouper and Active Directory?

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] Grouper and Active Directory?


Chronological Thread 
  • From: Tom Zeller <>
  • To: Joy Veronneau <>, Grouper Dev <>, Grouper Users <>
  • Subject: Re: [grouper-dev] Grouper and Active Directory?
  • Date: Wed, 20 Feb 2008 12:53:46 -0600
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:from:to:in-reply-to:content-type:content-transfer-encoding:mime-version:subject:date:references:x-mailer:sender; b=lF9ts02gRN/UEhn0kU/4grMiLWl3SSGTKBElO6Y+BAfHtQmk1l+piVIu8cuQnlIo+iLRQRG9i2O49RnUVcQVLGnANNZevBOD+/joy1gTfdfalVSJuj73wi+96jqI9VJ/11wgri8L9b6cN1pEmauL7IlBjSgep3j0PAlyI+8oyTs=

The main issues we've faced are schema extensions and permissions to view person data.

Depending on what you plan on provisioning to Active Directory, I suggest being aware of your FERPA requirements. With the latest Active Directory (2007 ?), we've learned that Microsoft suggests using dynamic distribution lists instead of security groups to 'hide' group memberships, such as courses.

The Recipient Update Service (RUS) in the previous Active Directory (2003 ?) will sometimes update mail related attributes automagically, e.g. proxyAddresses.

A recent thread of interest may be 'Shibboleth and Active Directory' from Educause IDM :
http://listserv.educause.edu/cgi-bin/wa.exe?A1=ind0802&L=idm

Tom

At Memphis we use a home-grown provisioner to manage Active Directory groups from Grouper.

On Feb 20, 2008, at 10:56 AM, caleb racey wrote:

At Newcastle the Active directory is our username/password store and
only institutional directory, most of our identity information however
reside in databases and SAP.

I'm afraid my hint on how grouper will play with the active directory is
for us it won't. Our opinion of the active directory is that it is best
left to it's main task of being a computer management system and a
username password store. The irrevocable nature of schema changes make
it unsuitable for use as a person directory. Also it's integration into
many Microsoft applications means that seemingly innocent updates may
well have knock on effects for these apps.

There may be the possibility of using "light weight directory services"
(which used to be called ADAM: active directory in application mode) to
create effectively a "view" onto your active directory which you can
then integrate data into without the risk of breaking your main active
directory. We have no experience of this but it was raised as a
possibility.

Cheers

Cal





-----Original Message-----
From: Joy Veronneau
[mailto:]
Sent: 20 February 2008 16:37
To: Grouper Dev; Grouper Users
Subject: [grouper-dev] Grouper and Active Directory?

Hi All,

Here at Cornell we are planning on deploying Grouper soon, with
provisioning of groups to our SunOne white pages directory. Also in
the works is a campus deployment of Active Directory, which will be
partially provisioned from our SunOne directory. I am very unfamiliar
with Active Directory, so I am wondering if there are any campuses out
there who have a similar setup and might be able to offer some hints
about how Grouper will play with Active Directory. As you can see,
I'm not really even sure what questions to ask here. What do we need
to investigate?

Thanks-

Joy




Archive powered by MHonArc 2.6.16.

Top of Page