Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] Re: [signet-dev] Proposal for ldappc provision scoping behavior

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] Re: [signet-dev] Proposal for ldappc provision scoping behavior

Chronological Thread 
  • From: Tom Barton <>
  • To: "Michael R. Gettes" <>
  • Cc: Grouper Dev <>,
  • Subject: Re: [grouper-dev] Re: [signet-dev] Proposal for ldappc provision scoping behavior
  • Date: Mon, 11 Aug 2008 16:34:11 -0500

Michael R. Gettes wrote:
Your reflection (view) is reasonable if you only consider
things like group or permission objects going into a directory
but if you think about my person entry having attributes also
showing membership or privilege then I think your position
fails - there is only one person object representing you
so how will you manage multiple chefs cooking YOU?!?!?!
LDAPPC in the past properly handled groups in my entry
with the handling of IsMemberOf but it failed on the
eduPersonEntitlement. If this problem is fixed, then
I agree - as I noted in my response - the group and
permission objects should be in their own portion of
the tree - largely for reasons of access control at the
directory level.

My advice is to not configure multiple ldappc instances to all handle the same membership attribute (ie, using ldappc's "-memberships" parameter). Can you think of a scenario in which it is required to do so, ie, in which having a single ldappc instance provision all -memberships does not meet needs?

fn:Tom Barton
org:University of Chicago;Networking Services & Information Technologies
title:Sr. Director for Integration
tel;work:+1 773 834 1700

Archive powered by MHonArc 2.6.16.

Top of Page