grouper-dev - Re: [grouper-dev] Re: [signet-dev] New ldappc snapshot fixes runner script problem
Subject: Grouper Developers Forum
- From: Tom Barton <>
- To: Graham Seaman <>
- Cc: Kathryn Huxtable <>, Grouper Dev <>,
- Subject: Re: [grouper-dev] Re: [signet-dev] New ldappc snapshot fixes runner script problem
- Date: Tue, 12 Aug 2008 07:25:41 -0500
Graham Seaman wrote:
> My final requirement is to be able to take some groups created in grouper and other groups already existing in the LDAP directory and assign them permissions using signet, feeding the permissions back into eduPermission attributes of individual person objects. Once set up these permissions will then be fed through to applications via Shibboleth on individual login.
> So it seems likely that I will need to have grouper know about all my groups, including the externally created ones, and not only in order to stop existing isMemberOf values being deleted.
> I had the impression before that my final requirement was quite achievable with current versions of signet/grouper/ldappc, but reading the conversation in the 'Proposal for ldappc provision scoping behavior' I'm no longer quite so sure. What do you think? Is this goal achievable with the current versions of grouper/signet/ldappc?
I don't think so. The show-stopper is the lack of ability to assign privileges to members of groups in the current release of signet. It can assign privs to a group, but not to each member of a group.
And although you might finesse it, I suspect that having two substantial and independent group management and group provisioning activities will prove difficult over the long term.
> The ldap log shows ldappc searching through the 16k entries in the directory one by one, finding the members of the test group, and continuing; e.g.
> [12/Aug/2008:11:13:01 +0100] conn=115 op=12706 SRCH base="cn=XXXX,ou=Flame Users,dc=lse,dc=ac,dc=uk" scope=0 filter="(objectClass=*)" attrs="isMemberOf objectClass"
> [12/Aug/2008:11:13:01 +0100] conn=115 op=12706 RESULT err=0 tag=101 nentries=1 etime=0
> [12/Aug/2008:11:13:01 +0100] conn=115 op=12707 SRCH base="cn=XXXY,ou=Flame Users,dc=lse,dc=ac,dc=uk" scope=0 filter="(objectClass=*)" attrs="isMemberOf objectClass"
> where 'XXXX' is a member of test1. I don't understand the filter value, given the filter defined in ldappc.xml. Although this is similar to the setup I had issues with a few months ago on grouper-users, some of the ldap details have since changed.
I'll leave Kathryn to puzzle this out. Weird indeed.
Tom
Tom Barton, Sr. Director for Integration, Networking Services & Information Technologies, University of Chicago
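Added example (not part of the original message and not ldappc code): a small parser for access-log lines in the format quoted above, which groups SRCH operations by connection and reports connections that read entries one at a time with base-scope (scope=0) searches. The sample log is constructed from the quoted lines plus one made-up subtree search; the function names and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the conn=115 lines follow the quoted log, conn=116 is made up.
SAMPLE_LOG = """\
[12/Aug/2008:11:13:01 +0100] conn=115 op=12706 SRCH base="cn=XXXX,ou=Flame Users,dc=lse,dc=ac,dc=uk" scope=0 filter="(objectClass=*)" attrs="isMemberOf objectClass"
[12/Aug/2008:11:13:01 +0100] conn=115 op=12706 RESULT err=0 tag=101 nentries=1 etime=0
[12/Aug/2008:11:13:01 +0100] conn=115 op=12707 SRCH base="cn=XXXY,ou=Flame Users,dc=lse,dc=ac,dc=uk" scope=0 filter="(objectClass=*)" attrs="isMemberOf objectClass"
[12/Aug/2008:11:13:01 +0100] conn=115 op=12707 RESULT err=0 tag=101 nentries=1 etime=0
[12/Aug/2008:11:13:02 +0100] conn=116 op=1 SRCH base="ou=Flame Users,dc=lse,dc=ac,dc=uk" scope=2 filter="(uid=abc)" attrs="cn"
[12/Aug/2008:11:13:02 +0100] conn=116 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) ([A-Z]+)(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted

def parse(log):
    """Yield (conn, op, kind, fields) for each recognisable access-log line."""
    for raw in log.splitlines():
        m = LINE.match(raw.rstrip("\r"))      # tolerate CRLF line endings
        if m:
            fields = {k: v.strip('"') for k, v in KV.findall(m.group(4))}
            yield int(m.group(1)), int(m.group(2)), m.group(3), fields

def summarize(log):
    """Per connection: search patterns, DNs read with scope=0, entries returned."""
    stats = defaultdict(lambda: {"patterns": Counter(), "base_dns": set(), "entries": 0})
    seen = set()                               # (conn, op) pairs that were searches
    for conn, op, kind, f in parse(log):
        if kind == "SRCH":
            seen.add((conn, op))
            stats[conn]["patterns"][(f.get("scope"), f.get("filter"), f.get("attrs"))] += 1
            if f.get("scope") == "0":          # base scope: reads exactly one entry
                stats[conn]["base_dns"].add(f.get("base"))
        elif kind == "RESULT" and (conn, op) in seen:
            stats[conn]["entries"] += int(f.get("nentries", 0))
    return dict(stats)

def per_entry_readers(log, threshold=2):
    """Connections that read at least `threshold` distinct entries one by one."""
    return {c: len(s["base_dns"]) for c, s in summarize(log).items()
            if len(s["base_dns"]) >= threshold}

if __name__ == "__main__":
    for conn, s in summarize(SAMPLE_LOG).items():
        print(conn, dict(s["patterns"]), "entries:", s["entries"])
    print("per-entry readers:", per_entry_readers(SAMPLE_LOG))
```

Run against a full access log, the per-connection pattern counts show whether the one-by-one reads all come from the provisioning connection and which attribute list they request.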