Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] Re: [signet-dev] New ldappc snapshot fixes runner script problem

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] Re: [signet-dev] New ldappc snapshot fixes runner script problem

Chronological Thread 
  • From: Tom Barton <>
  • To: Graham Seaman <>
  • Cc: Kathryn Huxtable <>, Grouper Dev <>,
  • Subject: Re: [grouper-dev] Re: [signet-dev] New ldappc snapshot fixes runner script problem
  • Date: Tue, 12 Aug 2008 07:25:41 -0500

Graham Seaman wrote:
My final requirement is to to be able to take some groups created in grouper and other groups already existing in the LDAP directory and assign them permissions using signet, feeding the permissions back into eduPermission attributes of individual person objects. Once set up these permissions will then be fed through to applications via Shibboleth on individual login.

So it seems likely that I will need to have grouper know about all my groups, including the externally created ones, and not only in order to stop existing isMemberOf values being deleted.
I had the impression before that my final requirement was quite achievable with current versions of signet/grouper/ldappc, but reading the conversation in the 'Proposal for ldappc provision scoping behavior' I'm no longer quite so sure. What do you think? Is this goal achievable with the current versions of grouper/signet/ldappc?

I don't think so. The show-stopper is the lack of ability to assign privileges to members of groups in the current release of signet. It can assign privs to a group, but not to each member of a group.

And although you might finesse it, I suspect that having two substantial and independent group management and group provisioning activities will prove difficult over the long term.

The ldap log show ldappc search through the 16k entries in the directory one by one, finding the members of the test group, and continuing; eg.

[12/Aug/2008:11:13:01 +0100] conn=115 op=12706 SRCH base="cn=XXXX,ou=Flame Users,dc=lse,dc=ac,dc=uk" scope=0 filter="(objectClass=*)" attrs="isMemberOf objectClass"^M
[12/Aug/2008:11:13:01 +0100] conn=115 op=12706 RESULT err=0 tag=101 nentries=1 etime=0
[12/Aug/2008:11:13:01 +0100] conn=115 op=12707 SRCH base="cn=XXXY,ou=Flame Users,dc=lse,dc=ac,dc=uk" scope=0 filter="(objectClass=*)" attrs="isMemberOf objectClass"

where 'XXXX' is a member of test1. I don't understand the filter value, given the filter defined in ldappc.xml. Although this is similar to the setup I had issues with a few month ago on grouper-users, some of the ldap details have since changed.

I'll leave Kathryn to puzzle this out. Weird indeed.

fn:Tom Barton
org:University of Chicago;Networking Services & Information Technologies
title:Sr. Director for Integration
tel;work:+1 773 834 1700

Archive powered by MHonArc 2.6.16.

Top of Page