Grouper Developers Forum

[Kathryn Huxtable <>]

On Aug 14, 2008, at 9:59 AM, Graham Seaman wrote:

> Michael R. Gettes wrote:
> > Sorry if the LSE case was discussed here before and I
> > wasn't paying attention.  But from this I glean LSE
> > is using a flat namespace.  I think LSE needs to
> > consider using some simple hierarchy.  Doing things
> > completely flat, to me, is a sign of poor planning.
> > Sorry, but that's how I feel about it.  If this is
> > a "common" problem, then maybe we need to discuss
> > a strategy - but if it is LSE and LSE alone at this
> > point - I think LSE needs to consider changing.
> This isn't the LSE institutional setup, but a provisional test  
> directory I'm working on to find if it's practical to do what we  
> need with signet/grouper. 'Flat' was my own choice, partly dictated  
> by lack of experience with ldap and a desire to keep things as  
> simple as possible; I simply modelled my externally derived groups  
> on the groups provisioned by grouper using the 'flat' option. I've  
> now understood that if I want to do this with grouper I need to move  
> to 'bushy'. Since this is test/development work, I can do that  
> without any institutional impact at all.
>
> It might be helpful  if some words warning people about the  
> potential downside of using a 'flat' group structure were added to  
> the wiki.

I wouldn't use "bushy". But I *would* put the groups provisioned by  
Grouper into a sub-ou of the main groups.

I've reviewed what we did at KU when I was there. We had a top-level  
ou=groups,dc=ku,dc=edu branch, but the groups were actually  
provisioned in sub-ou branches, e.g.

        ou=grouper,ou=automatic,ou=groups,dc=ku,dc=edu

There were several squirrelly processes that automatically provisioned  
groups and they were each in their own branch under  
ou=automatic,ou=groups,dc=ku,dc=edu.

Any manually provisioned groups were under other branches under  
ou=groups,dc=ku,dc=edu to keep them separate.

But the grouper groups were flat under ou=grouper,...

-K