Skip to Content.
Sympa Menu

grouper-dev - UW's initial look at grouper

Subject: Grouper Developers Forum

List archive

UW's initial look at grouper

Chronological Thread 
  • From: Jim Fox <>
  • To: Grouper Dev <>
  • Subject: UW's initial look at grouper
  • Date: Thu, 16 Apr 2009 14:05:03 -0700

(this is my initial look, not RLBob's)

We are looking at Grouper as a possibly registry for our groups service,
presently supported by an LDAP directory and a RESTful webservice. We're
testing and planning, not yet installing. These are some random issues
we've encountered. Not complaining, just thought I'd let you know.

1) Jndi source adapter

The jndi classes from Sun do not support ldap connections using ssl or
tls very well. They do not support connection pooling, thereby causing
a lot of connection overhead. We wrote a source adapter using the ldap
library from virginia tech - the one used by shibboleth. It works quite
a bit more efficiently.

2) updates to group memberships

Many of our groups come from other processes via simple xml

<group name=...>
<member id=...>

There are thousands of these; some have upwards of 100K members; and the
daily updates add or subtract only a few members from the groups. The
xmlImport tool is not feasible for these updates, as it tends to remove
and replace whole memberships. It was quite easy though to write an
efficient reconciler using the java api that just updates the

3) ldap provisioning

The ldappc tool needs small but necessary modifications to provision our
group directories.

- drop the dashes from the uuid when making rdns.
- convert the colons in group names to underscores
- add a preface string to member values.
- possibly some others.

Don't know if we will use a slightly modified ldappc or make up
something that can accomplish more timely provisioning using group and
member hooks.

4) External members

Our present service allows foreigners (ePPNs) to be members and
administrators of groups. I expect we'll implement some sort of ePPN
source adapter to accommodate these people. (ditto DNS name [by
certificate] members)

5) webservice

We will probably re-implement our present webservice,, using the java api.

6) GUI

Our present service has a somewhat popular GUI that we might like to
re-implement for a grouper registry. That's a bit more work.


Archive powered by MHonArc 2.6.16.

Top of Page