Grouper Developers Forum

[Tom Barton <>]

Great feedback Jim, and a fair amount of work behind your brief 
summaries, it looks like.

I wonder if you'd consider contributing some things back to the project 
that are probably useful to a wide range of adopters, notably the JNDI 
source adapter that uses the vatech ldap library and the ePPN subject 
adapter.

As you get into it, I'm also very interested to hear about 
re-implementing your current webservice using the java api. Both to 
confirm whether the java api and your restful one line up well enough 
without requiring one or other to change, and if so, to see, over a 
little time, the range of application of its clients. I'm curious about 
how much can be done with what I think is a substantially simpler 
restful interface than the one packaged with grouper.

Tom

Jim Fox wrote:
> (this is my initial look, not RLBob's)
>
> We are looking at Grouper as a possibly registry for our groups service,
> presently supported by an LDAP directory and a RESTful webservice. We're
> testing and planning, not yet installing.  These are some random issues
> we've encountered.  Not complaining, just thought I'd let you know.
>
> 1) Jndi source adapter
>
> The jndi classes from Sun do not support ldap connections using ssl or
> tls very well.  They do not support connection pooling, thereby causing
> a lot of connection overhead.  We wrote a source adapter using the ldap
> library from virginia tech - the one used by shibboleth.  It works quite
> a bit more efficiently.
>
> 2) updates to group memberships
>
> Many of our groups come from other processes via simple xml
>
>    <group name=...>
>       <member id=...>
>       ...
>     </group>
>
> There are thousands of these; some have upwards of 100K members; and the
> daily updates add or subtract only a few members from the groups.  The
> xmlImport tool is not feasible for these updates, as it tends to remove
> and replace whole memberships.  It was quite easy though to write an
> efficient reconciler using the java api that just updates the
> differences.
>
> 3) ldap provisioning
>
> The ldappc tool needs small but necessary modifications to provision our
> group directories.  
>
>   - drop the dashes from the uuid when making rdns. 
>   - convert the colons in group names to underscores
>   - add a preface string to member values.
>   - possibly some others.
>
> Don't know if we will use a slightly modified ldappc or make up
> something that can accomplish more timely provisioning using group and
> member hooks.
>
>
> 4) External members 
>
> Our present service allows foreigners (ePPNs) to be members and
> administrators of groups.  I expect we'll implement some sort of ePPN
> source adapter to accommodate these people.  (ditto DNS name [by
> certificate] members)
>
> 5) webservice
>
> We will probably re-implement our present webservice,
> https://wiki.cac.washington.edu/x/ESBy, using the java api. 
>
> 6) GUI
>
> Our present service has a somewhat popular GUI that we might like to
> re-implement for a grouper registry.  That's a bit more work.
>
> Jim