Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] UW's initial look at grouper

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] UW's initial look at grouper


Chronological Thread 
  • From: Tom Barton <>
  • To: Jim Fox <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] UW's initial look at grouper
  • Date: Thu, 16 Apr 2009 21:41:36 -0500

Great feedback Jim, and a fair amount of work behind your brief summaries, it looks like.

I wonder if you'd consider contributing some things back to the project that are probably useful to a wide range of adopters, notably the JNDI source adapter that uses the vatech ldap library and the ePPN subject adapter.

As you get into it, I'm also very interested to hear about re-implementing your current webservice using the java api. Both to confirm whether the java api and your restful one line up well enough without requiring one or other to change, and if so, to see, over a little time, the range of application of its clients. I'm curious about how much can be done with what I think is a substantially simpler restful interface than the one packaged with grouper.

Tom

Jim Fox wrote:
(this is my initial look, not RLBob's)

We are looking at Grouper as a possibly registry for our groups service,
presently supported by an LDAP directory and a RESTful webservice. We're
testing and planning, not yet installing. These are some random issues
we've encountered. Not complaining, just thought I'd let you know.

1) Jndi source adapter

The jndi classes from Sun do not support ldap connections using ssl or
tls very well. They do not support connection pooling, thereby causing
a lot of connection overhead. We wrote a source adapter using the ldap
library from virginia tech - the one used by shibboleth. It works quite
a bit more efficiently.

2) updates to group memberships

Many of our groups come from other processes via simple xml

<group name=...>
<member id=...>
...
</group>

There are thousands of these; some have upwards of 100K members; and the
daily updates add or subtract only a few members from the groups. The
xmlImport tool is not feasible for these updates, as it tends to remove
and replace whole memberships. It was quite easy though to write an
efficient reconciler using the java api that just updates the
differences.

3) ldap provisioning

The ldappc tool needs small but necessary modifications to provision our
group directories.
- drop the dashes from the uuid when making rdns. - convert the colons in group names to underscores
- add a preface string to member values.
- possibly some others.

Don't know if we will use a slightly modified ldappc or make up
something that can accomplish more timely provisioning using group and
member hooks.


4) External members
Our present service allows foreigners (ePPNs) to be members and
administrators of groups. I expect we'll implement some sort of ePPN
source adapter to accommodate these people. (ditto DNS name [by
certificate] members)

5) webservice

We will probably re-implement our present webservice,
https://wiki.cac.washington.edu/x/ESBy, using the java api.
6) GUI

Our present service has a somewhat popular GUI that we might like to
re-implement for a grouper registry. That's a bit more work.

Jim








Archive powered by MHonArc 2.6.16.

Top of Page