grouper-dev - Re: [grouper-dev] LDAPpc scanning LDAP for non-provisioned groups
Subject: Grouper Developers Forum
List archive
- From: Tom Zeller <>
- To: James Cramton <>
- Cc:
- Subject: Re: [grouper-dev] LDAPpc scanning LDAP for non-provisioned groups
- Date: Mon, 3 Aug 2009 12:10:01 -0500
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; b=o2b7i9CJncQoGacgyGTiNswx3oJmG1356Il7THZk7LM5DQYswLKTd3wZvg3ymz7aLL kHZxcno7IhNzve1cw6G2JQBPAPOXq1qY+vhCpbrY///UF4UxIh6OQF68p+ai4VpDG6Oh NuQ7stbuzhhnFYPnq5g8/dq0LAg6MEWfxe9Tk=
What do you have defined in ldappc.xml for <group-queries> ?
Could you post or send off-list a sanitized ldappc.xml ?
TomZ
On Mon, Aug 3, 2009 at 12:04 PM, James
Cramton<>
wrote:
> Folks,
>
> At U of Arizona this week, our LDAPpc testing saw some unexpected behavior
> that I remember from Brown's testing of LDAPpc 1.0 back in 2006. Brown
> developed its own LDAP provisioning code that handled this work differently,
> so I'm now having to confront what I didn't resolve 3 years ago. The U of A
> is running the distribution version of LDAPpc 1.4.2.
>
> At both institutions, we have our registrar-provisioned course groups in a
> different stem than the course groups that are consumed by applications.
>
> For example:
>
> arizona.edu:courses-registration:2009fall:ACCT531:001:learner
> and
> arizona.edu:courses:2009fall:ACCT531:001:learner
>
> Members of the course-registration stem are members of a similarly named
> course group in the courses stem. This makes provisioned course group
> members indirect members of the course group in the courses stem, and any
> ad-hoc memberships created manually in Grouper are direct members in the
> course group in the courses stem. Evidently, at this point, we should
> perhaps call this "The Cramton Obfuscation Design Pattern." Perhaps it
> over-complicates things, but in both cases, there are sound business reasons
> to maintain a layer of abstraction between the provisioned course groups and
> the course groups consumed by applications.
>
> LDAPpc is configured to provision only the courses stem into LDAP. But in
> reviewing the LDAP traffic during LDAPpc provisioning, we see LDAPpc
> performing an LDAP search for the course groups in the courses-registration
> stem while it is provisioning the courses stem.
>
> Is there a way to configure LDAPpc to not scan LDAP for stems that are not
> provisioned into LDAP? Brown's design prevented this behavior, because it
> does not permit a truly incremental LDAP provisioning run. Or is this a bug
> I should open up in Jira?
>
> Thanks!
>
> --
> James Cramton
> The University of Arizona
>
> 520 777 1967
>
- LDAPpc scanning LDAP for non-provisioned groups, James Cramton, 08/03/2009
- Re: [grouper-dev] LDAPpc scanning LDAP for non-provisioned groups, Tom Zeller, 08/03/2009
- Re: [grouper-dev] LDAPpc scanning LDAP for non-provisioned groups, Tom Zeller, 08/03/2009
- Re: [grouper-dev] LDAPpc scanning LDAP for non-provisioned groups, James Cramton, 08/03/2009
Archive powered by MHonArc 2.6.16.