Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] ldappc real time provisioning

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] ldappc real time provisioning

Chronological Thread 
  • From: Raymond Drew Walker <>
  • To: Tom Zeller <>, LLG5 <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] ldappc real time provisioning
  • Date: Wed, 13 Jul 2011 22:25:02 +0000
  • Accept-language: en-US

I'd like to chime in on this as well, showing interest in real-time
provisioning, and answering the questions from our Grouper experience in

- Existing: We currently provision independently using Grouper 1.4.2 to
both SunOne LDAP & Microsoft Active Directory
- Current groups: ~100 expected to grow tenfold (memberships to the order
of 10) over the next year with the implementation of CMS & other resources.
- Not sure what is meant by one target, but we provision from one instance
of grouper to 2 endpoints (LDAP & AD)
- Intentions: To provision Grouper information to SunOne LDAP & Microsoft
AD in the known future

Interest in realtime provisioning stems from the fact that we run a
retro-changelog on our SunOne LDAP (reads all incoming LDAP changes and
makes appropriate subsequent changes in LDAP) The initialization of
Grouper provisioning causes a LOT of traffic on our retro-changelog,
potentially slowing other LDAP feeds, processes, etc.

As an aside, though I think this has been taken care of since v1.4.2...
For Active Directory provisioning=, we have users in multiple AD DOMAINS,
and need to provision group memberships for users (potentially) in both
DOMAINS. Currently we run a second provisioner with modified code to
handle this.

Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University

-----Original Message-----
From: Tom Zeller
Date: Wed, 13 Jul 2011 16:53:34 -0500
To: LLG5
Cc: Grouper Dev
Subject: Re: [grouper-dev] ldappc real time provisioning

>Long story, but I do not have a solid date for generic real-time
>provisioning via ldappcng right now. Perhaps a generic provisioner
>like ldappcng is not necessary, but a "simpler" solution using hooks
>may suffice.
>Some questions :
>- what do you intend to provision ? (Active Directory, OpenLDAP, both,
>others, etc.)
>- do you need to provision more than one target ?
>- roughly how many groups and memberships do you need to provision in
>real-time ?
>- what is your existing provisioning infrastructure ?
>That's all I can think of right now,
>> Hello All:
>> We were fortunate to have both Keith Hazelton and Chris Hyzer join our
>>IAM team at Penn State for an entire day of focusing on Access
>>Management (groups, privileges, permissions, provisioning, etc) Was a
>>great opportunity. At the end of the day, we are convinced that Grouper
>>will meet a lot of our requirements going forward. We'd like to be able
>>to state that we have chosen this open source community solution as part
>>of our strategy for Access Management at Penn State. The one
>>outstanding issue for us is the real time provisioning for ldappc.
>> Has a decision been made on the release date of the real-time
>>provisioning for ldappc? We will would like to include some milestones
>>for Grouper implementation in our project plan and timelines but again,
>>we cannot declare this as a final decision without this feature as part
>>of the Grouper software and the ability to conduct the testing.
>> Any information you can provide on projected timeframes for this will
>>be very helpful in our campus discussions.
>> Thanks!
>> Lynn

Archive powered by MHonArc 2.6.16.

Top of Page