
grouper-dev - Re: [grouper-dev] ldappc real time provisioning

Subject: Grouper Developers Forum

  • From: "McDermott, Michael" <>
  • To: "James A. Vuccolo" <>
  • Cc: Tom Zeller <>, LLG5 <>, Grouper Dev <>
  • Subject: Re: [grouper-dev] ldappc real time provisioning
  • Date: Thu, 14 Jul 2011 17:11:54 -0400

We are doing some work here that might be of interest with using Grouper hooks (soon the change log) and putting the changes on a message queue for processing. As this evolves a bit more, it may be of general use. It will not be realtime (we like to say event based), but as fast as Grouper can put messages on a queue (fast), the queue can be read (fast) and the downstream system can be provisioned (variable). Our current implementation is focused on Google's GAE groups.

I believe University of Washington has also done cool work in this area as well and is ahead of where we are, and if memory serves, they had some requirements that necessitated provisioning to happen in near instant time frames.

On Thu, Jul 14, 2011 at 9:21 AM, James A. Vuccolo <> wrote:
On 7/13/11 5:53 PM, Tom Zeller wrote:
Long story, but I do not have a solid date for generic real-time
provisioning via ldappcng right now. Perhaps a generic provisioner
like ldappcng is not necessary, but a "simpler" solution using hooks
may suffice.


Hi Tom, I am going to answer the LDAP questions for Lynn.


Some questions:
- what do you intend to provision? (Active Directory, OpenLDAP, both,
others, etc.)

LDAP, we run IBM's Tivoli Directory Server version 6.2 on AIX.  We are configured with two masters and seven replicas.


- do you need to provision more than one target?

No, not at this time.  LDAP is very important to us.  At a later date, we will need to worry about Active Directory.  Today we provision to LDAP and then do a sync to AD.


- roughly how many groups and memberships do you need to provision in
real-time?

Today we have a large number of groups between 40K - 50K.  Changes to those groups need to be done in real-time as they are used for Email Delivery, course restrictions and access to file space.  Most of those groups have memberships that are less than 100.  We have a few groups that have large memberships > 20K.


- what is your existing provisioning infrastructure?


Today all groups are provisioned using a custom "C" application that I wrote called ldapgroup, think of ldapmodify except for groups. The application can either do one-offs or do things in bulk.

Thanks,
JimmyV.


That's all I can think of right now,
TomZ

Hello All:

We were fortunate to have both Keith Hazelton and Chris Hyzer join our IAM team at Penn State for an entire day of focusing on Access Management (groups, privileges, permissions, provisioning, etc.). Was a great opportunity. At the end of the day, we are convinced that Grouper will meet a lot of our requirements going forward. We'd like to be able to state that we have chosen this open source community solution as part of our strategy for Access Management at Penn State. The one outstanding issue for us is the real time provisioning for ldappc.

Has a decision been made on the release date of the real-time provisioning for ldappc? We would like to include some milestones for Grouper implementation in our project plan and timelines but again, we cannot declare this as a final decision without this feature as part of the Grouper software and the ability to conduct the testing.

Any information you can provide on projected timeframes for this will be very helpful in our campus discussions.

Thanks!
Lynn


--
James "Jimmy" Vuccolo,
Technical Manager, Identity and Access Management
The Pennsylvania State University
215B Computer Building, University Park, PA 16802
Office: 814-865-5635
http://www.personal.psu.edu/jvuccolo/



--
Michael J. McDermott
Lead Developer, Identity and Access Management
Brown University




