
grouper-dev - Re: [grouper-dev] some questions regarding ldap on grouperdemo

Subject: Grouper Developers Forum

  • From: Tom Barton <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: Re: [grouper-dev] some questions regarding ldap on grouperdemo
  • Date: Fri, 02 Dec 2011 15:30:05 -0600

Understood. How we handle multiple sources on the demo site will
demonstrate our understanding of how that may need to be done in real
deployments, whether we intend it to or not. I doubt we'd ever recommend
to a deploying site to put prefixes on their established subjectIds, so
we shouldn't do that on the demo site. See what I mean?

Tom

On 12/2/2011 12:02 PM, Chris Hyzer wrote:
> Right, but for some things it searches all subject sources, like when you
> log in to the UI or WS (if you don't configure that all logins come from a
> single source), so you don't *have* to have subjectIds unique across all
> subject sources, but I bet you will have less pain if you do. If someone
> registers the PennKey GrouperSystem (which is out of our namespace, but
> even so, let's say they do), there could be errors thrown when that is
> resolved across all sources and more than one is found...
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: Tom Barton [mailto:]
> Sent: Friday, December 02, 2011 12:18 PM
> To: Chris Hyzer
> Cc:
>
> Subject: Re: [grouper-dev] some questions regarding ldap on grouperdemo
>
> Isn't a subject ref in grouper the couple (sourceId, subjectId)? I.e.,
> grouper doesn't require a single namespace across all Subjects that are
> presented to it, right?
>
> Tom
>
> On 12/2/2011 10:59 AM, Chris Hyzer wrote:
>> I don't think the demo server needs to be all that realistic, but I do
>> think it needs to show Grouper capabilities, and in my case, allow us to
>> develop and test our software. If we aren't going to phase out the non
>> vt-ldap source, let's add some people to a vtldap source, and some people
>> to a non-vt-ldap source... :)
>>
>> I think we should have them have prefixes or something so we don't have
>> the same subjectId in multiple sources
>>
>> Thanks,
>> Chris
>>
>>
>>
>> -----Original Message-----
>> From: [mailto:] On Behalf Of Tom Barton
>> Sent: Friday, December 02, 2011 10:19 AM
>> To:
>>
>> Subject: Re: [grouper-dev] some questions regarding ldap on grouperdemo
>>
>> Good questions. It'd be best to have both source technologies in the
>> demo. But then we also need to think about what circumstance they model.
>> I can think of two possibilities.
>>
>> 1. Multi-campus. Each source represents the people from a different
>> organization, but they share an access management instance. We might
>> also have a root stem for each org plus a root stem for activities
>> common among them.
>>
>> 2. Accounts != people. Source 1 is people and Source 2 is the accounts
>> people use. Each person might have more than one account, and access
>> privs for some apps are assigned to accounts. Might want a
>> loader-maintained stem in which each person is modeled as a group whose
>> members are the person's accounts, to enable a person's roles to be
>> inherited by their accounts when that's appropriate.
>>
>> Yes, allow demo users to browse ldap, if that's easy enough to do.
>>
>> Other thoughts?
>> Tom
>>
>> On 12/1/2011 5:02 PM, Tom Zeller wrote:
>>> Do we want to use an ldap subject source instead of jdbc?
>>>
>>> Do we want to add an ldap subject source in addition to jdbc?
>>>
>>> Do we want to allow authenticated users to browse the ldap directory?
>>>
>>> That's all for now. I have openldap and phpldapadmin almost configured.
>>>
>>> TomZ
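
The point debated in this thread, as an added example that is not part of the original messages and is not Grouper code: a toy Python model in which a subject is the pair (sourceId, subjectId), a bare subjectId lookup fails when more than one source holds it, and an audit lists colliding ids. The source ids, subject ids and function names are constructed for illustration.

```python
"""Toy model of subject resolution across several sources (not Grouper code)."""


class SubjectNotFound(Exception):
    """No searched source holds the subjectId."""


class SubjectNotUnique(Exception):
    """More than one searched source holds the subjectId."""


# Constructed sample data: sourceId -> {subjectId: description}.
SOURCES = {
    "internal": {"GrouperSystem": "built-in root subject"},
    "jdbc": {"jsmith": "John Smith", "adoe": "Alice Doe"},
    "ldap": {"jsmith": "Jane Smith", "GrouperSystem": "self-registered user"},
}


def find_by_id_and_source(sources, source_id, subject_id):
    """Resolve the full (sourceId, subjectId) pair; this is never ambiguous."""
    try:
        return (source_id, subject_id, sources[source_id][subject_id])
    except KeyError:
        raise SubjectNotFound(f"{source_id}/{subject_id}") from None


def find_by_id(sources, subject_id, login_source=None):
    """Resolve a bare subjectId, as a login does when no single source is set."""
    searched = [login_source] if login_source else sorted(sources)
    hits = [(s, subject_id, sources[s][subject_id])
            for s in searched if subject_id in sources.get(s, {})]
    if not hits:
        raise SubjectNotFound(subject_id)
    if len(hits) > 1:
        # Fail closed: never pick one of several identities silently.
        raise SubjectNotUnique(f"{subject_id} in {[h[0] for h in hits]}")
    return hits[0]


def colliding_ids(sources):
    """Audit helper: subjectIds that appear in more than one source."""
    seen = {}
    for source_id, subjects in sources.items():
        for subject_id in subjects:
            seen.setdefault(subject_id, []).append(source_id)
    return {sid: sorted(srcs) for sid, srcs in seen.items() if len(srcs) > 1}
```

Running colliding_ids over the configured sources before enabling logins from all of them shows which ids would hit the not-unique error.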
