Grouper Developers Forum

[Peter Schober <>]

* Tom Zeller 
<>
 [2012-01-10 17:49]:
> (1) Will your provisioned membership structure for groups (the member
> attribute) be immediate or everything ?

ATM we're doing "everything" ("flat" if you want, to add some confusion ;)

Since I don't know if all systems that should eventually connect
support nested groups I *guess* flattening out the memberships in LDAP
is a service we will continue to provide. (Might change if systems
change to interact with Grouper directly or get everything they need
via SAML during SSO).

> (2) Will your provisioned membership structure for members (the
> memberOf attribute) be immediate or everything ?
> 
> For example, given groupA with memberA and groupB with memberB :
> 
>  dn : cn=groupA,ou=groups
>  member: cn=memberA,ou=people
> 
>  dn: cn=groupB,ou=groups
>  member: cn=memberB,ou=people
> 
> If groupB is added as a member to groupA, how do you want groupA to be
> provisioned :
> 
> everything :
> 
>  dn : cn=groupA,ou=groups
>  member: cn=memberA,ou=people
>  member: cn=memberB,ou=people
>  member: cn=groupB,ou=people

Why still have cn=groupB as member of cn=groupA, if you already
included all of cn=groupB's members in cn=groupA?

> And, do you want to provision memberOf with the same structure ?

If memberOf is maintained by the DSA itself there really is no choice
what's written there, I would assume?

cheers,
-peter