
grouper-dev - Re: [grouper-dev] beta testing real-time provisioning ?

Subject: Grouper Developers Forum

  • From: Tom Zeller <>
  • To:
  • Subject: Re: [grouper-dev] beta testing real-time provisioning ?
  • Date: Tue, 10 Jan 2012 11:04:13 -0600

>> Will you be choosing a "flat" or "bushy" provisioning structure for groups
>> ?
>
> This is just terminology, but the only real reference to these terms I
> found in this context/community is the venerable LDAP recipe, in which
> these both refer to the same DIT model:
>
>  This is the "flat *and* bushy" model as opposed to "tall and spikey".
>  http://middleware.internet2.edu/dir/docs/ldap-recipe.htm#DIT
>  (my emphasis)
>
> Another canonical text (Howes et al., 2003, 2nd ed.) calls this
> dichotomy "flat" vs. "hierarchical" (p.315ff). Jfyi.
>
> As for provisioning plans: Our current -- and to be replaced in a
> later project, if things go well -- group management system provisions
> groups in hierarchies (cn=group, ou=folder/stem, ...). Not sure we'll
> stick with this, so undecided.

Great link. Terminology and a configuration option. The attribute
resolver attribute definition which converts Grouper names to LDAP DNs
supports a structure of flat or bushy.

<!-- The LDAP DN of a group. For example,
     "cn=groupExtension,ou=stem,ou=testgroups,dc=edu". -->
<resolver:AttributeDefinition
    id="groupDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="bushy"
    sourceAttributeID="name"
    rdnAttributeName="cn"
    base="ou=testgroups,${edu.vt.middleware.ldap.base}">
    <!-- Dependencies which return a "name" attribute whose value is
         the group name. -->
    <resolver:Dependency ref="GroupDataConnector" />
    <resolver:Dependency ref="DeleteGroupChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupChangeLogDataConnector" />
</resolver:AttributeDefinition>

<complexType name="LdapDnFromGrouperNamePSOIdentifier">
    <annotation>
        <documentation>
            A Shibboleth Attribute Definition extension which returns a
            PSO Identifier whose ID is an LDAP DN.
        </documentation>
    </annotation>
    <complexContent>
        <extension base="resolver:BaseAttributeDefinitionType">
            <attribute
                name="structure"
                use="required">
                <annotation>
                    <documentation>
                        The Grouper DN structure.
                    </documentation>
                </annotation>
                <simpleType>
                    <restriction base="string">
                        <enumeration value="flat">
                            <annotation>
                                <documentation>
                                    Provisions objects to a single container.
                                </documentation>
                            </annotation>
                        </enumeration>
                        <enumeration value="bushy">
                            <annotation>
                                <documentation>
                                    Provisions objects to a tree hierarchy.
                                </documentation>
                            </annotation>
                        </enumeration>
                    </restriction>
                </simpleType>
            </attribute>
            <attribute
                name="base"
                type="string"
                use="required">
                <annotation>
                    <documentation>
                        The LDAP DN base.
                    </documentation>
                </annotation>
            </attribute>
            <attribute
                name="rdnAttributeName"
                type="string"
                use="required">
                <annotation>
                    <documentation>
                        The LDAP RDN attribute name.
                    </documentation>
                </annotation>
            </attribute>
        </extension>
    </complexContent>
</complexType>

(From the psp-grouper-ldap module.)
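
Added example, not part of the original message and not code from psp-grouper-ldap: a sketch of the name-to-DN mapping that the "structure" option selects, with RFC 4514 escaping so a group name cannot change the shape of the DN. Assumptions: ":" separates stems in a Grouper name, stems become "ou" RDNs in bushy mode, and flat mode uses the full group name as the RDN value; the function and parameter names are hypothetical.

```python
# Added illustration; not the psp-grouper-ldap implementation.
# Assumptions: ":" is the stem separator, stems map to "ou" RDNs (bushy),
# and flat mode puts the full group name into a single RDN.

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for a DN string (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)          # characters that delimit RDNs/AVAs
        elif ch == "\x00":
            out.append("\\00")             # NUL must be hex-escaped
        elif ch == "#" and i == 0:
            out.append("\\#")              # leading '#' means hex-encoded BER
        elif ch == " " and i in (0, last):
            out.append("\\ ")              # leading/trailing space is stripped
        else:
            out.append(ch)
    return "".join(out)


def group_dn(name, structure, base, rdn_attribute_name="cn", stem_rdn="ou"):
    """Build the DN for a Grouper group name under the given base."""
    parts = name.split(":")
    if not name or any(p == "" for p in parts):
        raise ValueError("empty group name or stem component")
    if structure == "flat":
        # Single container: one RDN directly under the base.
        rdns = [(rdn_attribute_name, name)]
    elif structure == "bushy":
        # Tree hierarchy: leaf first, then stems innermost to outermost.
        rdns = [(rdn_attribute_name, parts[-1])]
        rdns += [(stem_rdn, stem) for stem in reversed(parts[:-1])]
    else:
        raise ValueError("structure must be 'flat' or 'bushy'")
    return ",".join(f"{a}={escape_rdn_value(v)}" for a, v in rdns) + "," + base


if __name__ == "__main__":
    base = "ou=testgroups,dc=edu"          # constructed sample base
    for s in ("flat", "bushy"):
        print(s, group_dn("stem:groupExtension", s, base))
    # Constructed name containing DN metacharacters: stays one RDN.
    print(group_dn("stem:x,ou=admins", "bushy", base))
```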


