
grouper-dev - RE: [grouper-dev] fyi : provisioning wish list

Subject: Grouper Developers Forum

  • From: Gagné Sébastien <>
  • To: "Tom Zeller" <>
  • Cc: "Grouper Dev" <>
  • Subject: RE: [grouper-dev] fyi : provisioning wish list
  • Date: Tue, 13 Mar 2012 13:28:10 -0400

I'm not totally sure about the AD changelog, but it seems we can get the
latest change by using the uSNChanged attribute. You'd have to save the
latest value and search for higher values. Oracle's AD connector for OIM
seems to be doing it that way, saving each new value for the next scheduler
run.

http://www.windowsitpro.com/article/tips/what-options-exist-for-tracking-active-directory-ad-changes-
http://support.microsoft.com/?kbid=891995

It seems that each LDAP would require its own connector to support changelog
import.

If someone really needed that feature, he could register a custom module in
AD to receive all changes. It then could replicate them in Grouper using the
API or the Web Service. Oracle also does something like that where a module
captures password changes in AD (before encryption) and sends them to OIM to
update its password.


-----Original Message-----
From: [mailto:] On Behalf Of Tom Zeller
Sent: March 9, 2012 16:27
To: Gagné Sébastien
Cc: Grouper Dev
Subject: Re: [grouper-dev] fyi : provisioning wish list

> We're looking into LDAP to Grouper synchronisation. As I see it there are two
> ways of doing it (loader and psp); which one will be the future for Grouper?
> Which one would you suggest? Will both ways be supported or will one of
> them phase out?

I have an action item to review the loader which might make for a good
comparison. We haven't talked about phasing anything out or dropping support,
especially since the psp has not even been released yet.

> I haven't seen how the PSP LDAP-to-Grouper works but does it do
> incremental/changelog provisioning also? Or is it a cron based full sync
> (like the loader)? I believe Active Directory has a changelog, could it
> eventually be used to import changes in Grouper?

As of now, psp-ldap-to-grouper is cron based full sync. However, just as the
psp is triggered by the grouper changelog, it seems reasonable to trigger the
psp via an ldap changelog, e.g. an openldap audit log.

Do you know what the AD changelog looks like? ldif?

TomZ
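
The uSNChanged polling described in the reply above (save the latest value, search for higher ones on the next run), as an added example that is not code from the thread, Grouper, or Oracle's connector. The state file, the `apply` hook, the `objectClass=group` filter, the DC names and the in-memory `fake_search` are assumptions made so it runs offline on constructed entries.

```python
import json
import os
import re

# Constructed sample data: one domain controller's view of three groups.
SAMPLE = [
    {"dn": "CN=staff,OU=Groups,DC=example,DC=edu", "uSNChanged": 4101},
    {"dn": "CN=students,OU=Groups,DC=example,DC=edu", "uSNChanged": 4250},
    {"dn": "CN=faculty,OU=Groups,DC=example,DC=edu", "uSNChanged": 4307},
]

def build_filter(last_usn):
    # LDAP filters have >= but no strict >, so ask for last_usn + 1 and up.
    return f"(&(objectClass=group)(uSNChanged>={last_usn + 1}))"

def load_mark(path, dc):
    """Saved high-water mark for this DC; 0 means do a full first pass."""
    if not os.path.exists(path):
        return 0
    with open(path) as f:
        state = json.load(f)
    # uSNChanged is local to each DC, so a mark from another DC is discarded.
    return state["usn"] if state.get("dc") == dc else 0

def save_mark(path, dc, usn):
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"dc": dc, "usn": usn}, f)
    os.replace(tmp, path)  # atomic swap: a crash never leaves a torn file

def poll(search, apply, path, dc):
    """One scheduler run: fetch entries above the mark, apply, then save."""
    last = load_mark(path, dc)
    changed = sorted(search(build_filter(last)), key=lambda e: e["uSNChanged"])
    for entry in changed:
        apply(entry)  # hypothetical hook, e.g. a call into Grouper
    if changed:
        # Saved only after every apply succeeded; a failure replays the batch.
        save_mark(path, dc, changed[-1]["uSNChanged"])
    return [e["dn"] for e in changed]

def fake_search(entries):
    """Hypothetical stand-in for the LDAP search against one fixed DC."""
    def search(ldap_filter):
        floor = int(re.search(r"uSNChanged>=(\d+)", ldap_filter).group(1))
        return [e for e in entries if e["uSNChanged"] >= floor]
    return search
```

Because a failed batch is replayed on the next run, the `apply` hook has to be idempotent. Deleted objects do not show up in this search and need separate handling.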


