grouper-dev - RE: [grouper-dev] fyi : provisioning wish list



  • From: Nathan Kopp <>
  • To: Grouper Dev <>
  • Subject: RE: [grouper-dev] fyi : provisioning wish list
  • Date: Tue, 13 Mar 2012 14:45:09 -0400

If you're looking to capture password changes from AD, you could use
PasswdHk. It's the same basic technology that OIM uses.
http://passwdhk.sourceforge.net/

This is a DLL that installs into AD and can run any command-line program,
sending it all password changes. For more information about the concept of
how this DLL plugs into AD, search the web for "Active Directory Custom
Password Filter."

I'm not sure if this is triggered for any change, though. I think it's only
triggered for password changes, since the purpose of this AD extension point
was originally to enforce custom password policies.

-Nathan


-----Original Message-----
From: [mailto:] On Behalf Of Gagné Sébastien
Sent: Tuesday, March 13, 2012 1:28 PM
To: Tom Zeller
Cc: Grouper Dev
Subject: RE: [grouper-dev] fyi : provisioning wish list

I'm not totally sure about the AD changelog, but it seems we can get the
latest change by using the uSNChanged attribute. You'd have to save the
latest value and search for higher values. Oracle's AD connector for OIM
seems to be doing it that way, saving each new value for the next scheduler
run.

http://www.windowsitpro.com/article/tips/what-options-exist-for-tracking-active-directory-ad-changes-
http://support.microsoft.com/?kbid=891995

It seems that each LDAP would require its own connector to support changelog
import.

If someone really needed that feature, they could register a custom module in
AD that receives all changes. It could then replicate them into Grouper using the
API or the Web Service. Oracle also does something like that, where a module
captures password changes in AD (before encryption) and sends them to OIM to
update its password.


-----Original Message-----
From: [mailto:] On Behalf Of Tom Zeller
Sent: March 9, 2012 16:27
To: Gagné Sébastien
Cc: Grouper Dev
Subject: Re: [grouper-dev] fyi : provisioning wish list

> We're looking into LDAP to Grouper synchronisation. As I see it there are two
> ways of doing it (loader and psp); which one will be the future for Grouper?
> Which one would you suggest? Will both ways be supported or will one of
> them phase out?

I have an action item to review the loader which might make for a good
comparison. We haven't talked about phasing anything out or dropping support,
especially since the psp has not even been released yet.

> I haven't seen how the PSP LDAP-to-Grouper works, but does it do
> incremental/changelog provisioning also? Or is it a cron-based full sync
> (like the loader)? I believe Active Directory has a changelog; could it
> eventually be used to import changes into Grouper?

As of now, psp-ldap-to-grouper is a cron-based full sync. However, just as the
psp is triggered by the grouper changelog, it seems reasonable to trigger the
psp via an ldap changelog, e.g. an openldap audit log.

Do you know what the AD changelog looks like? LDIF?

TomZ
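The uSNChanged polling that Sébastien describes (save the latest value, query for higher ones on the next scheduler run), written out as an added example. This is not Grouper, PSP or OIM code; it stands in for one domain controller with a small in-memory object so it runs offline, and the DNs, USNs and invocationIds are constructed. Two details from KB 891995 that a connector gets wrong at its peril are built in: the watermark is kept per DC, because uSNChanged is assigned locally and is not replicated, and deleted groups are only visible as tombstones when the show-deleted control is sent.

```python
"""Incremental AD change polling with uSNChanged, one scheduler run at a time.
Added example, not Grouper, PSP or OIM code; a small in-memory stand-in
replaces the LDAP connection to one domain controller so it runs offline."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # LDAP_SERVER_SHOW_DELETED_OID

# Constructed sample data: DNs, USNs and invocationIds are made up.
BASE = "OU=Groups,DC=example,DC=edu"
STAFF_DN = f"CN=staff,{BASE}"
FACULTY_DN = f"CN=faculty,{BASE}"
OLD_DN = "CN=old-project,CN=Deleted Objects,DC=example,DC=edu"  # tombstone


@dataclass
class FakeDC:
    """Stand-in for one domain controller.  invocation_id is the DC's
    invocationId GUID; highest_committed_usn is rootDSE highestCommittedUSN."""
    invocation_id: str
    highest_committed_usn: int
    entries: Dict[str, dict] = field(default_factory=dict)

    def search(self, ldap_filter: str, controls: Tuple[str, ...] = ()) -> List[dict]:
        """Understands only the filter shape build_filter() produces."""
        min_usn = int(ldap_filter.rsplit(">=", 1)[1].split(")")[0])
        hits = []
        for dn, attrs in self.entries.items():
            if attrs["uSNChanged"] < min_usn:
                continue
            # Tombstones are invisible unless the show-deleted control is sent.
            if attrs.get("isDeleted") and SHOW_DELETED_OID not in controls:
                continue
            hits.append({"dn": dn, **attrs})
        return sorted(hits, key=lambda e: e["uSNChanged"])


def build_filter(last_usn: int, object_class: str = "group") -> str:
    """LDAP filters have >= but no strict >, so resume at last_usn + 1."""
    return f"(&(objectClass={object_class})(uSNChanged>={last_usn + 1}))"


def poll_changes(dc: FakeDC, watermarks: Dict[str, int]) -> List[Tuple[str, str]]:
    """One scheduler run against one DC; returns (dn, 'changed'|'deleted').

    watermarks is keyed by invocationId because uSNChanged is assigned by
    each DC locally and is not replicated: a USN saved from one DC is
    meaningless on another and would skip or replay changes.
    """
    last = watermarks.get(dc.invocation_id, 0)
    # Read highestCommittedUSN before searching (the order KB 891995 gives).
    # Changes committed after this read are seen now and again next run, which
    # an idempotent sync tolerates; the reverse order could lose a change.
    next_mark = dc.highest_committed_usn
    events = []
    for e in dc.search(build_filter(last), controls=(SHOW_DELETED_OID,)):
        events.append((e["dn"], "deleted" if e.get("isDeleted") else "changed"))
    watermarks[dc.invocation_id] = next_mark
    return events


def sample_dc(invocation_id: str = "dc1-invocation-id", usn_offset: int = 0) -> FakeDC:
    """Same three groups; a second DC carries different USNs for them."""
    return FakeDC(invocation_id, 200 + usn_offset, {
        STAFF_DN: {"uSNChanged": 100 + usn_offset,
                   "member": ["CN=alice,OU=People,DC=example,DC=edu"]},
        FACULTY_DN: {"uSNChanged": 150 + usn_offset,
                     "member": ["CN=bob,OU=People,DC=example,DC=edu"]},
        OLD_DN: {"uSNChanged": 180 + usn_offset, "isDeleted": True},
    })


def demo() -> List[List[Tuple[str, str]]]:
    dc1, dc2 = sample_dc(), sample_dc("dc2-invocation-id", 5000)
    marks: Dict[str, int] = {}
    runs = [poll_changes(dc1, marks)]          # initial load: all three, tombstone included
    runs.append(poll_changes(dc1, marks))      # nothing changed since: []
    dc1.entries[STAFF_DN]["uSNChanged"] = 250  # a membership edit lands on dc1
    dc1.highest_committed_usn = 260
    runs.append(poll_changes(dc1, marks))      # only the staff group
    runs.append(poll_changes(dc2, marks))      # dc2 has its own watermark: full load again
    return runs


if __name__ == "__main__":
    for run in demo():
        print(run)
```

Against a real DC the FakeDC.search call becomes an LDAP search with the same filter string and the show-deleted control, and the watermark store should record the invocationId alongside the USN so a failover to another DC forces a full reload rather than a silent gap.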

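Nathan's PasswdHk suggestion and the OIM password capture Sébastien mentions both work by registering a DLL in the LSA "Notification Packages" registry value, and every DLL listed there is loaded into LSASS and handed each cleartext password change. The check below, an added example that is not PasswdHk, OIM or Grouper code, parses the output of `reg query` for that value (the sample output is constructed) and reports anything outside a baseline; the default names assumed for a domain controller are an assumption to replace with your own build baseline.

```python
"""Audit which password-filter DLLs LSA will load.  Added example, not
PasswdHk, OIM or Grouper code.  Feed it the output of
  reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "Notification Packages"
"""
import re
from typing import Iterable, List, Set

# Assumed defaults on a domain controller; use your own build baseline.
DC_BASELINE: Set[str] = {"scecli", "rassfm"}

# Constructed sample: a DC on which PasswdHk has been registered.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0passwdhk
"""


def parse_notification_packages(reg_output: str) -> List[str]:
    """Return the REG_MULTI_SZ items; reg query joins them with a literal
    backslash-zero, and each item names a DLL under %SystemRoot%\\System32."""
    m = re.search(r"Notification Packages\s+REG_MULTI_SZ\s+(\S*)", reg_output)
    if not m:
        return []
    return [p for p in m.group(1).split(r"\0") if p]


def unexpected_filters(packages: Iterable[str], baseline: Set[str] = DC_BASELINE) -> List[str]:
    """Names outside the baseline.  Each one runs as SYSTEM inside LSASS and
    sees every cleartext password change, so each needs a known owner, whether
    it is PasswdHk, a vendor agent like OIM's, or something an attacker left."""
    known = {b.lower() for b in baseline}
    return [p for p in packages if p.lower() not in known]


def audit(reg_output: str = SAMPLE_REG_QUERY) -> List[str]:
    return unexpected_filters(parse_notification_packages(reg_output))


if __name__ == "__main__":
    print(audit())
```

Run it on a schedule against each DC and alert on any change to the list, not only on names outside the baseline: a filter DLL added by a change-control ticket and one added by an intruder look identical in the registry.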

