grouper-dev - RE: [grouper-dev] fyi : provisioning wish list
Subject: Grouper Developers Forum
List archive
- From: Nathan Kopp <>
- To: Grouper Dev <>
- Subject: RE: [grouper-dev] fyi : provisioning wish list
- Date: Tue, 13 Mar 2012 14:45:09 -0400
- Accept-language: en-US
- Acceptlanguage: en-US
If you're looking to capture password changes from AD, you could use
PasswdHk. It's the same basic technology that OIM uses.
http://passwdhk.sourceforge.net/
This is a DLL that installs into AD and can run any command-line program,
sending it all password changes. For more information about the concept of
how this DLL plugs into AD, search the web for "Active Directory Custom
Password Filter."
I'm not sure if this is triggered for any change, though. I think it's only
triggered for password changes, since the purpose of this AD extension point
was originally to enforce custom password policies.
-Nathan
-----Original Message-----
From:
[mailto:]
On Behalf Of Gagné Sébastien
Sent: Tuesday, March 13, 2012 1:28 PM
To: Tom Zeller
Cc: Grouper Dev
Subject: RE: [grouper-dev] fyi : provisioning wish list
I'm not totally sure about the AD changelog, but it seems we can get the
latest change by using the uSNChanged attribute. You'd have to save the
latest value and search for higher values. Oracle's AD connector for OIM
seems to be doing it that way, saving each new value for the next scheduler
run.
http://www.windowsitpro.com/article/tips/what-options-exist-for-tracking-active-directory-ad-changes-
http://support.microsoft.com/?kbid=891995
It seems that each LDAP would require its own connector to support changelog
import.
If someone really needed that feature, he could register a custom module in
AD the receive all change. It then could replicate them in Grouper using the
API or the Web Service. Oracle also does something like that where a module
captures password change in AD (before encryption) and sends them to OIM to
update its password.
-----Message d'origine-----
De :
[mailto:]
De la part de Tom Zeller
Envoyé : 9 mars 2012 16:27
À : Gagné Sébastien
Cc : Grouper Dev
Objet : Re: [grouper-dev] fyi : provisioning wish list
> We're looking into LDAP to Grouper synchronisation. As I see it there's two
> way of doing it (loader and psp); which one will be the future for Grouper
> ? Which one would you suggest ? Will both ways be supported or will one of
> them phase out ?
I have an action item to review the loader which might make for a good
comparison. We haven't talked about phasing anything out or dropping support,
especially since the psp has not even been released yet.
> I haven't seen how the PSP LDAP-to-Grouper works but does it do
> incremental/changelog provisioning also ? Or is it a cron based full sync
> (like the loader) ? I believe Active Directory has a changelog, could it
> eventually be used to import changes in Grouper ?
As of now, psp-ldap-to-grouper is cron based full sync. However, just as the
psp is triggered by the grouper changelog, it seems reasonable to trigger the
psp via an ldap changelog, e.g. an openldap audit log.
Do you know what the AD changelog looks like ? ldif ?
TomZ
- [grouper-dev] fyi : provisioning wish list, Tom Zeller, 03/08/2012
- RE: [grouper-dev] fyi : provisioning wish list, Gagné Sébastien, 03/09/2012
- RE: [grouper-dev] fyi : provisioning wish list, Chris Hyzer, 03/09/2012
- RE: [grouper-dev] fyi : provisioning wish list, Gagné Sébastien, 03/09/2012
- Re: [grouper-dev] fyi : provisioning wish list, Tom Zeller, 03/09/2012
- RE: [grouper-dev] fyi : provisioning wish list, Gagné Sébastien, 03/09/2012
- Re: [grouper-dev] fyi : provisioning wish list, Tom Zeller, 03/09/2012
- RE: [grouper-dev] fyi : provisioning wish list, Gagné Sébastien, 03/13/2012
- RE: [grouper-dev] fyi : provisioning wish list, Nathan Kopp, 03/13/2012
- Re: [grouper-dev] fyi : provisioning wish list, Colin Hudler, 03/13/2012
- RE: [grouper-dev] fyi : provisioning wish list, Gagné Sébastien, 03/13/2012
- RE: [grouper-dev] fyi : provisioning wish list, Chris Hyzer, 03/09/2012
- RE: [grouper-dev] fyi : provisioning wish list, Gagné Sébastien, 03/09/2012
Archive powered by MHonArc 2.6.16.