Skip to Content.
Sympa Menu

grouper-dev - [grouper-dev] are we using loader and psp correctly

Subject: Grouper Developers Forum

List archive

[grouper-dev] are we using loader and psp correctly

Chronological Thread 
  • From: David Vezzani <>
  • To: "" <>
  • Subject: [grouper-dev] are we using loader and psp correctly
  • Date: Thu, 25 Sep 2014 22:55:58 +0000
  • Accept-language: en-US

My current assignment is to use Grouper to synchronize group memberships between an LDAP and an Active Directory (AD).  Even though AD is very much like an LDAP, it is not.  What's more we don't have control over making changes to AD because we are using the Microsoft Cloud.

We want to be able to use a single tool to handle group management and make those groups available via LDAP and AD.  The AD server we are using does not support dynamic groups to the degree that we need, so we plan on including DN values explicitly for each group.  Our LDAP does support dynamic groups, which we are currently using.

Some applications connect to LDAP while others must connect to AD. We need a solution that handles the following:

  1. AD groups are provisioned with explicit lists of DN values
  2. LDAP DN values differ slightly from AD DN values and will require a transformation from “uid=dvezzani,...” to “cn=dvezzani,...”

In order to achieve this goal, we plan on primarily using the grouper-loader to pull in DN values from LDAP and psp to provision groups to AD using the transformed DN values.

LDAP and AD subjects are being populated by separate means, but they both contain the same logical set of subjects. Is this the right approach to accomplish our goals?  

David Vezzani
(c) 209-756-9688
(o) 209-228-4516

Archive powered by MHonArc 2.6.16.

Top of Page