Grouper Developers Forum

[David Langenberg <>]

Hi David,

Yes, your approach should work just fine.

Dave

On Thu, Sep 25, 2014 at 4:55 PM, David Vezzani <> wrote:

My current assignment is to use Grouper to synchronize group memberships between an LDAP and an Active Directory (AD).  Even though AD is very much like an LDAP, it is not.  What's more we don't have control over making changes to AD because we are using the Microsoft Cloud.

We want to be able to use a single tool to handle group management and make those groups available via LDAP and AD.  The AD server we are using does not support dynamic groups to the degree that we need, so we plan on including DN values explicitly for each group.  Our LDAP does support dynamic groups, which we are currently using.

Some applications connect to LDAP while others must connect to AD. We need a solution that handles the following:

1. AD groups are provisioned with explicit lists of DN values
2. LDAP DN values differ slightly from AD DN values and will require a transformation from “uid=dvezzani,...” to “cn=dvezzani,...”

In order to achieve this goal, we plan on primarily using the grouper-loader to pull in DN values from LDAP and psp to provision groups to AD using the transformed DN values.

LDAP and AD subjects are being populated by separate means, but they both contain the same logical set of subjects. Is this the right approach to accomplish our goals?  

See http://lowly-tech.blogspot.com/2014/09/using-grouper-to-synchronize-ldap-with.html for diagrams.

David Vezzani

(c) 209-756-9688

(o) 209-228-4516

--
David Langenberg

Identity & Access Management

The University of Chicago