Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] are we using loader and psp correctly

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] are we using loader and psp correctly


Chronological Thread 
  • From: David Vezzani <>
  • To: David Langenberg <>
  • Cc: "" <>
  • Subject: Re: [grouper-dev] are we using loader and psp correctly
  • Date: Fri, 26 Sep 2014 22:31:55 +0000
  • Accept-language: en-US
David,

The examples for using the psp tool in much of the documentation and videos use GSH to update grouper with changes before manually kicking off the psp tool.  We want to use the grouper-loader to pull in changes and then use the psp tool in turn to pass those changes along to the target ldap.

Is the only way to get changes queued up for the psp via the GSH tool?  Or can the psp tool also pickup updates that happen after the grouper-loader runs?

David Vezzani
(c) 209-756-9688
(o) 209-228-4516



On Sep 26, 2014, at 1:30 PM, David Langenberg <> wrote:

Hi David,

Yes, your approach should work just fine.

Dave

On Thu, Sep 25, 2014 at 4:55 PM, David Vezzani <> wrote:

My current assignment is to use Grouper to synchronize group memberships between an LDAP and an Active Directory (AD).  Even though AD is very much like an LDAP, it is not.  What's more we don't have control over making changes to AD because we are using the Microsoft Cloud.

We want to be able to use a single tool to handle group management and make those groups available via LDAP and AD.  The AD server we are using does not support dynamic groups to the degree that we need, so we plan on including DN values explicitly for each group.  Our LDAP does support dynamic groups, which we are currently using.

Some applications connect to LDAP while others must connect to AD. We need a solution that handles the following:

  1. AD groups are provisioned with explicit lists of DN values
  2. LDAP DN values differ slightly from AD DN values and will require a transformation from “uid=dvezzani,...” to “cn=dvezzani,...”

In order to achieve this goal, we plan on primarily using the grouper-loader to pull in DN values from LDAP and psp to provision groups to AD using the transformed DN values.

LDAP and AD subjects are being populated by separate means, but they both contain the same logical set of subjects. Is this the right approach to accomplish our goals?  


David Vezzani






--
David Langenberg
Identity & Access Management
The University of Chicago


Archive powered by MHonArc 2.6.16.

Top of Page