Grouper Users - Open Discussion List

[Tom Barton <>]

Tom Zeller wrote:
> Greetings,
>
> I'm experimenting with an LDAP adapter for person subjects. When I
> try to create a stem via
>
>  GrouperStem ns = GrouperStem.create(s, Grouper.NS_ROOT, "uMemphis");
>
> I get a runtime exception "This subject cannot create at root-level".
>
> I've modified grouper.properties so that member.system is no longer  
> GrouperSystem, but rather my LDAP person object.

As a sanity check, can your LDAP subject create that namespace using the 
GUI?

> Do I need to add GrouperSystem to LDAP and leave member.system =  
> GrouperSystem ? Do I need to modify my person adapter so that  
> GrouperSystem doesn't have to exist in LDAP ?

Blair can comment on the extent to which GrouperSystem remains "special" 
within the 0.6 release of the API. One workaround for now is to 
configure two 'person' subject sources - the JDBCSourceAdapter pointed 
at the Group Registry, and your LDAP one. Keep GrouperSystem in the 
former, just as it ships in the distribution.

In the 0.6 release it is necessary for all subjects, including 
GrouperSystem, to have 'description' and 'loginid' subject attributes in 
order the the GUI work properly. Any others are gravy, used to enhance 
searching. This is likely to change somewhat over the next 6-8 weeks or so.

> How do I tell Grouper that my LDAP person object has the appropriate  
> privilege ?

We're contemplating using a special group akin to the "wheel" group from 
BSD unix which would list the subjects that can act with the privilege 
of GropuerSystem. That is slated to make it into the 0.9 release.

Tom