Subject: Grouper Users - Open Discussion List
Re: [grouper-dev] ldappc provisioning permission information about groups
- From: Tom Barton <>
- To: Allen Chen <>
- Cc: grouper-dev <>, Grouper Users <>
- Subject: Re: [grouper-dev] ldappc provisioning permission information about groups
- Date: Sat, 29 Dec 2007 11:10:31 -0600

<CCing grouper-users, where this question best belongs.>

Ldappc provisions permissions for all subject types using the same LDAP
schema, so to use the stored-as=string method you'll need to endow your
LDAP group entries with an appropriate objectclass (like eduPerson). If
I recall correctly, if you declare a 'string-object-class' value, then
ldappc will attempt to add that value to the entry's 'objectclass'
attribute if it is missing. If so, then you can use an auxiliary
objectclass containing a permissions-listing attribute (like eduPerson
containing eduPersonEntitlement) so that subjects' LDAP entries need
have no prior permissions-related objectclass.

Allen Chen wrote:
> I have a question, if I authorize a group some privileges, how can I
> provision the permission information about the group to ldap?
> The following configuration is copied from comanage recommended config:
> <permissions-listing stored-as="string"
> string-prefix="urn:mace:internet2-nlr.edu:permission" />
> <subsystem id="i2nlr" />
> <function id="" />
> But if I want to deal with the permission of a group, what's the
> correct configuration?
> I know the group in signet is also treated as a
> subject. Should those attributes in ldappc.xml be changed? Such as
> string-object-class, string-attribute?
> And since I haven't succeeded in provisioning group permissions into
> LDAP, I want to know how the permission of a group is presented in LDAP. Is the
> permission of a group in the attributes of the group entry?