
grouper-users - Re: [grouper-users] using Grouper and ldappc to manage posix groups

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda <>
  • To: Kathryn Huxtable <>
  • Cc:
  • Subject: Re: [grouper-users] using Grouper and ldappc to manage posix groups
  • Date: Wed, 2 Jul 2008 17:08:27 -0500

Hi,

> Did you really mean for the DN to be ou=s5, or should it have been cn=s5?

I was just reading off of the definition of "Bushy" in the
RFQ:

Bushy - Each Grouper group's corresponding LDAP OU is
determined by the group's "stem" attribute. A group's stem
value is translated into a DN for the containing OU by
starting with a configured DN for the root of an LDAP OU
hierarchy containing group objects and using the stem elements
(delimited by ":" separator characters) to form successive
RDNs of OU down the hierarchy. If the identified LDAP group
entry does not exist, it is created by Auth2LDAP. If an LDAP
group exists in this OU that is not associated with a group in
the Groups Registry, it is deleted by Auth2LDAP. For example,
with a configured hierarchy root DN of
"ou=groups,dc=example,dc=edu", a Grouper group with stem
"fin_depts:44:550" will be located in the OU whose DN is
"ou=550,ou=44,ou=fin_depts,ou=groups,dc=example,dc=edu". The
RDN is to be formed using the group's "extension" attribute.

Is the ou=550 a typo and this should be cn=550?

What does ldappc actually do when it is configured to be
"bushy"? Does it create

"ou=550,ou=44,ou=fin_depts,ou=groups,dc=example,dc=edu"

or

"cn=550,ou=44,ou=fin_depts,ou=groups,dc=example,dc=edu"

cn would be fine for our uses...just curious.

>
> If the latter, then yes, ldappc can do this. Use the group-members-name-list
> element in ldappc.xml as follows:
>
> <group-members-name-list list-object-class="posixGroup"
>                          list-attribute="memberUid">
>   <source-subject-name-mappings>
>     <source-subject-name-map source="MYSOURCE"
>                              subject-attribute="uid"/>
>   </source-subject-name-mappings>
> </group-members-name-list>
>
> where MYSOURCE is the name of your source configuration in ldappc.xml and
> uid is whatever the subject API uses for the attribute you're populating
> into memberUid.

Thanks. I hope to try this early next week.

>
> I'm going to include examples of this kind of usage in the next version of
> Ldappc, so any suggestions along these lines are helpful.

I think a "recipes" section with some examples would be quite
helpful. If I get our configuration going I will send in our
final configuration to be included if that would help.

Cheers,

Scott

>
> -K
>
> On Jul 2, 2008, at 3:57 PM, Scott Koranda wrote:
>
> > Hi,
> >
> > Is anyone using Grouper and ldappc to manage posix groups in
> > LDAP?
> >
> > To be specific, suppose I want this group to appear in my
> > LDAP:
> >
> > dn: ou=s5,ou=data,ou=groups,dc=ligo,dc=org
> > objectClass: posixGroup
> > objectClass: top
> > cn: s5
> > gidNumber: 550
> > memberUid: jeff.minelli
> > memberUid: diego.menendez
> > memberUid: scott.koranda
> > memberUid: shannon.roddy
> > memberUid: warren.anderson
> >
> > Is the Grouper/ldappc combination capable of creating and
> > managing that posixGroup for us in our LDAP?
> >
> > If so, and anyone is doing something similar, would you mind
> > sharing your ldappc.xml configuration file?
> >
> > Sincerely,
> >
> > Scott
> >
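
The "bushy" stem-to-DN translation quoted from the RFQ above, as an added Python sketch; it is not part of the original thread and is not ldappc or Auth2LDAP code. The function names and the `rdn_attr` parameter (which leaves the ou/cn question from the thread open) are assumptions, and values are escaped per RFC 4514 so that a stem element or extension containing DN special characters stays inside a single RDN.

```python
# Added illustration of the RFQ's "bushy" mapping; all names are hypothetical.
_SPECIAL = set('"+,;<>\\')  # characters RFC 4514 requires escaping anywhere


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN string (RFC 4514 2.4)."""
    if not value:
        raise ValueError("empty RDN value (empty stem element or extension)")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' must be escaped
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading or trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def bushy_ou_dn(stem: str, root_dn: str) -> str:
    """DN of the OU that holds groups with this stem.

    Stem elements are split on ':' and become successive ou= RDNs below
    root_dn, so the last stem element ends up as the left-most RDN.
    """
    rdns = ["ou=" + escape_rdn_value(e) for e in reversed(stem.split(":"))]
    return ",".join(rdns + [root_dn])


def bushy_group_dn(stem: str, extension: str, root_dn: str,
                   rdn_attr: str = "cn") -> str:
    """DN of the group entry; its RDN value is the group's extension.

    rdn_attr is an assumption: the thread asks whether it is ou or cn.
    """
    return f"{rdn_attr}={escape_rdn_value(extension)},{bushy_ou_dn(stem, root_dn)}"


if __name__ == "__main__":
    # The RFQ's own example stem and root DN.
    print(bushy_ou_dn("fin_depts:44:550", "ou=groups,dc=example,dc=edu"))
    # The group from the original question (stem "data", extension "s5").
    print(bushy_group_dn("data", "s5", "ou=groups,dc=ligo,dc=org"))
```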


