Grouper Users - Open Discussion List

[Tom Barton <>]

For completeness, the ldappc config snippet I gave assumed that Steve 
*knew* he wanted ou as the RDN. :-)

It's a little simpler if RDN is cn. Exercise left to the reader...

Tom

Kathryn Huxtable wrote:
> The RDN should be cn; the internal ones will be ou.
>
> Tom's comments are completely correct as well, though you don't 
> *absolutely* need a custom attribute. I would recommend one, though. We 
> used them at KU quite successfully, though not quite for the same purpose.
>
> -K
>
> On Jul 2, 2008, at 5:08 PM, Scott Koranda wrote:
>
> > Hi,
> >
> > > Did you really mean for the DN to be ou=s5, or should it have been 
> > > cn=s5?
> >
> > I was just reading off of the definition of "Bushy" in the
> > RFQ:
> >
> > Bushy - Each Grouper group's corresponding LDAP OU is
> > determined by the group's "stem" attribute. A group's stem
> > value is translated into a DN for the containing OU by
> > starting with a configured DN for the root of an LDAP OU
> > hierarchy containing group objects and using the stem elements
> > (delimited by ":" separator characters) to form successive
> > RDNs of OU down the hierarchy. If the identified LDAP group
> > entry does not exist, it is created by Auth2LDAP. If an LDAP
> > group exists in this OU that is not associated with a group in
> > the Groups Registry, it is deleted by Auth2LDAP. For example,
> > with a configured hierarchy root DN of
> > "ou=groups,dc=example,dc=edu", a Grouper group with stem
> > "fin_depts:44:550" will be located in the OU whose DN is
> > "ou=550,ou=44,ou=fin_depts,ou=groups,dc=example,dc=edu". The
> > RDN is to be formed using the group's "extension" attribute.
> >
> > Is the ou=550 a typo and this should be cn=550?
> >
> > What does ldappc actually do when it is configured to be
> > "bushy"? Does it create
> >
> > "ou=550,ou=44,ou=fin_depts,ou=groups,dc=example,dc=edu"
> >
> > or
> >
> > "cn=550,ou=44,ou=fin_depts,ou=groups,dc=example,dc=edu"
> >
> > cn would be fine for our uses...just curious.
> >
> > > If the latter, then yes, ldappc can do this. use the 
> > > group-members-name-list
> > > element in ldappc.xml as follows:
> > >
> > > <group-members-name-list list-object-class="posixGroup"
> > > list-attribute="memberUid">
> > >     <source-subject-name-mappings>
> > >         <source-subject-name-map source="MYSOURCE" 
> > > subject-attribute="uid"/>
> > >     </source-subject-name-mappings>
> > > </group-members-name-list>
> > >
> > > where MYSOURCE is the name of your source configuration in ldappc.xml 
> > > and
> > > uid is whatever the subject API uses for the attribute you're populating
> > > into memberUid.
> >
> > Thanks. I hope to try this early next week.
> >
> > > I'm going to include examples of this kind of usage in the next 
> > > version of
> > > Ldappc, so any suggestions along these lines are helpful.
> >
> > I think a "recipes" section with some examples would be quite
> > helpful. If I get our configuration going I will send in our
> > final configuration to be included if that would help.
> >
> > Cheers,
> >
> > Scott
> >
> > > -K
> > >
> > > On Jul 2, 2008, at 3:57 PM, Scott Koranda wrote:
> > >
> > > > Hi,
> > > >
> > > > Is anyone using Grouper and ldappc to manage posix groups in
> > > > LDAP?
> > > >
> > > > To be specific, suppose I want this group to appear in my
> > > > LDAP:
> > > >
> > > > dn: ou=s5,ou=data,ou=groups,dc=ligo,dc=org
> > > > objectClass: posixGroup
> > > > objectClass: top
> > > > cn: s5
> > > > gidNumber: 550
> > > > memberUid: jeff.minelli
> > > > memberUid: diego.menendez
> > > > memberUid: scott.koranda
> > > > memberUid: shannon.roddy
> > > > memberUid: warren.anderson
> > > >
> > > > Is the Grouper/ldappc combination capable of creating and
> > > > managing that posixGroup for us in our LDAP?
> > > >
> > > > If so, and anyone is doing something similar, would you mind
> > > > sharing your ldappc.xml configuration file?
> > > >
> > > > Sincerely,
> > > >
> > > > Scott