
grouper-users - Re: [grouper-users] Ldappc and Grouper privileges

Subject: Grouper Users - Open Discussion List

  • From: Tom Barton <>
  • To:
  • Cc:
  • Subject: Re: [grouper-users] Ldappc and Grouper privileges
  • Date: Thu, 20 Nov 2008 09:18:54 -0600

Thanks - that's an interesting use case. It makes me wonder if it's best to retask grouper's security for another purpose, i.e., whether adding new semantics to what READ or ADMIN mean, outside of grouper, might eventually suffer from conflicting interests. If you think that might become a problem, you could create a custom group type and add list-type attributes to that group type in which you list those Subjects to have corresponding privileges in your uPortal administration application.

To provision this info into LDAP would still require an enhancement to Ldappc - it can add string attribute "decorations" to an LDAP group, but not list attributes.

In addition, there would need to be an LDAP objectclass created that contains the appropriate attributes in which to list Subjects from those lists. Have you already created one?

There's a completely different approach that might be feasible in your context, and that's to have your uPortal administration application access the groups database directly using grouper's web services, cutting out the LDAP-provisioning step completely, at least as that would provision the info of who's been delegated which uPortal administrative privileges.


Arnaud Deman wrote:
We are deploying an adaptation of uPortal in a multi-establishment context. Actually the need is for an application developed here which allows delegating some administration tasks (for instance, a local administrator could have to reset the passwords for a group of students). I think we will have this need also for channels/portlets fairly quickly. I am thinking about calendar applications, for instance.


Tom Barton wrote:
I see. So applications using ldap would implement appropriate group security, not the ldap DSA itself.

Are there any particular applications you have in mind that would use grouper security info from ldap?


Arnaud Deman wrote:
Hi Tom,

For example, for the read privilege, we would like to have in the group entries the attributes reader for the readers' DN and hasReader for their ID. Ideally we would also like to have the attribute isReaderOf for the subject entry. It would be the same idea for the admin privilege.


Tom Barton wrote:
Ldappc does not have that capability, but I'm curious about how you'd want that info to appear in your ldap directory. What, precisely, would you want Ldappc to do? Maybe it can be arranged...


Arnaud Deman wrote:

We are using Grouper and Ldappc and we wondered if there is a way to provision the privileges (i.e. admin, read, etc.). We don't use Signet for now.

