Grouper Users - Open Discussion List

[Tom Barton <>]

Thanks - that's an interesting use case. It makes me wonder if it's best 
to retask grouper's security for another purpose, ie, whether adding new 
semantics to what READ or ADMIN mean, outside of grouper, might 
eventually suffer from conflicting interests. If you think that might 
become a problem, you could create a custom group type and add list-type 
attributes to that group type in which you list those Subjects to have 
corresponding privileges in your uPortal administration application.

To provision this info into LDAP would still require an enhancement to 
Ldappc - it can add string attribute "decorations" to an LDAP group, but 
not list attributes.

In addition, there would need to be an LDAP objectclass created that 
contains the appropriate attributes in which to list Subjects from those 
lists. Have you already created one?

There's a completely different approach that might be feasible in your 
context, and that's to have your uPortal administration application 
access the groups database directly using grouper's web services, 
cutting out the LDAP-provisioning step completely, at least as that 
would provision the info of who's been delegated which uPortal 
administrative privileges.

Tom

Arnaud Deman wrote:
> We are deploying an adaptation of uPortal in a multi-establishments 
> context. Actually the need is for an application developped here wich 
> allows to  delegate some administrations tasks (for instance, a local 
> administrator could have to reset the passwords for a group of 
> students). I think we will have this need also for channels/portlet 
> faily quicly. I am thinking about calendar's applications for instance.
>
> Arnaud.
>
> Tom Barton a écrit :
> > I see. So applications using ldap would implement appropriate group 
> > security, not the ldap DSA itself.
> >
> > Are there any particular applications you have in mind that would use 
> > grouper security info from ldap?
> >
> > Tom
> >
> > Arnaud Deman wrote:
> > > Hi Tom,
> > >
> > > For exemple, for the read privilege, we would like to have in the 
> > > groups entries the attributes reader for the readers' dn and 
> > > hasReader for their id. Ideally we would also like to have the 
> > > attribute isReaderOf for the subject entry. It would be te same idea 
> > > for the admin privilege.
> > >
> > > Arnaud.
> > >
> > >
> > > Tom Barton a écrit :
> > > > Ldappc does not have that capability, but I'm curious about how 
> > > > you'd want that info to appear in your ldap directory. What, 
> > > > precisely, would you want Ldappc to do? Maybe it can be arranged...
> > > >
> > > > Tom
> > > >
> > > > Arnaud Deman wrote:
> > > > > Hi,
> > > > >
> > > > > We are using Grouper and Ldappc and we wondered if there is a way 
> > > > > to provision the privileges (i.e. admin, read, etc.). We don't use 
> > > > > Signet for now.
> > > > >
> > > > > Thanks,
> > > > > Arnaud.