
grouper-users - Re: [grouper-users] Provisioning group membership to AD

Subject: Grouper Users - Open Discussion List

  • From: "Tom Zeller" <>
  • Subject: Re: [grouper-users] Provisioning group membership to AD
  • Date: Tue, 25 Nov 2008 20:30:54 -0600

Hi Ray,

We haven't seen any issues with removing non-alpha-numeric characters from group names for sAMAccountName, e.g. we have groups like "Business & Finance" whose sAMAccountName is "BusinessFinance". However, there may just be a Windows admin somewhere on campus suffering dearly - but I haven't heard from them.

It might be nice if ldappc could pattern replace (s/://g) attribute values...

We opted to use displayExtension as cn (we enforce uniqueness external to Grouper), which I think ldappc doesn't allow. This may not have been the right choice; however, it made migration to using Grouper easy for us.

TomZ

On Tue, Nov 25, 2008 at 5:26 PM, <> wrote:
In trying to provision flat group membership to both LDAP and AD it seems that the Grouper naming convention "stem:group" would fail when provisioning groups to the AD.

This looks like when AD auto-populates the "pre windows2000" group name, or more specifically the sAMAccountName, and has no way of handling the ":". I was thinking of generating a converted group name and storing it as an attribute with the group, then when provisioning trying the "group-attribute-mapping" to work around this...

<group-attribute-mapping ldap-object-class="">
 <group-attribute-map group-attribute="groupsAMAccountNameConversion" ldap-attribute="sAMAccountName" />
</group-attribute-mapping>

This way, the AD group would still hold the correct CN in relation to Grouper... but I'm curious what issues a non-matching pre-Windows 2000 name would create.

...but before I go barking up the wrong/right tree... has anyone else encountered something similar and had any success with other solutions?

TIA,
Ray W.
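
Both approaches in this thread (stripping non-alphanumeric characters, or storing a precomputed converted name as a group attribute) can map two different Grouper names onto the same sAMAccountName, and two groups landing on one AD group means merged membership. The Python sketch below is an added example, not part of the original messages and not ldappc code; the function names, the sample group names and the MAX_LEN value are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: set this to the length limit that applies in your directory.
MAX_LEN = 256


def to_sam_account_name(grouper_name, max_len=MAX_LEN):
    """Drop every character that is not an ASCII letter or digit, then truncate."""
    return re.sub(r"[^A-Za-z0-9]", "", grouper_name)[:max_len]


def plan_sam_names(grouper_names, max_len=MAX_LEN):
    """Return (mapping, problems) for a batch of Grouper group names.

    mapping  : grouper name -> sAMAccountName, only for names safe to provision
    problems : grouper name -> reason the name must be resolved by hand first
    """
    by_sam = defaultdict(list)
    problems = {}
    for name in grouper_names:
        sam = to_sam_account_name(name, max_len)
        if not sam:
            problems[name] = "empty after stripping"
            continue
        # AD matches sAMAccountName case-insensitively, so compare lowercased.
        by_sam[sam.lower()].append((name, sam))

    mapping = {}
    for entries in by_sam.values():
        if len(entries) == 1:
            name, sam = entries[0]
            mapping[name] = sam
            continue
        for name, _ in entries:
            others = sorted(n for n, _ in entries if n != name)
            problems[name] = "collides with: " + ", ".join(others)
    return mapping, problems


# Constructed sample names, not taken from any real Grouper registry.
SAMPLE = ["hr:staff", "it:net-admins", "it:netadmins",
          "fin:Business & Finance", "FIN:BusinessFinance", ":::"]

if __name__ == "__main__":
    ok, bad = plan_sam_names(SAMPLE)
    for name, sam in sorted(ok.items()):
        print(f"OK    {name!r} -> {sam!r}")
    for name, why in sorted(bad.items()):
        print(f"HOLD  {name!r}: {why}")
```

Running the check over the full list of group names before each provisioning pass keeps a colliding or empty name from ever reaching AD.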



