grouper-users - Re: [grouper-users] Provisioning group membership to AD
Subject: Grouper Users - Open Discussion List
- From: "Tom Zeller" <>
- Subject: Re: [grouper-users] Provisioning group membership to AD
- Date: Tue, 25 Nov 2008 20:30:54 -0600
Hi Ray,
We haven't seen any issues with removing non-alphanumeric characters from group names for sAMAccountName, e.g. we have groups like "Business & Finance" whose sAMAccountName is "BusinessFinance". However, there may just be a Windows admin somewhere on campus suffering dearly - but I haven't heard from them.
It might be nice if ldappc could pattern replace (s/://g) attribute values...
We opted to use displayExtension as cn (we enforce uniqueness external to Grouper), which I think ldappc doesn't allow. This may not have been the right choice; however, it made migration to using Grouper easy for us.
TomZ
On Tue, Nov 25, 2008 at 5:26 PM, <> wrote:
In trying to provision flat group membership to both LDAP and AD, it seems that the Grouper naming convention "stem:group" would fail when provisioning groups to the AD.
This looks like when AD auto-populates the "pre-Windows 2000" group name, or more specifically the sAMAccountName, and has no way of handling the ":". I was thinking of generating a converted group name and storing it as an attribute with the group, then when provisioning trying the "group-attribute-mapping" to work around this...
<group-attribute-mapping ldap-object-class="">
  <group-attribute-map group-attribute="groupsAMAccountNameConversion" ldap-attribute="sAMAccountName" />
</group-attribute-mapping>
This way, the AD group would still hold the correct CN in relation to Grouper... but I'm curious about what issues a non-matching pre-Windows 2000 name would create.
...but before I go barking up the wrong/right tree... has anyone else encountered something similar and had any success with other solutions?
TIA,
Ray W.
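
Added example (not part of the thread, and not ldappc or Grouper code): the character stripping described in the reply above, combined with a uniqueness check, because two distinct Grouper names can collapse to the same sAMAccountName and merge unrelated groups into one AD object. The function names, the `max_len` default and the sample group names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Strip everything except ASCII letters and digits, as in the
# "Business & Finance" -> "BusinessFinance" case described above.
_NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def to_sam_account_name(grouper_name, max_len=256):
    """Map a Grouper name such as 'stem:group' to a candidate sAMAccountName.

    max_len is an assumed limit; set it to what your directory enforces.
    """
    sam = _NON_ALNUM.sub("", grouper_name)[:max_len]
    if not sam:
        raise ValueError(f"{grouper_name!r} has no characters left after stripping")
    return sam


def find_collisions(grouper_names, max_len=256):
    """Return {sAMAccountName: [grouper names]} for every ambiguous mapping.

    AD compares sAMAccountName case-insensitively, so the key is case-folded.
    """
    by_sam = defaultdict(list)
    for name in grouper_names:
        by_sam[to_sam_account_name(name, max_len).casefold()].append(name)
    return {sam: names for sam, names in by_sam.items() if len(names) > 1}


def build_mapping(grouper_names, max_len=256):
    """Return {grouper name: sAMAccountName}, refusing ambiguous input."""
    collisions = find_collisions(grouper_names, max_len)
    if collisions:
        raise ValueError(f"ambiguous sAMAccountName mapping: {collisions}")
    return {n: to_sam_account_name(n, max_len) for n in grouper_names}


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    sample = ["finance:Business & Finance", "it:net:admins", "it:netadmins"]
    print(find_collisions(sample))
    print(build_mapping(sample[:2]))
```

Running the collision check over the full group list before each provisioning pass catches a newly created group that would shadow an existing one, and truncation to a shorter `max_len` is checked the same way.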