grouper-users - Re: [grouper-users] Provisioning to AD via ldappc
Subject: Grouper Users - Open Discussion List
List archive
- From: Tom Zeller <>
- To:
- Cc: Grouper Users Mailing List <>
- Subject: Re: [grouper-users] Provisioning to AD via ldappc
- Date: Fri, 1 May 2009 10:10:38 -0500
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; b=nzYLzo3SQCJmepnQvWfii2Xu6WYOp5zm2v2bFtItJC1mybzfKbisf0cn6+4JQXLHSD eJ7MtD7yUtPNzzfcT7OPhChXawhLtHPyLXxQewyPegsZxX+XrgIw4kWfw1SkrD5zo1yW RkpqyfFbNp3HThC+bznkP6MCFt5D5pQLvrDhk=
I have a few questions about provisioning to AD using ldappc.
* Are people currently provisioning to AD with ldappc?
* If so, flat or bushy?
* If bushy, how is the uniqueness of the group name ensured?
* Are groups deleted in Grouper deleted in AD during provisioning or is
this prevented in AD to allow for some more caution deletion to take
place?
Without a built-in notion of disabled, deactivated, or expired, as there is with user objects in AD, it seems we would have to create our own way of gracefully deleting groups. A reasonably common approach is an attribute based ACL, however, my local AD admins have expressed uncertainty regarding potential effects on built-in applications. We're open to ideas or success stories. I assume that caution is desirable when deleting groups in order to preserve SIDs when recovering from accidental deletions.
I have had a look at
https://wiki.internet2.edu/confluence/display/GrouperWG/LDAPPC+Next
+Steps
but was wondering what the current status is.
We're still gathering feedback regarding priorities of desired features. I'm interested in what happened at the I2 meeting in DC this week. I also need to update the wiki :-)
TomZ
- Re: [grouper-users] Provisioning to AD via ldappc, Tom Zeller, 05/01/2009
Archive powered by MHonArc 2.6.16.