grouper-users - Re: [grouper-users] Provisioning attributes with LDAPpc

Subject: Grouper Users - Open Discussion List

Re: [grouper-users] Provisioning attributes with LDAPpc

  • From: Tom Zeller <>
  • To: "Cramton, James" <>
  • Cc: Grouper Users Mailing List <>
  • Subject: Re: [grouper-users] Provisioning attributes with LDAPpc
  • Date: Mon, 22 Jun 2009 09:36:23 -0500

1.4 ldappc doesn't have any new attribute provisioning features. As always, you can map a grouper attribute to an ldap attribute, but you can't resolve the subject of a custom list member to an ldap dn (I assume you want to provision the owner of a group as a dn).

The ability to provision a single member of a list or privilege, like "owners", would be nice for Active Directory's managedBy attribute.

I don't have an ETA regarding attribute provisioning using shibboleth's attribute resolver. We could roll this out in phases, though.

I'm going through some attribute provisioning scenarios on paper, e.g. eduCourseMember (thanks Tim from Arizona), and find myself needing to access grouper data from shibboleth in more complicated ways than a sourceAttributeID. I started cooking up some xml, and remembered on the last grouper-dev call that we might want to access grouper via the API or WS during provisioning, so I'm looking at incorporating grouper-ws rest xml in data connectors used by shib. I have to get up to speed with grouper-ws.

Are you willing to share your custom code for provisioning attributes? How does your approach compare to the shibboleth attribute resolver?


On Mon, Jun 22, 2009 at 6:12 AM, Cramton, James <> wrote:

Greetings, folks,


My apologies for being out of the loop at a critical time in Grouper 1.4’s development. But I need clarification on the current capabilities of LDAPpc WRT provisioning group attributes from Grouper into LDAP. We have a use case where a Sympa mailing list or a Bedework calendar group needs to know a primary owner of a group. In the case of course groups, the logical choice might be an instructor group, except those groups tend to have multiple members, and that does not work well in the applications. We are weighing the benefits of creating an “owner” or “primary instructor” group vs. storing owner/primary instructor information in an attribute of the group in both Grouper and LDAP. We lean towards an attribute, because our custom LDAP provisioning code has good support for provisioning group attributes into LDAP. But we want to get back into the LDAPpc fold, so we want to be sure LDAPpc will support this functionality.


What are options for provisioning Grouper attributes into LDAP using the 1.4 version of LDAPpc? I’ve seen chatter about support for this functionality via the attribute resolver in 1.5. What is the anticipated ETA for that?




James Cramton
Lead Programmer/Analyst
Brown University

