Skip to Content.
Sympa Menu

grouper-users - Expected behaviors for provisioning

Subject: Grouper Users - Open Discussion List

List archive

Expected behaviors for provisioning

Chronological Thread 
  • From: Raymond D Walker <>
  • To: "" <>
  • Subject: Expected behaviors for provisioning
  • Date: Mon, 19 Oct 2009 10:16:47 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US

I have three queries concerning provisioning groups:

-Provisioning groups and membership back to the source where members
were sourced from (SunOne LDAP in our case,) obviously works fine
since all members "exist". For our attempt at enterprise groups
rollout, we are also provisioning to Active Directory (via running a
second LDAPPC,) where some group members originally sourced from LDAP
do not necessarily exist in Active Directory. The behavior we see is
the provisioner failing when trying to add a non-existend AD user to a
group provisioned to AD. We've modified some of the code to
essentially "ignore" this, but thought it was an appropriate topic to
bring up. Is there a different way to be doing this which would avert
code modifications?

-Our Active Directory environment consists of two sub-OU's (faculty/
staff & student domains) where some persons play dual roles, and
therefore have two accounts with the same uid under both domains. We
experienced an issue with adding these people to provisioned
enterprise groups as they would be found as "duplicates" and thus halt
the provisioner with an error. The intended outcome would be to have
any and all accounts be added to these provisioned enterprise groups.
Our workaround has been to modify the lookup code and allow for
multiple users to be looked up and then provisioned into the group.

-Ability to attribute multiple object classes to provisioned groups.
Unless I missed how this could be done, I did not see any ability to
do this.

Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University

Archive powered by MHonArc 2.6.16.

Top of Page