grouper-users - Re: [grouper-users] Expected behaviors for provisioning
Subject: Grouper Users - Open Discussion List
List archive
- From: Raymond D Walker <>
- To: Tom Zeller <>
- Cc: "" <>
- Subject: Re: [grouper-users] Expected behaviors for provisioning
- Date: Tue, 20 Oct 2009 14:49:14 -0700
- Accept-language: en-US
- Acceptlanguage: en-US
On Oct 20, 2009, at 1:52 PM, Tom Zeller wrote:
>>> -Ability to attribute multiple object classes to provisioned groups.
>>> Unless I missed how this could be done, I did not see any ability to
>>> do this.
>
> Could you explain further please ?
Bear with my explanation... ;)
Currently we have a custom "groups" object class (nauEduManagedGroup)
in our LDAP implementation that is not based off of posixGroup but
rather groupOfUniqueNames. Since we do similar work with our LDAP
groups as we do with our "Enterprise groups" (grouper provisioned
groups) we've decided to stick with the custom class. We also plan on
making our grouper provisioned "enterprise groups" also be posixGroups
(for upcoming NSS functionality) therefore we run into an issue of
what the provisioned group's objectclass will be. Options are:
A: Create a new subclass of posixGroup that copy our attribute tree
from our custom group object class and use that as our provisioned
object class. This solution is a 'fudge' of sorts... as if anything
were dependent on the old objectclass, issues would arise... I've
checked most of our code that deals with this and find that we can
overcome any complications. Though not optimal, it's doable.
B: We could go the other route and include the only required
posixGroup attribute "gidnumber" as an optional attribute on our
custom object class, but I'm pretty sure NSS checks object class type.
Most likely not an option.
C: Have the ability to apply multiple object classes to provisioned
groups. Most graceful option that doesn't yet exist.
> Do you want multiple object classes to support multiple
> <group-attribute-map> elements ?
Yes, I was thinking of different ways this could be accomplished...
<group-attribute-mapping ldap-object-class="nauEduManagedGroup">
<group-attribute-map
group-attribute="description"
ldap-attribute="description"
/>
<group-attribute-map
group-attribute="nauEduFilter"
ldap-attribute="nauEduGroupFilter"
/>
</group-attribute-mapping>
<group-attribute-mapping ldap-object-class="posixGroup">
<group-attribute-map
group-attribute="nauEduGidNumber"
ldap-attribute="gidnumber"
/>
</group-attribute-mapping>
OR...
<group-attribute-mapping
ldap-object-class="nauEduManagedGroup"
ldap-object-class="posixGroup" >
<group-attribute-map
group-attribute="description"
ldap-attribute="description"
/>
<group-attribute-map
group-attribute="nauEduFilter"
ldap-attribute="nauEduGroupFilter"
/>
<group-attribute-map
group-attribute="nauEduGidNumber"
ldap-attribute="gidnumber"
/>
</group-attribute-mapping>
-Ray Walker
- Expected behaviors for provisioning, Raymond D Walker, 10/19/2009
- Re: [grouper-users] Expected behaviors for provisioning, Tom Zeller, 10/19/2009
- Re: [grouper-users] Expected behaviors for provisioning, Tom Zeller, 10/20/2009
- Re: [grouper-users] Expected behaviors for provisioning, Raymond D Walker, 10/20/2009
- Re: [grouper-users] Expected behaviors for provisioning, Tom Zeller, 10/21/2009
- Re: [grouper-users] Expected behaviors for provisioning, Raymond D Walker, 10/20/2009
- Re: [grouper-users] Expected behaviors for provisioning, Raymond D Walker, 10/20/2009
- Re: [grouper-users] Expected behaviors for provisioning, Tom Zeller, 10/21/2009
- Re: [grouper-users] Expected behaviors for provisioning, Tom Zeller, 10/20/2009
- Re: [grouper-users] Expected behaviors for provisioning, Tom Zeller, 10/19/2009
Archive powered by MHonArc 2.6.16.