
grouper-users - Re: [grouper-users] Expected behaviors for provisioning

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Raymond D Walker <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Expected behaviors for provisioning
  • Date: Wed, 21 Oct 2009 06:07:12 -0500

Please see response below.

On Tue, Oct 20, 2009 at 4:49 PM, Raymond D Walker wrote:
> On Oct 20, 2009, at 1:52 PM, Tom Zeller wrote:
>
>>>> -Ability to attribute multiple object classes to provisioned groups.
>>>> Unless I missed how this could be done, I did not see any ability to
>>>> do this.
>>
>> Could you explain further please ?
>
> Bear with my explanation... ;)
>
> Currently we have a custom "groups" object class (nauEduManagedGroup)
> in our LDAP implementation that is not based off of posixGroup but
> rather groupOfUniqueNames. Since we do similar work with our LDAP
> groups as we do with our "Enterprise groups" (grouper provisioned
> groups) we've decided to stick with the custom class. We also plan on
> making our grouper provisioned "enterprise groups" also be posixGroups
> (for upcoming NSS functionality) therefore we run into an issue of
> what the provisioned group's objectclass will be. Options are:
>
> A: Create a new subclass of posixGroup that copies our attribute tree
> from our custom group object class and use that as our provisioned
> object class. This solution is a 'fudge' of sorts... as if anything
> were dependent on the old objectclass, issues would arise... I've
> checked most of our code that deals with this and find that we can
> overcome any complications. Though not optimal, it's doable.
>
> B: We could go the other route and include the only required
> posixGroup attribute "gidnumber" as an optional attribute on our
> custom object class, but I'm pretty sure NSS checks object class type.
> Most likely not an option.
>
> C: Have the ability to apply multiple object classes to provisioned
> groups. Most graceful option that doesn't yet exist.
>
>> Do you want multiple object classes to support multiple
>> <group-attribute-map> elements ?
>
> Yes, I was thinking of different ways this could be accomplished...
>
> <group-attribute-mapping ldap-object-class="nauEduManagedGroup">
>  <group-attribute-map
>     group-attribute="description"
>     ldap-attribute="description"
>     />
>  <group-attribute-map
>     group-attribute="nauEduFilter"
>     ldap-attribute="nauEduGroupFilter"
>     />
> </group-attribute-mapping>
>
> <group-attribute-mapping ldap-object-class="posixGroup">
>  <group-attribute-map
>     group-attribute="nauEduGidNumber"
>     ldap-attribute="gidnumber"
>     />
> </group-attribute-mapping>
>
> OR...
>
> <group-attribute-mapping
>    ldap-object-class="nauEduManagedGroup"
>    ldap-object-class="posixGroup" >
>  <group-attribute-map
>     group-attribute="description"
>     ldap-attribute="description"
>     />
>  <group-attribute-map
>     group-attribute="nauEduFilter"
>     ldap-attribute="nauEduGroupFilter"
>     />
>  <group-attribute-map
>     group-attribute="nauEduGidNumber"
>     ldap-attribute="gidnumber"
>     />
> </group-attribute-mapping>
>
> -Ray Walker

I ended up implementing ldap-object-class as a whitespace-separated
list of objectclasses, so you should be good to go for 1.5.0.

<group-attribute-mapping
   ldap-object-class="nauEduManagedGroup posixGroup" >
 <group-attribute-map
    group-attribute="description"
    ldap-attribute="description"
    />
 <group-attribute-map
    group-attribute="nauEduFilter"
    ldap-attribute="nauEduGroupFilter"
    />
 <group-attribute-map
    group-attribute="nauEduGidNumber"
    ldap-attribute="gidnumber"
    />
</group-attribute-mapping>
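
A pre-flight check for the whitespace-separated ldap-object-class list described in the reply above, as an added example that is not part of the original message or of Grouper's own code: it reports mapped LDAP attributes that none of the listed object classes permits, which a directory would reject as an object class violation at provisioning time. The names check_mapping and SCHEMA are hypothetical, and the attribute set given for nauEduManagedGroup is an assumption based on the thread.

```python
import xml.etree.ElementTree as ET

# Attributes each object class permits, lowercased (LDAP names are
# case-insensitive). posixGroup follows RFC 2307; the nauEduManagedGroup
# entry is an assumption pieced together from the thread.
SCHEMA = {
    "posixgroup": {"cn", "gidnumber", "memberuid", "userpassword", "description"},
    "nauedumanagedgroup": {"cn", "uniquemember", "description", "nauedugroupfilter"},
}

def check_mapping(xml_text, schema=SCHEMA):
    """Return (classes, unknown_classes, orphan_attrs) for one mapping element."""
    root = ET.fromstring(xml_text)
    # 1.5.0 syntax from the thread: one attribute, whitespace-separated names.
    classes = root.get("ldap-object-class", "").split()
    unknown = [oc for oc in classes if oc.lower() not in schema]
    allowed = set()
    for oc in classes:
        allowed |= schema.get(oc.lower(), set())
    orphans = []
    for m in root.iter("group-attribute-map"):
        attr = m.get("ldap-attribute", "")
        if attr.lower() not in allowed:
            orphans.append(attr)
    return classes, unknown, orphans

# Constructed sample input, modelled on the configuration in the thread.
MAPS = """
  <group-attribute-map group-attribute="description" ldap-attribute="description"/>
  <group-attribute-map group-attribute="nauEduFilter" ldap-attribute="nauEduGroupFilter"/>
  <group-attribute-map group-attribute="nauEduGidNumber" ldap-attribute="gidnumber"/>
"""
BOTH = ('<group-attribute-mapping ldap-object-class="nauEduManagedGroup posixGroup">'
        + MAPS + "</group-attribute-mapping>")
ONE = ('<group-attribute-mapping ldap-object-class="nauEduManagedGroup">'
       + MAPS + "</group-attribute-mapping>")

if __name__ == "__main__":
    for label, cfg in (("both classes", BOTH), ("custom class only", ONE)):
        classes, unknown, orphans = check_mapping(cfg)
        print(f"{label}: classes={classes} unknown={unknown} orphans={orphans}")
```

Object classes missing from SCHEMA come back in the second element, so their attributes can be reviewed by hand rather than silently treated as invalid.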


