Grouper Users - Open Discussion List

[Richard James <>]

Hi All, 

With some very much appreciated help from the community, we are able to 
successfully provision from grouper into our active directory, yet we do have 
an area which we would appreciate some advice on. 

Our current Grouper setup uses 

 as the subject identifier, this is to ensure that our Grouper install is 
future proof if we begin to allow multi institutional federated access. 

The issue we encounter is that within the active directory, there are no 
attributes attached to a user object which use the 

 scope. The attribute we would ideally like to be able to search is the 
sAMAccountName, which uses just the login id, without the @ncl.ac.uk. To 
currently be able to find subjects in the AD, we are setting the subject 
'name' attribute to be the login id so that we can use this is the 
ldap-search, 

<source-subject-identifiers>
    <source-subject-identifier source="jdbc" subject-attribute="name">
      <ldap-search
        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
        scope="onelevel_scope"
        filter="(sAMAccountName={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

What we are wondering is if there is any way to attach a custom attribute to 
the subject which we can define as sAMAccountName, and be able to use this in 
the LDAP search? Or alternatively be able to trim the @ncl.ac.uk from the ID 
for searching, similar to the process used for replacing colons for the 
sAMAccountName in the creation of a new group?

Any hints or possible approaches would be very much appreciated.

Regards

Richard James
ISS Middleware Team