
grouper-users - [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Richard James <>
  • To: "" <>
  • Subject: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Fri, 6 Aug 2010 14:59:29 +0100
  • Accept-language: en-US, en-GB

Hi All,

With some very much appreciated help from the community, we are able to
successfully provision from Grouper into our Active Directory, yet we do have
an area which we would appreciate some advice on.

Our current Grouper setup uses

as the subject identifier; this is to ensure that our Grouper install is
future-proof if we begin to allow multi-institutional federated access.

The issue we encounter is that within the Active Directory, there are no
attributes attached to a user object which use the

scope. The attribute we would ideally like to be able to search is the
sAMAccountName, which uses just the login id, without the To
currently be able to find subjects in the AD, we are setting the subject
'name' attribute to be the login id so that we can use this in the

<source-subject-identifier source="jdbc" subject-attribute="name">
filter="(sAMAccountName={0})" />

What we are wondering is if there is any way to attach a custom attribute to
the subject which we can define as sAMAccountName, and be able to use this in
the LDAP search? Or alternatively be able to trim the from the ID
for searching, similar to the process used for replacing colons for the
sAMAccountName in the creation of a new group?

Any hints or possible approaches would be very much appreciated.


Richard James
ISS Middleware Team
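
Added example, not part of the original message and not Grouper or ldappc code: one way to derive the sAMAccountName search value from a scoped subject identifier before it is substituted into the `(sAMAccountName={0})` filter. It assumes the identifier has the form `login@scope` (the archive has stripped the actual value); the function names, the sample scope and the character allow-list are hypothetical. The scope is checked rather than discarded, because under federated access two institutions can issue the same login id.

```python
# Added example: constructed values, not Grouper or ldappc code.
import re

# RFC 4515: characters that must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}

# Assumption: site policy restricts login ids to this conservative set.
_LOGIN_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")

FILTER_TEMPLATE = "(sAMAccountName={0})"  # filter quoted in the message


def escape_filter_value(value):
    """Escape a string for use as an LDAP search filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_from_scoped_id(subject_id, expected_scope):
    """Return the login part of 'login@scope', rejecting any other scope."""
    login, sep, scope = subject_id.rpartition("@")
    if not sep:
        raise ValueError("subject id has no scope")
    if scope.lower() != expected_scope.lower():
        # A foreign-scoped subject must never resolve to a local AD account.
        raise ValueError("scope %r is not provisioned to this directory" % scope)
    if not _LOGIN_RE.fullmatch(login):
        raise ValueError("login part is not a valid account name")
    return login


def ad_search_filter(subject_id, expected_scope):
    """Build the AD search filter for one scoped subject identifier."""
    login = login_from_scoped_id(subject_id, expected_scope)
    # Escaping is kept as a second layer in case the allow-list is loosened.
    return FILTER_TEMPLATE.format(escape_filter_value(login))


if __name__ == "__main__":
    # Constructed sample identifiers.
    print(ad_search_filter("rjames@example.ac.uk", "example.ac.uk"))
    for bad in ("rjames@other.example.org", "rjames", "x*)(cn=*@example.ac.uk"):
        try:
            ad_search_filter(bad, "example.ac.uk")
        except ValueError as err:
            print("rejected:", bad, "->", err)
```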
