
grouper-users - Re: [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Richard James <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Fri, 6 Aug 2010 09:23:53 -0500

What Source/Subject adapter are you using? Is it custom? If not
custom, posting your (sanitized) sources.xml will help.


On Fri, Aug 6, 2010 at 8:59 AM, Richard James
> Hi All,
> With some very much appreciated help from the community, we are able to
> successfully provision from grouper into our active directory, yet we do
> have an area which we would appreciate some advice on.
> Our current Grouper setup uses
> as the subject identifier, this is to ensure that our Grouper install is
> future proof if we begin to allow multi institutional federated access.
> The issue we encounter is that within the active directory, there are no
> attributes attached to a user object which use the
> scope. The attribute we would ideally like to be able to search is the
> sAMAccountName, which uses just the login id, without the To
> currently be able to find subjects in the AD, we are setting the subject
> 'name' attribute to be the login id so that we can use this in the
> ldap-search,
> <source-subject-identifiers>
>    <source-subject-identifier source="jdbc" subject-attribute="name">
>      <ldap-search
>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>        scope="onelevel_scope"
>        filter="(sAMAccountName={0})" />
>    </source-subject-identifier>
>  </source-subject-identifiers>
> What we are wondering is if there is any way to attach a custom attribute
> to the subject which we can define as sAMAccountName, and be able to use
> this in the LDAP search? Or alternatively be able to trim the
> from the ID for searching, similar to the process used for replacing colons
> for the sAMAccountName in the creation of a new group?
> Any hints or possible approaches would be very much appreciated.
> Regards
> Richard James
> ISS Middleware Team
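
The scope trimming asked about in the quoted message, as an added stand-alone example that is not part of the thread and is not Grouper or Ldappc code. It strips the scope only when it matches the local institution, so a federated subject from another scope can never resolve to a local sAMAccountName, and it escapes the value per RFC 4515 before substituting it into the posted filter. The scope `example.edu` and all function names are constructed placeholders, since the thread does not show the real scope.

```python
# Added illustration; not Grouper or Ldappc code.
LOCAL_SCOPE = "example.edu"               # constructed placeholder scope
FILTER_TEMPLATE = "(sAMAccountName={0})"  # filter from the posted configuration

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def local_login_id(subject_id: str, local_scope: str = LOCAL_SCOPE) -> str:
    """Return the unscoped login id, or raise ValueError.

    Only identifiers in the local scope are accepted: blindly dropping
    everything after '@' would map user@other-institution onto the local
    account with the same login id.
    """
    login, sep, scope = subject_id.rpartition("@")
    if not sep or not login:
        raise ValueError(f"not a scoped identifier: {subject_id!r}")
    if scope.lower() != local_scope.lower():
        raise ValueError(f"scope {scope!r} is not provisioned to this directory")
    if "@" in login:
        raise ValueError(f"ambiguous identifier: {subject_id!r}")
    return login


def build_filter(subject_id: str, template: str = FILTER_TEMPLATE) -> str:
    """Build the search filter for a scoped subject identifier."""
    login = local_login_id(subject_id)
    return template.replace("{0}", escape_filter_value(login))


if __name__ == "__main__":
    # Constructed sample identifiers.
    for sid in ("rjames@example.edu", "rjames@other.example.org", "rjames"):
        try:
            print(sid, "->", build_filter(sid))
        except ValueError as err:
            print(sid, "-> skipped:", err)
```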
