Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Very early stages of deploying groups in LDAP...

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Very early stages of deploying groups in LDAP...

Chronological Thread 
  • From: Tom Barton <>
  • To:
  • Subject: Re: [grouper-users] Very early stages of deploying groups in LDAP...
  • Date: Sat, 25 Sep 2010 14:43:53 -0500


I'll let Tom Zeller respond authoritatively about ways that grouper can
provision groups to LDAP, though briefly I'll note that

* group LDAP entries can be put in a single OU or maintained in a
hierarchy that mirrors their structure in grouper

* the RDNs of LDAP groups maintained by grouper are highly configurable

* group memberships can be provisioned as attribute values in LDAP
entries of members, whether or not the groups they belong to are also
provisioned as group entries in LDAP

U Chicago's group naming plan might provide a starting point for your
thoughts about naming:


On 9/24/2010 3:52 PM,

> For a few years now we've been using Oracle's LDAP (OID) product
> for authentication. It supports Oracle's own Single Sign-On
> product as well as a growing list of applications that directly
> use it for authentication.
> Because of some new applications, we are just now starting to see
> a need for implementing groups in our LDAP and anticipate that
> this need could quickly explode. So we are at the very beginning
> of planning how to deploy groups in our LDAP. Our first
> tentative step will be to try using Oracle's 'dynamic' group
> feature to create role groups based on role data we already have
> stored in the LDAP account entries as a custom attribute. It's a
> baby step.
> While I would like to see us adopt Grouper, as verses an Oracle
> solution, we're still a ways away from that decision point. In
> the meantime I have what I hope is a simple question. Does
> Grouper require or suggest a particular LDAP structure and/or
> group naming convention? I want to make sure we don't paint
> ourselves into a corner early on, so we can keep our options open
> for as long as possible.
> Also, if anybody has a group naming convention that they are
> particularly proud of, I'd love to hear all about it! :-)
> ...BC

Archive powered by MHonArc 2.6.16.

Top of Page