Grouper Users - Open Discussion List

[Tom Barton <>]

Bill,

I'll let Tom Zeller respond authoritatively about ways that grouper can
provision groups to LDAP, though briefly I'll note that

* group LDAP entries can be put in a single OU or maintained in a
hierarchy that mirrors their structure in grouper

* the RDNs of LDAP groups maintained by grouper are highly configurable

* group memberships can be provisioned as attribute values in LDAP
entries of members, whether or not the groups they belong to are also
provisioned as group entries in LDAP

U Chicago's group naming plan might provide a starting point for your
thoughts about naming:

https://wiki.uchicago.edu/display/idm/Group+Names

Tom

On 9/24/2010 3:52 PM, 

 wrote:
> For a few years now we've been using Oracle's LDAP (OID) product
> for authentication.  It supports Oracle's own Single Sign-On
> product as well as a growing list of applications that directly
> use it for authentication.
> 
> Because of some new applications, we are just now starting to see
> a need for implementing groups in our LDAP and anticipate that
> this need could quickly explode.  So we are at the very beginning
> of planning how to deploy groups in our LDAP.  Our first
> tentative step will be to try using Oracle's 'dynamic' group
> feature to create role groups based on role data we already have
> stored in the LDAP account entries as a custom attribute.  It's a
> baby step.
> 
> While I would like to see us adopt Grouper, as verses an Oracle
> solution, we're still a ways away from that decision point.  In
> the meantime I have what I hope is a simple question.  Does
> Grouper require or suggest a particular LDAP structure and/or
> group naming convention?  I want to make sure we don't paint
> ourselves into a corner early on, so we can keep our options open
> for as long as possible.
> 
> Also, if anybody has a group naming convention that they are
> particularly proud of, I'd love to hear all about it!  :-)
> 
>                                                     ...BC
>