
grouper-users - Re: [grouper-users] RE: Globally unique extension/identifier in Grouper

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Chris Hyzer <>
  • Cc: Gagné Sébastien <>, "" <>
  • Subject: Re: [grouper-users] RE: Globally unique extension/identifier in Grouper
  • Date: Fri, 20 Jan 2012 19:08:12 -0600

I thought you (Chris) wrote a uniqueness-mandater, but I only found
the attribute validator in grouper.properties:

#Attach a regex validator by attribute name
#group.attribute.validator.attributeName.0=extension
#group.attribute.validator.regex.0=^[a-zA-Z0-9]+$

The Memphis stuff, which predated hooks, queried our person registry
and LDAP and Active Directory and Grouper (but ignored Postfix) for
name uniqueness. I thought about including all namespace sources in
Grouper for uniqueness checking, but decided against it because I did
not want the overhead during Grouper membership operations.

So, no hook.

TomZ

2012/1/20 Chris Hyzer <>:
> Yes, that is possible, I think Memphis did this (at least with group
> names), right TomZ?  Do you have the hook that made that possible?  If not
> we can add a new one…
>
> You can make sure no group extensions are the same as other extensions or
> subject ids, and then I assume when you create subjects you make sure there
> is not another group with that extension…
>
>
>
> Thanks,
>
> Chris
>
>
>
>
>
> From: On Behalf Of Gagné Sébastien
> Sent: Thursday, January 19, 2012 2:40 PM
> To:
> Subject: [grouper-users] Globally unique extension/identifier in Grouper
>
>
>
> Hi again,
>
> We have a requirement here that Groups should have their sAMAccountName
> equal to their CN. LDAPPCNG was configured to provision the sAMAccountName
> attribute to Groups in our Active Directory using the Extension attribute.
> We are using a bushy DN structure so we cannot have stem1:stem2:GroupName as
> the CN or sAMAccountName.
>
>
>
> This configuration causes problems because two groups can have the same
> extension (ID in the UI) if they are in different stems. In that case their
> name (ID Path in UI) will be different:
>
> - Name: stem1:groupABC, extension: groupABC
>
> - Name: stem2:groupABC, extension: groupABC
>
>
>
> When trying to provision something like that to AD grouper will receive an
> error code from AD (LDAP: error code 68, ENTRY_EXISTS) since both of them
> will have “sAMAccountName=groupABC” even if they are in different OUs. This
> is also a problem if a group has the same ID as an AD user (sAMAccountName
> is our Subject ID).
>
>
>
> My question (or request) is: is it possible for Grouper to enforce a
> unique group extension throughout all of its stems and maybe even including
> the SubjectIDs?
>
>
>
> I’m glad we have naming conventions here, but you never know when someone
> might manually create a conflicting entry
>
>
>
> Thank you
>
>
>
>
>
> Sébastien Gagné,     | Analyste en informatique
>
> 514-343-6111 x33844  | Université de Montréal,
>
>                      | Pavillon Roger-Gaudry, local X-100-11
>
>
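
The collision described in this thread can be audited before provisioning. The sketch below is an added example, not part of the original messages and not Grouper or LDAPPCNG code: it applies the regex from the quoted grouper.properties validator to show that per-attribute validation passes both groups, then reports every sAMAccountName value claimed by more than one group extension or subject ID. The function names, the sample data and the case-insensitive comparison are assumptions.

```python
import re
from collections import defaultdict

# Regex from the commented-out grouper.properties validator quoted above.
EXTENSION_REGEX = re.compile(r"^[a-zA-Z0-9]+$")


def extension_of(group_name):
    """The extension is the last colon-separated segment of the group name."""
    return group_name.rsplit(":", 1)[-1]


def find_collisions(group_names, subject_ids):
    """Return {account_name: [owners]} for each value claimed more than once.

    Assumption: names are compared case-insensitively, so keys are casefolded.
    """
    owners = defaultdict(list)
    for sid in subject_ids:
        owners[sid.casefold()].append("subject:" + sid)
    for name in group_names:
        owners[extension_of(name).casefold()].append("group:" + name)
    return {k: v for k, v in owners.items() if len(v) > 1}


def invalid_extensions(group_names):
    """Groups whose extension fails the per-attribute regex validator."""
    return [n for n in group_names
            if not EXTENSION_REGEX.match(extension_of(n))]


# Constructed sample data, not taken from a real registry.
GROUPS = ["stem1:groupABC", "stem2:groupABC", "stem1:sub:staff", "stem2:jdoe"]
SUBJECTS = ["jdoe", "asmith"]

if __name__ == "__main__":
    # Every extension passes the regex, yet two account names still collide.
    print("fails regex:", invalid_extensions(GROUPS))
    collisions = find_collisions(GROUPS, SUBJECTS)
    for account, claimed_by in sorted(collisions.items()):
        print(f"sAMAccountName={account} claimed by {claimed_by}")
```

Run against an export of group names and subject IDs, this kind of check surfaces conflicts that would otherwise appear only as LDAP error 68 at provisioning time.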


