
grouper-users - RE: [grouper-users] eduMember objectclass definition

Subject: Grouper Users - Open Discussion List

  • From: "Klug, Lawrence" <>
  • To: Keith Hazelton <>, "" <>
  • Cc: mace-dir <>
  • Subject: RE: [grouper-users] eduMember objectclass definition
  • Date: Fri, 8 Jun 2012 17:47:33 +0000
  • Accept-language: en-US

Hi Keith,

I have a possibly naïve response to your initial question. Are OIDs
typically used in LDAP schema for identifiers? I've seen them used in
Shibboleth configuration files, and that makes sense since Shibboleth
typically traverses federations. I spoke with one of our architects and he
wasn't sure about this. Let's keep the conversation going...

Thanks,

Lawrence

-----Original Message-----
From: Keith Hazelton [mailto:]
Sent: Tuesday, June 05, 2012 12:11 PM
To: Klug, Lawrence;
Cc: mace-dir
Subject: Re: [grouper-users] eduMember objectclass definition

Lawrence,

Sometimes coincidence is spooky. I just had an exchange of emails with Tom
Zeller about this issue earlier today, and it was the first time I had
thought about it in a long time.


We could revive that draft, which is still on the shelf, though a little
dusty. There are counter-arguments having to do with the need to support both
eduIsMemberOf and isMemberOf, and distinguish them with different OIDs. I'd
like to see a little discussion on the Grouper and MACE-Dir mailing lists
before going ahead.


One perhaps naive starter question from me: Since the isMemberOf attribute
has a unique OID, 1.3.6.1.4.1.5923.1.5.1.1, does it really matter what name
you associate with it in your LDAP schema? I believe that you could give it a
custom name in your directory, and as long as the OID is as above, nothing
bad happens. If you are expressing group memberships in federated contexts,
then there is a SAML profile for how to do this. Again, no impact on your
internal directory schema. Am I missing something?


--Keith


-----
On the eduMember object class and the isMemberOf and hasMember attributes,
see:


http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html
and
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-group-membership-200507.html
______________
On 06/05/12, "Klug, Lawrence" wrote:
>
> Hi,
>
> We recently upgraded to OUD for our enterprise directory. Unfortunately,
> the eduMember attribute isMemberOf has a name conflict with a system
> attribute name. Our workaround has been a custom objectclass.
>
> I'm wondering if others in the community have faced this issue and
> what solutions they have used.
>
> There was a new draft on eduMember some time ago where this issue is
> addressed.
>
> isMemberOf changes name to eduIsMemberOf and hasMember changes name to
> eduHasMember.
>
> https://spaces.internet2.edu/download/attachments/2309/eduMember-201108-draft-00.html
>
> Has this been finalized?
>
> Thanks,
>
> Lawrence Klug
> IMS Platform Development
> 310 825-2061
> ext 52061


