Grouper Users - Open Discussion List

[Chris Hyzer <>]

Just so everyone is clear as to the reasoning here... groups can be chained 
together as members and/or composites of arbitrary length.  These groups can 
be added as privileges also, and all these effective memberships and 
permissions need to be able to be queried in one query for Grouper to 
function (e.g. show me all the groups I am a member of that I have privileges 
to read).  If Grouper had to go to external sources to resolve memberships 
along the way, the performance would be too slow.  So if you want an external 
group, it needs to be synced to be a group in Grouper.

Its possible in the future that a group could be a special group where it is 
dynamic and could be queried via WS (e.g. is this person a member, or list 
the members), which would do the background ldap query, but it wouldn't be 
able to be added to other groups or privileges...  is that what you are 
looking for?

Thanks,
Chris

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Shilen Patel
Sent: Wednesday, January 30, 2013 11:40 AM
To: Gagné Sébastien; Gasperowicz Jérémy
Cc: 

Subject: Re: [grouper-users] LDAP groups in sources.xml

I think if you do that, you may be able to treat LDAP groups as entities
that can be added as members of Grouper groups, but that may not produce
the desired result since the LDAP groups wouldn't really be treated as
groups with *members*.  For instance, viewing the members of a Grouper
group that contains the LDAP group as a member wouldn't show the indirect
memberships.  Also, if a member gets added to the LDAP group and new
indirect memberships are effectively created, then Grouper wouldn't send
out notifications since it wouldn't have known about the LDAP update.

Thanks!

-- Shilen




On 1/30/13 10:39 AM, "Gagné Sébastien" 
<>
wrote:

>To understand correctly you want to have a Grouper Group which the
>members are users and/or groups from the ldap ?
>
>I'm not sure if "<type>person</type>" does anything
>
>What I would check is that your LDAP groups have subject ID with this
>part (maybe CN in your case) :
><init-param>
>      <param-name>SubjectID_AttributeType</param-name>
>      <param-value>sAMAccountName</param-value>
>    </init-param>
>
>
>And that the searches have filters that can see groups, something like :
>
><param-name>filter</param-name>
>            <param-value>
>                
>(&amp;(sAMAccountName=%TERM%)(|(objectclass=user)(objectclass=group)))
>            </param-value>
>
>If I'm not clear we can always talk in French if you prefer ;~)
>
>-----Message d'origine-----
>De : 
>
>[mailto:]
> De la part de Gasperowicz
>Jérémy
>Envoyé : 30 janvier 2013 10:30
>À : Shilen Patel
>Cc : 
>
>Objet : Re: [grouper-users] LDAP groups in sources.xml
>
>Hi,
>
>I want to reference a group which exists in LDAP as a group in grouper
>without to sync with loader LDAP. In sources.xml, with
><type>person</type>, a LDAP group is taken such a member, not a group
>with his own members, that's the problem. I thought <type>group</type>
>could solve this with a direct connection to ou=groups
>
>Thanks
>
>Le 30/01/2013 15:58, Shilen Patel a écrit :
>> Hi,
>>
>> Are you trying to reference a group in Grouper that's sourced out of
>> LDAP instead of locally in Grouper's database?  I think you'll want to
>> sync the group from LDAP to Grouper using the Grouper loader or PSP.
>> If I'm misunderstanding, can you elaborate on your use case?
>>
>> Thanks!
>>
>> -- Shilen
>>
>> On 1/29/13 4:46 AM, "Gasperowicz Jérémy"
>> <>
>>   wrote:
>>
>>> Hi,
>>>
>>> I've tried to add a JNDI group resolver in order to add members from
>>> a group in the LDAP but doesn't work, i've the error : Cant find
>>> group by
>>> uuid: 2IIGAC211
>>> Is it possible to add members directly from LDAP group without
>>> retrieve this group in grouper, with a JNDI group resolver
>>> (<type>group</type>) and if it is, how ?
>>>
>>> Thanks a lot,
>>>
>>> Jérémy Gasperowicz
>