Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] LDAP groups in sources.xml

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] LDAP groups in sources.xml

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Shilen Patel <>, Gagné Sébastien <>, Gasperowicz Jérémy <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] LDAP groups in sources.xml
  • Date: Wed, 30 Jan 2013 20:24:30 +0000
  • Accept-language: en-US

Just so everyone is clear as to the reasoning here... groups can be chained
together as members and/or composites of arbitrary length. These groups can
be added as privileges also, and all these effective memberships and
permissions need to be able to be queried in one query for Grouper to
function (e.g. show me all the groups I am a member of that I have privileges
to read). If Grouper had to go to external sources to resolve memberships
along the way, the performance would be too slow. So if you want an external
group, it needs to be synced to be a group in Grouper.

Its possible in the future that a group could be a special group where it is
dynamic and could be queried via WS (e.g. is this person a member, or list
the members), which would do the background ldap query, but it wouldn't be
able to be added to other groups or privileges... is that what you are
looking for?


-----Original Message-----

On Behalf Of Shilen Patel
Sent: Wednesday, January 30, 2013 11:40 AM
To: Gagné Sébastien; Gasperowicz Jérémy

Subject: Re: [grouper-users] LDAP groups in sources.xml

I think if you do that, you may be able to treat LDAP groups as entities
that can be added as members of Grouper groups, but that may not produce
the desired result since the LDAP groups wouldn't really be treated as
groups with *members*. For instance, viewing the members of a Grouper
group that contains the LDAP group as a member wouldn't show the indirect
memberships. Also, if a member gets added to the LDAP group and new
indirect memberships are effectively created, then Grouper wouldn't send
out notifications since it wouldn't have known about the LDAP update.


-- Shilen

On 1/30/13 10:39 AM, "Gagné Sébastien"

>To understand correctly you want to have a Grouper Group which the
>members are users and/or groups from the ldap ?
>I'm not sure if "<type>person</type>" does anything
>What I would check is that your LDAP groups have subject ID with this
>part (maybe CN in your case) :
> <param-name>SubjectID_AttributeType</param-name>
> <param-value>sAMAccountName</param-value>
> </init-param>
>And that the searches have filters that can see groups, something like :
> <param-value>
> </param-value>
>If I'm not clear we can always talk in French if you prefer ;~)
>-----Message d'origine-----
>De :
> De la part de Gasperowicz
>Envoyé : 30 janvier 2013 10:30
>À : Shilen Patel
>Cc :
>Objet : Re: [grouper-users] LDAP groups in sources.xml
>I want to reference a group which exists in LDAP as a group in grouper
>without to sync with loader LDAP. In sources.xml, with
><type>person</type>, a LDAP group is taken such a member, not a group
>with his own members, that's the problem. I thought <type>group</type>
>could solve this with a direct connection to ou=groups
>Le 30/01/2013 15:58, Shilen Patel a écrit :
>> Hi,
>> Are you trying to reference a group in Grouper that's sourced out of
>> LDAP instead of locally in Grouper's database? I think you'll want to
>> sync the group from LDAP to Grouper using the Grouper loader or PSP.
>> If I'm misunderstanding, can you elaborate on your use case?
>> Thanks!
>> -- Shilen
>> On 1/29/13 4:46 AM, "Gasperowicz Jérémy"
>> <>
>> wrote:
>>> Hi,
>>> I've tried to add a JNDI group resolver in order to add members from
>>> a group in the LDAP but doesn't work, i've the error : Cant find
>>> group by
>>> uuid: 2IIGAC211
>>> Is it possible to add members directly from LDAP group without
>>> retrieve this group in grouper, with a JNDI group resolver
>>> (<type>group</type>) and if it is, how ?
>>> Thanks a lot,
>>> Jérémy Gasperowicz

Archive powered by MHonArc 2.6.16.

Top of Page