Grouper Users - Open Discussion List

[Gasperowicz Jérémy <>]

Hi,

Ok, thanks everybody for all your explanations.

Its possible in the future that a group could be a special group where it is 
dynamic and could be queried via WS (e.g. is this person a member, or list 
the members), which would do the background ldap query, but it wouldn't be 
able to be added to other groups or privileges...  is that what you are 
looking for?

Exactly

If I'm not clear we can always talk in French if you prefer ;~)

C'est très clair Sébastien, donc actuellement, j'ai :

<init-param>
<param-name>SubjectID_AttributeType</param-name>
<param-value>cn</param-value>
</init-param>
<param>
<param-name>filter</param-name>
<param-value>
            (&amp; (cn=%TERM%) (objectclass=groupOfNames))
</param-value>
</param>

et en fait quand j'ai <type>person</type>, le groupe LDAP est ajouté en 
tant que membre direct, mais ses membres (visibles dans les détails du 
groupe) ne sont pas listés en tant qu'membres indirects. Je croyais donc 
qu'avec <type>group</type>, le groupe LDAP aurait été bien référencé en 
tant que groupe et ses membres, listés en tant que membres indirects 
avec une requête vers le LDAP quand on interroge le groupe mais ça 
marche pas. Pour l'instant, je suis obligé de rapatrier les groupes LDAP 
dans grouper et les synchroniser une fois par jour pour pouvoir les 
ajouter à des groupes crées dans Grouper, ce qui nous pose également des 
problèmes de performances, du fait du grand nombre de groupes notamment 
et des doublons que cela engendre.

Thanks,
Merci,
Jérémy Gasperowicz

Le 30/01/2013 21:24, Chris Hyzer a écrit :
> Just so everyone is clear as to the reasoning here... groups can be chained 
> together as members and/or composites of arbitrary length.  These groups can 
> be added as privileges also, and all these effective memberships and 
> permissions need to be able to be queried in one query for Grouper to 
> function (e.g. show me all the groups I am a member of that I have privileges 
> to read).  If Grouper had to go to external sources to resolve memberships 
> along the way, the performance would be too slow.  So if you want an external 
> group, it needs to be synced to be a group in Grouper.
>
> Its possible in the future that a group could be a special group where it is 
> dynamic and could be queried via WS (e.g. is this person a member, or list 
> the members), which would do the background ldap query, but it wouldn't be 
> able to be added to other groups or privileges...  is that what you are 
> looking for?
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: 
>
>  
> [mailto:]
>  On Behalf Of Shilen Patel
> Sent: Wednesday, January 30, 2013 11:40 AM
> To: Gagné Sébastien; Gasperowicz Jérémy
> Cc: 
>
> Subject: Re: [grouper-users] LDAP groups in sources.xml
>
> I think if you do that, you may be able to treat LDAP groups as entities
> that can be added as members of Grouper groups, but that may not produce
> the desired result since the LDAP groups wouldn't really be treated as
> groups with *members*.  For instance, viewing the members of a Grouper
> group that contains the LDAP group as a member wouldn't show the indirect
> memberships.  Also, if a member gets added to the LDAP group and new
> indirect memberships are effectively created, then Grouper wouldn't send
> out notifications since it wouldn't have known about the LDAP update.
>
> Thanks!
>
> -- Shilen
>
>
>
>
> On 1/30/13 10:39 AM, "Gagné 
> Sébastien"<>
> wrote:
>
> > To understand correctly you want to have a Grouper Group which the
> > members are users and/or groups from the ldap ?
> >
> > I'm not sure if "<type>person</type>" does anything
> >
> > What I would check is that your LDAP groups have subject ID with this
> > part (maybe CN in your case) :
> > <init-param>
> >       <param-name>SubjectID_AttributeType</param-name>
> >       <param-value>sAMAccountName</param-value>
> >     </init-param>
> >
> >
> > And that the searches have filters that can see groups, something like :
> >
> > <param-name>filter</param-name>
> >             <param-value>
> >
> > (&amp;(sAMAccountName=%TERM%)(|(objectclass=user)(objectclass=group)))
> >             </param-value>
> >
> > If I'm not clear we can always talk in French if you prefer ;~)
> >
> > -----Message d'origine-----
> > De : 
> >
> > [mailto:]
> >  De la part de Gasperowicz
> > Jérémy
> > Envoyé : 30 janvier 2013 10:30
> > À : Shilen Patel
> > Cc : 
> >
> > Objet : Re: [grouper-users] LDAP groups in sources.xml
> >
> > Hi,
> >
> > I want to reference a group which exists in LDAP as a group in grouper
> > without to sync with loader LDAP. In sources.xml, with
> > <type>person</type>, a LDAP group is taken such a member, not a group
> > with his own members, that's the problem. I thought<type>group</type>
> > could solve this with a direct connection to ou=groups
> >
> > Thanks
> >
> > Le 30/01/2013 15:58, Shilen Patel a écrit :
> > > Hi,
> > >
> > > Are you trying to reference a group in Grouper that's sourced out of
> > > LDAP instead of locally in Grouper's database?  I think you'll want to
> > > sync the group from LDAP to Grouper using the Grouper loader or PSP.
> > > If I'm misunderstanding, can you elaborate on your use case?
> > >
> > > Thanks!
> > >
> > > -- Shilen
> > >
> > > On 1/29/13 4:46 AM, "Gasperowicz Jérémy"
> > > <>
> > >    wrote:
> > >
> > > > Hi,
> > > >
> > > > I've tried to add a JNDI group resolver in order to add members from
> > > > a group in the LDAP but doesn't work, i've the error : Cant find
> > > > group by
> > > > uuid: 2IIGAC211
> > > > Is it possible to add members directly from LDAP group without
> > > > retrieve this group in grouper, with a JNDI group resolver
> > > > (<type>group</type>) and if it is, how ?
> > > >
> > > > Thanks a lot,
> > > >
> > > > Jérémy Gasperowicz