grouper-users - RE: [grouper-users] Is it possible to provision to both LDAP and AD using PSP?
Subject: Grouper Users - Open Discussion List
- From: Gagné Sébastien <>
- To: "Bryan E. Wooten" <>, <>
- Subject: RE: [grouper-users] Is it possible to provision to both LDAP and AD using PSP?
- Date: Wed, 27 Feb 2013 11:51:06 -0500
- Authentication-results: sfpop-ironport05.merit.edu; dkim=neutral (message not signed) header.i=none
I’m really interested in this too since it will be our situation soon: we are provisioning to AD and will have to add a second LDAP target.

What is your subject ID? I believe the PSP does a lookup in the target to find the subject to get the full DN, so if you have two different searches (one for LDAP, one for AD) it would each return the proper object, but looking at the openldap-multiple example I can’t find it. Another thing to take into consideration is if your directories have a different user set.

As for the difference between openldap and AD, this might be due to doing things differently. The AD version won’t autosync many attributes and I believe the openldap one uses fewer script attributes.

Are all the groups under the same stem or would AD groups be in a different one than LDAP groups? If they are separate you can have a filter in the GroupDataConnector that will check only a specific stem. Maybe there are other filter options that I’m not aware of. You would have something like:

    <resolver:DataConnector id="GroupDataConnectorForAD" xsi:type="grouper:GroupDataConnector">
        <grouper:Filter xsi:type="grouper:GroupInStem" name="ADGroupStem" scope="SUB" />
    </resolver:DataConnector>

    <resolver:DataConnector id="GroupDataConnectorForLDAP" xsi:type="grouper:GroupDataConnector">
        <grouper:Filter xsi:type="grouper:GroupInStem" name="LDAPGroupStem" scope="SUB" />
    </resolver:DataConnector>

From: [mailto:] On behalf of Bryan E. Wooten

I was following the psp-example-grouper-to-openldap-multiple in hopes of modifying the example to provision LDAP and AD.

But then I realized that my subject ID source was LDAP and the DN for a person (unid=u0000001,ou=people,o=Utah.edu) would not make any sense for AD, where the DN for a person is cn=u0000001,ou=people,dc=Utah,dc=edu.

So it seems I need to add AD as a subject source. Then I realized I don’t understand how to control (via the Web UI) which groups created in Grouper are provisioned to AD and which groups are provisioned to LDAP.

I also noticed that the psp-resolver in psp-example-grouper-to-active-directory is significantly different than the grouper-to-openldap version. Looking at the diffs I am not sure I really understand why.

Anyway, has anyone successfully configured Grouper to provision both LDAP and AD using the PSP?

Thanks,

Bryan
- [grouper-users] Is it possible to provision to both LDAP and AD using PSP?, Bryan E. Wooten, 02/27/2013
- <Possible follow-up(s)>
- RE: [grouper-users] Is it possible to provision to both LDAP and AD using PSP?, Gagné Sébastien, 02/27/2013
- RE: [grouper-users] Is it possible to provision to both LDAP and AD using PSP?, Bryan E. Wooten, 02/27/2013