
grouper-users - RE: [grouper-users] Is it possible to provision to both LDAP and AD using PSP?

Subject: Grouper Users - Open Discussion List

  • From: "Bryan E. Wooten" <>
  • To: Gagné Sébastien <>, "" <>
  • Subject: RE: [grouper-users] Is it possible to provision to both LDAP and AD using PSP?
  • Date: Wed, 27 Feb 2013 16:58:36 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport07.merit.edu; dkim=neutral (message not signed) header.i=none

Thanks for the DataConnector filter tip. I am just getting my head around what all the config options are and what they really mean.

 

-Bryan

 

From: Gagné Sébastien [mailto:]
Sent: Wednesday, February 27, 2013 9:51 AM
To: Bryan E. Wooten;
Subject: RE: [grouper-users] Is it possible to provision to both LDAP and AD using PSP?

 

I’m really interested in this too since it will be our situation soon: we are provisioning to AD and will have to add a second LDAP target.

 

What is your subject ID? I believe the PSP does a lookup in the target to find the subject to get the full DN, so if you have two different searches (one for LDAP, one for AD) each would return the proper object, but looking at the openldap-multiple example I can’t find it.

 

Another thing to take into consideration is if your directories have a different user set.

 

As for the difference between openldap and AD, this might be due to doing things differently. The AD version won’t autosync many attributes and I believe the openldap one uses less script attributes.

 

Are all the groups under the same stem, or would AD groups be in a different stem than LDAP groups? If they are separate you can have a filter in the GroupDataConnector that will check only a specific stem. Maybe there are other filter options that I’m not aware of. You would have something like:

 

  <!-- Restrict this connector to groups under the AD stem -->
  <resolver:DataConnector
    id="GroupDataConnectorForAD"
    xsi:type="grouper:GroupDataConnector">
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="ADGroupStem"
        scope="SUB" />
  </resolver:DataConnector>

  <!-- Restrict this connector to groups under the LDAP stem -->
  <resolver:DataConnector
    id="GroupDataConnectorForLDAP"
    xsi:type="grouper:GroupDataConnector">
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="LDAPGroupStem"
        scope="SUB" />
  </resolver:DataConnector>

 

 

From: [] On behalf of Bryan E. Wooten
Sent: 27 February 2013 11:34
To:
Subject: [grouper-users] Is it possible to provision to both LDAP and AD using PSP?

 

I was following the psp-example-grouper-to-openldap-multiple in hopes of modifying the example to provision LDAP and AD.

 

But then I realized that my subject ID source was LDAP and the DN for a person (unid=u0000001,ou=people,o=Utah.edu) would not make any sense for AD, where the DN for a person is cn=u0000001,ou=people,dc=Utah,dc=edu.

 

So it seems I need to add AD as a subject source.

 

Then I realized I don’t understand how to control (via the Web UI) which groups created in Grouper are provisioned to AD and which groups are provisioned to LDAP.

 

I also noticed that the psp-resolver in psp-example-grouper-to-active-directory is significantly different than the grouper-to-openldap version. Looking at the diffs I am not sure I really understand why.

 

Anyway, has anyone successfully configured Grouper to provision both LDAP and AD using the PSP?

 

Thanks,

 

Bryan



