Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Design question

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Design question

Chronological Thread 
  • From: Tom Barton <>
  • To:
  • Subject: Re: [grouper-users] Design question
  • Date: Sat, 02 Mar 2013 18:10:10 -0600
  • Authentication-results:; dkim=neutral (message not signed) header.i=none


At UChicago we selectively provision some groups to LDAP and some to AD. There is only a little overlap between them. Furthermore, many groups are not pushed out to either, or to anywhere else, for a variety of reasons. The general principle we try to follow in this is to put the info where it is needed, but only there.

As to how, we have used locally developed provisioning tools for quite some time. These look for custom attribute values on a group to know whether to provision it to a given target. Distinct OUs in an LDAP or AD service are different targets, as is an isMemberOf-only, no actual group object style. We also provision some groups into our person registry system to support associated applications, and to several other application-specific databases.

We look forward to replacing some of these with PSP in the not distant future.


On 3/1/2013 11:45 AM, Earl Lewis wrote:
I assume others out there are in similar circumstances so I'm wondering what you're doing and how you're doing it? 

801-581-3635 (office)
801-554-3596 (mobile)

On 3/1/13 9:53 AM, "Earl Lewis" <> wrote:

We had an interesting discussion yesterday concerning Grouper and it's provisioning to multiple LDAPs. We're in the middle of a limited pilot for our IT department. Our thinking is that we are going to have Grouper provisioning groups on an OpenDJ and ActiveDirectory. Obviously these are two different beasts and need to have their own connector/configurations so updates in Grouper can be reflected in the directories. 

The question came when we started talking about provisioning to one directory OR the other, I.e. push some groups to one directory flavor and some to the other. In other words not just arbitrarily pushing all updates to both. Is targeting specific directories for specific groups the norm, or the exception? 

I assume others out there are in similar circumstances so I'm wondering what you're doing and you're doing it? 

801-581-3635 (office)
801-554-3596 (mobile)

Archive powered by MHonArc 2.6.16.

Top of Page