Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Design question

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Design question

Chronological Thread 
  • From: David Langenberg <>
  • To: Jeff McCullough <>
  • Cc: Tom Barton <>, "<>" <>, CalNet Administration <>
  • Subject: Re: [grouper-users] Design question
  • Date: Wed, 6 Mar 2013 23:19:02 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

Hi Jeff,

The groups targeted at different systems do not live in different parts of the tree.  Any group anywhere in our group structure can be provisioned to LDAP, AD, our Person Registry, or any combination of the above.  When we do move to the PSP we will at a minimum need to maintain the current flexibility so I imagine we'll come up with a way (hook or crook) to make it work as desired.


David Langenberg
Identity & Access Management
The University of Chicago

On Mar 6, 2013, at 3:46 PM, Jeff McCullough <>


I like your feature of using the custom attribute to determine where a group is to be provisioned. In PSP, that sort of granularity doesn't currently exist, and you mention wanting to move to PSP. Do your groups that need to be targeted to a particular system live in separate branches of your organizational tree? I'm guessing they don't, so am wondering if there is a plan for PSP to use something like your custom attribute to know where to provision a group?


On Mar 2, 2013, at 4:10 PM, Tom Barton <> wrote:


At UChicago we selectively provision some groups to LDAP and some to AD. There is only a little overlap between them. Furthermore, many groups are not pushed out to either, or to anywhere else, for a variety of reasons. The general principle we try to follow in this is to put the info where it is needed, but only there.

As to how, we have used locally developed provisioning tools for quite some time. These look for custom attribute values on a group to know whether to provision it to a given target. Distinct OUs in an LDAP or AD service are different targets, as is an isMemberOf-only, no actual group object style. We also provision some groups into our person registry system to support associated applications, and to several other application-specific databases.

We look forward to replacing some of these with PSP in the not distant future.


On 3/1/2013 11:45 AM, Earl Lewis wrote:
I assume others out there are in similar circumstances so I'm wondering what you're doing and how you're doing it? 

801-581-3635 (office)
801-554-3596 (mobile)

On 3/1/13 9:53 AM, "Earl Lewis" <> wrote:

We had an interesting discussion yesterday concerning Grouper and it's provisioning to multiple LDAPs. We're in the middle of a limited pilot for our IT department. Our thinking is that we are going to have Grouper provisioning groups on an OpenDJ and ActiveDirectory. Obviously these are two different beasts and need to have their own connector/configurations so updates in Grouper can be reflected in the directories. 

The question came when we started talking about provisioning to one directory OR the other, I.e. push some groups to one directory flavor and some to the other. In other words not just arbitrarily pushing all updates to both. Is targeting specific directories for specific groups the norm, or the exception? 

I assume others out there are in similar circumstances so I'm wondering what you're doing and you're doing it? 

801-581-3635 (office)
801-554-3596 (mobile)

Archive powered by MHonArc 2.6.16.

Top of Page