grouper-users - Re: [grouper-users] Design question

Subject: Grouper Users - Open Discussion List

  • From: "Michael R. Gettes" <>
  • To: "" <>, "" <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Design question
  • Date: Wed, 6 Mar 2013 23:45:06 +0000

+1

Please. 

/mrg


-------- Original message --------
From: Tom Barton <>
Date: 06/03/2013 18:22 (GMT-05:00)
To: Jeff McCullough <>
Cc: ,CalNet Administration <>
Subject: Re: [grouper-users] Design question


Jeff,

There isn't an extant plan, but there is renewed development of PSP now ramping up. I have a feeling that a use case like this will prove to be valuable to a fair number of deployers, and if so that should help to put it on the sooner rather than later part of the roadmap.

Tom

On 3/6/2013 4:46 PM, Jeff McCullough wrote:
Tom,

I like your feature of using the custom attribute to determine where a group is to be provisioned. In PSP, that sort of granularity doesn't currently exist, and you mention wanting to move to PSP. Do your groups that need to be targeted to a particular system live in separate branches of your organizational tree? I'm guessing they don't, so am wondering if there is a plan for PSP to use something like your custom attribute to know where to provision a group?

Thanks,
Jeff


On Mar 2, 2013, at 4:10 PM, Tom Barton <> wrote:

Earl,

At UChicago we selectively provision some groups to LDAP and some to AD. There is only a little overlap between them. Furthermore, many groups are not pushed out to either, or to anywhere else, for a variety of reasons. The general principle we try to follow in this is to put the info where it is needed, but only there.

As to how, we have used locally developed provisioning tools for quite some time. These look for custom attribute values on a group to know whether to provision it to a given target. Distinct OUs in an LDAP or AD service are different targets, as is an isMemberOf-only, no actual group object style. We also provision some groups into our person registry system to support associated applications, and to several other application-specific databases.

We look forward to replacing some of these with PSP in the not distant future.

Tom

On 3/1/2013 11:45 AM, Earl Lewis wrote:
[Edit]
I assume others out there are in similar circumstances so I'm wondering what you're doing and how you're doing it? 

Earl
801-581-3635 (office)
801-554-3596 (mobile)

On 3/1/13 9:53 AM, "Earl Lewis" <> wrote:

We had an interesting discussion yesterday concerning Grouper and its provisioning to multiple LDAPs. We're in the middle of a limited pilot for our IT department. Our thinking is that we are going to have Grouper provisioning groups on an OpenDJ and ActiveDirectory. Obviously these are two different beasts and need to have their own connector/configurations so updates in Grouper can be reflected in the directories.

The question came when we started talking about provisioning to one directory OR the other, i.e. push some groups to one directory flavor and some to the other. In other words not just arbitrarily pushing all updates to both. Is targeting specific directories for specific groups the norm, or the exception?

I assume others out there are in similar circumstances so I'm wondering what you're doing and you're doing it? 

Earl
801-581-3635 (office)
801-554-3596 (mobile)
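
The attribute-driven selection discussed in this thread, as an added sketch that is not part of any message above and is not UChicago's or Grouper's code: groups are routed only to targets named in a custom attribute, untagged groups go nowhere, and anything already on a target but no longer tagged for it is scheduled for removal. The attribute name `provisionTargets`, the target names and the group data are hypothetical.

```python
# Added illustration; attribute name, target names and group data are hypothetical.
from dataclasses import dataclass, field

# Each target is a distinct destination: an LDAP OU, an AD OU, or an
# isMemberOf-only style with no group object (names are constructed).
KNOWN_TARGETS = {"ldap:ou=groups", "ad:ou=apps", "ldap:isMemberOf"}
ATTR = "provisionTargets"  # hypothetical custom attribute on a group


@dataclass
class Plan:
    push: dict = field(default_factory=dict)      # target -> groups to write
    remove: dict = field(default_factory=dict)    # target -> groups to delete
    rejected: list = field(default_factory=list)  # (group, unknown value)


def plan_provisioning(groups, current):
    """groups: {name: {attr: [values]}}; current: {target: set(names)} already present."""
    plan = Plan({t: set() for t in KNOWN_TARGETS}, {t: set() for t in KNOWN_TARGETS})
    for name, attrs in groups.items():
        # No attribute means the group is provisioned nowhere (default deny).
        for value in attrs.get(ATTR, []):
            if value in KNOWN_TARGETS:
                plan.push[value].add(name)
            else:
                # Typos or unapproved targets are reported, never guessed at.
                plan.rejected.append((name, value))
    for target in KNOWN_TARGETS:
        # Anything on the target that is no longer tagged for it must go,
        # otherwise stale groups keep granting access there.
        plan.remove[target] = current.get(target, set()) - plan.push[target]
    return plan


# Constructed sample data.
GROUPS = {
    "app:wiki:editors": {ATTR: ["ldap:ou=groups"]},
    "app:fileshare:staff": {ATTR: ["ad:ou=apps", "ldap:isMemberOf"]},
    "hr:payroll:admins": {},                       # stays inside the registry
    "app:lab:users": {ATTR: ["ad:ou=aps"]},        # typo in the target value
}
CURRENT = {"ad:ou=apps": {"app:fileshare:staff", "hr:payroll:admins"}}

if __name__ == "__main__":
    p = plan_provisioning(GROUPS, CURRENT)
    for t in sorted(KNOWN_TARGETS):
        print(t, "push", sorted(p.push[t]), "remove", sorted(p.remove[t]))
    print("rejected", p.rejected)
```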





