
Subject: Grouper Users - Open Discussion List

[grouper-users] configuring psp target != subject source

  • From: Tibor Rudas <>
  • To: "" <>
  • Subject: [grouper-users] configuring psp target != subject source
  • Date: Thu, 11 Apr 2013 16:08:32 +0200
  • Authentication-results: sfpop-ironport05.merit.edu; dkim=pass (signature verified)

Dear List,

I'm currently setting up Grouper 2.1.3 to be our new group-management
tool. However, I would need some help with my configuration, as I need to
provision group information to systems which are not the subject source
for the individual members.

Here is my basic setup:

We have a central database which is our authoritative source for all
identity-management-relevant information. All active accounts are
automatically replicated into an OpenLDAP server which some applications
use as their source.
We are now adding an Active Directory to the mix... and now we would
like to have a single point to define groups which can then be used by
as many applications (including the AD) as possible. As a first step we
would like to sync the groups into the AD, but eventually we will also
need them in our LDAP server.

But: when I use the DB as subject source, no memberships are synced to
the AD, since none of the subjects (and thus the DNs) are resolvable via
the AD, as it is not a data source. Configuring both DB and AD as
subject sources is not practical and will lead to problems, as all
subject IDs would no longer be unique among these sources (they all can
be resolved by both sources). Using the AD as subject source and target
works.

So ideally I would like to have the DB as subject source and configure
the PSP so that memberships of subjects from the DB are synced. I guess
for this I'll have to configure the attribute resolver so that the PSP
will accept that 'ldap' is the target but is not configured as subject
source. And secondly, I'll have to configure the attribute resolver so
that the PSP knows the DN of the given subject in the AD (probably via a
ResolverTemplateAttributeDefinition).

So, is this feasible at all? If yes, could someone point me to
documentation or an example of how to configure the above (as I am quite
new to the Shibboleth attribute-resolver syntax)?

And is it possible to use the PSP to sync the groups to two different
LDAP targets (OpenLDAP/AD)? I guess I could use two different
Grouper daemons using two different PSP configs, but would they both
see all changes in the ChangeLog, or will one process them and the other
then never see them?

Thanks in advance (and sorry for the long post),
Tibor Rudas
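The subject-to-DN mapping described in the post, as an added example that is not part of the original message and not Grouper or PSP code: a small Python model of what a template attribute definition has to do when the provisioning target (the AD) is not the subject source (the DB). The subject records, the attribute name `uid`, and the DN layout `CN=<uid>,OU=People,DC=example,DC=org` are constructed assumptions. The model escapes RDN values per RFC 4514, reports members it cannot map instead of silently dropping them (the symptom in the post), and checks two subject sources for overlapping subject ids (the uniqueness problem the post mentions).

```python
"""Model of the subject -> target-DN mapping a provisioner needs when the
provisioning target (here AD) is not the subject source (here the DB).
Added example; not Grouper or PSP code. All names and sample data below
are constructed assumptions."""

# Constructed sample subjects from the DB subject source (assumed schema).
DB_SUBJECTS = [
    {"subjectId": "u1001", "uid": "jdoe"},
    {"subjectId": "u1002", "uid": "asmith"},
    {"subjectId": "u1003", "uid": "o'neil, p"},   # contains a DN-special comma
    {"subjectId": "u1004", "uid": ""},            # no uid: cannot be mapped
]

# Constructed sample of what an AD subject source would return; the subject
# ids overlap with the DB source, which is the uniqueness problem described
# in the post when both are configured as subject sources.
AD_SUBJECTS = [
    {"subjectId": "u1001", "uid": "jdoe"},
    {"subjectId": "u2000", "uid": "svc-backup"},
]

# Assumed DN layout of the target directory; the real one must match the AD.
AD_DN_TEMPLATE = "CN={uid},OU=People,DC=example,DC=org"

# Characters that must be escaped anywhere in an RDN value (RFC 4514, 2.4).
_SPECIAL_ANYWHERE = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN per RFC 4514.

    Without this, a uid such as "o'neil, p" would split one RDN into two and
    the provisioner would address the wrong (or a non-existent) entry.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' only
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space only
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def resolve_target_dn(subject, template=AD_DN_TEMPLATE):
    """Compute the target DN for one subject record, or None if it cannot be
    mapped (missing record or missing uid). This is the job the template
    attribute definition does inside the attribute resolver."""
    if subject is None:
        return None
    uid = subject.get("uid") or ""
    if not uid:
        return None
    return template.format(uid=escape_rdn_value(uid))


def build_membership_dns(subjects, member_ids):
    """Map a group's member subject ids to target DNs.

    Returns (dns, unresolved). Unresolved ids are reported, not dropped: a
    silently empty member list is exactly the symptom in the post.
    """
    by_id = {s["subjectId"]: s for s in subjects}
    dns, unresolved = [], []
    for sid in member_ids:
        dn = resolve_target_dn(by_id.get(sid))
        if dn is None:
            unresolved.append(sid)
        else:
            dns.append(dn)
    return dns, unresolved


def find_cross_source_collisions(source_a, source_b):
    """Subject ids that both sources would claim; with two subject sources
    configured these could resolve to two different identities."""
    ids_a = {s["subjectId"] for s in source_a}
    ids_b = {s["subjectId"] for s in source_b}
    return sorted(ids_a & ids_b)


if __name__ == "__main__":
    members = ["u1001", "u1003", "u1004", "u9999"]  # u9999: not in the DB
    dns, unresolved = build_membership_dns(DB_SUBJECTS, members)
    for dn in dns:
        print("member:", dn)
    for sid in unresolved:
        print("WARNING: no target DN for subject", sid)
    print("ids present in both sources:",
          find_cross_source_collisions(DB_SUBJECTS, AD_SUBJECTS))
```

Running the script prints the two resolvable members as AD DNs and warns about the two it cannot map; a provisioner that instead drops them quietly produces the "no memberships are synced" behaviour from the post, so whatever the resolver template ends up looking like, check its output for unresolved subjects before trusting the sync.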


