
grouper-users - RE: [siad] [grouper-users] Grouper loader LDAP with 2 ldap filters

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: SIAD <>
  • Cc: "" <>
  • Subject: RE: [siad] [grouper-users] Grouper loader LDAP with 2 ldap filters
  • Date: Wed, 9 Oct 2013 14:46:37 +0000
  • Accept-language: en-US

Well, you could have two loader jobs… one for all the schools to make groups like this:

Group: community:schools:0591234A
- Member: dupont
- Member: robert

Group: community:schools:0595678B
- Member: durand

etc

Then do a loader job for all the group attributes

Group: community:schoolAttribute:LP
- Member: community:schools:0591234A

Group: community:schoolAttribute:PR
- Member: community:schools:0591234A
- Member: community:schools:0599101C

Then you can do your manual rollups (this part is not a loader job)

Group: community:schoolRollups:highSchool
- Member: community:schoolAttribute:LP
- Member: community:schoolAttribute:CLG
- Member: community:schoolAttribute:LGT

Group: community:schoolRollups:privateHighSchool
- Composite of Group:community:schoolAttribute:PR and Group:community:schoolRollups:highSchool

Is that ok, or do you need a way to do this in the loader?  I'm not sure I have time to do much work on it, so I'm trying to find a way to get this handled as is :)

 

If you did want more with the loader, can you give a sample config of how you would configure your job to make it work?

 

Thanks,

Chris

 

From: SIAD [mailto:]
Sent: Wednesday, October 09, 2013 5:09 AM
To: Chris Hyzer
Subject: Re: [siad] [grouper-users] Grouper loader LDAP with 2 ldap filters

 

Not exactly, sorry, English is not my best skill :-\

I'll try to explain more clearly.

We have two branches. RNE is the id that we use to identify, in the person (employee) branch, the school where the employee works. Typensi is a multivalued attribute that carries the school type (public/private school, an elementary school, a high school...).

PU is for public
PR is for private
LP, CLG, LGT is for high school
EEPU, EMPU is for elementary school

For example :

person (employee)

     - uid = dupont
     - rne = 0591234A

     - uid = durand
     - rne = 0595678B

     - uid = dubois
     - rne = 0591112D

     - uid = martin
     - rne = 0599101C

     - uid = bernard
     - rne = 0591314E

     - uid = robert
     - rne = 0591234A

     - uid = dumont
     - rne = 0591314E

     - uid = fontaine
     - rne = 0591112D

school

    - rne = 0591234A
    - typensi = LP
    - typensi = PR

    - rne = 0595678B
    - typensi = CLG
    - typensi = PU

    - rne = 0599101C
    - typensi = EMPU
    - typensi = PR

    - rne = 0591112D
    - typensi = EEPU
    - typensi = PU

    - rne = 0591314E
    - typensi = LGT
    - typensi = PU


Let's say I want all the persons who work in a public elementary school. To do this, I need a first LDAP query on the school branch like: (&(typensi=PU)|(typensi=EEPU)(typensi=EMPU)).

The result of this query will be:

    - rne = 0599101C
    - typensi = EMPU
    - typensi = PR

    - rne = 0591112D
    - typensi = EEPU
    - typensi = PU

Now, I need the rne attribute to query the person branch. (&(rne=0599101C)(rne = 0591112D)).

The result will be:

     - uid = dubois
     - rne = 0591112D

     - uid = martin
     - rne = 0599101C

     - uid = fontaine
     - rne = 0591112D

And finally this results in two Grouper groups:

name = 0591112D
member = dubois
member = fontaine

name = 0599101C
member = martin

This is the process that I am trying to do with the Grouper loader (and I did it, but it's not really clean...).

Thanks a lot for your help.
Yoann.
On 08/10/2013 16:20, Chris Hyzer wrote:

I think you can do this.
 
Focus on the second query to build the groups with the loader.
 
LDAP_GROUP_FROM_ATTRIBUTES
 
Person
  - id: abc
  - school: 12, 34
Person
  - id: bcd
  - school: 23, 34
 
There would be 3 groups from this, for schools 12, 23, 34
 
But you want the name from another filter, right?
 
School
  - name: Something School
  - id: 12
 
I think you can write a simple java class that does the LDAP query, caches the results, and you can register this in expression language, and use it in grouperLoaderLdapGroupDisplayNameExpression...  (or Name, Description, etc).
 
Can this work for you?  Do you need a proof of concept?
 
Thanks,
Chris
 
 
-----Original Message-----
From: SIAD [] 
Sent: Tuesday, October 08, 2013 5:21 AM
To: Chris Hyzer
Cc: 
Subject: Re: [siad] [grouper-users] Grouper loader LDAP with 2 ldap filters
 
Hmmmmm, I don't think so. I would extract a specific attribute value from the first request and reuse it for building the second filter.
Actually, I have a first loader job (LDAP_GROUPS_FROM_ATTRIBUTES) that initializes empty groups, based on several LDAP attributes (if it's a public/private school, an elementary school, a high school...) and the school LDAP branch.  There is an ID number for each school and I use it as the group name. This ID is the only thing that we have to identify, in the employee branch, the school where the employee works.
So, on each empty group (created with the first loader job), I have a second loader job (LDAP_SIMPLE) for querying the employee LDAP branch with an LDAP filter based on each group's name.
It works but it's not really clean. That's why I am trying to find another solution...
 
I don't know if it's clear for you :-\
 
Anyway, thanks for your help !
 
Yoann.
 
On 07/10/2013 17:12, Chris Hyzer wrote:
Is this something you can do with two loader jobs and intersect the results to an overall group?
 
Thanks,
Chris
 
-----Original Message-----
From:  [] On Behalf Of SIAD
Sent: Monday, October 07, 2013 8:53 AM
To: 
Subject: [grouper-users] Grouper loader LDAP with 2 ldap filters
 
Hi,
 
I have a request: is it possible to improve the Grouper loader LDAP with the possibility to use 2 LDAP filters?
Explanation: in our LDAP, we have multiple branches, especially one with all schools and a second with the employees.
I would query the school branch and extract a specific attribute value from the result entries. Then, use this extracted attribute in a second filter to query the employee branch and finally create groups with the result.
Pretty much the same behaviour as the include_ldap_2level_query option in SYMPA:
http://www.sympa.org/manual/parameters-data-sources#include_ldap_2level_query
 
Do you think this is possible ?
 
Thanks,
Yoann.
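
Added example, not part of the original thread and not Grouper code: an in-memory model of the layout proposed in the latest reply (one group per school, one group per typensi value holding school groups, a manual rollup, and a composite intersection), run over the sample person and school entries quoted in the thread. Function names are hypothetical; nested membership is flattened to uids to show who ends up in `privateHighSchool`.

```python
# Added illustration. Directory entries are the sample values quoted in the
# thread; the function names are hypothetical and this is not Grouper's API.
PERSONS = {  # uid -> rne (person branch)
    "dupont": "0591234A", "durand": "0595678B", "dubois": "0591112D",
    "martin": "0599101C", "bernard": "0591314E", "robert": "0591234A",
    "dumont": "0591314E", "fontaine": "0591112D",
}
SCHOOLS = {  # rne -> typensi values (school branch, multivalued)
    "0591234A": {"LP", "PR"}, "0595678B": {"CLG", "PU"},
    "0599101C": {"EMPU", "PR"}, "0591112D": {"EEPU", "PU"},
    "0591314E": {"LGT", "PU"},
}
HIGH_SCHOOL_TYPES = ("LP", "CLG", "LGT")

def build_groups():
    """Return {group name: direct members} for both loader jobs and the rollup."""
    groups = {}
    for rne, types in SCHOOLS.items():
        school = f"community:schools:{rne}"
        groups.setdefault(school, set())  # a school with no staff is still a group
        for t in types:  # attribute job: members are school groups, not persons
            groups.setdefault(f"community:schoolAttribute:{t}", set()).add(school)
    for uid, rne in PERSONS.items():  # school job: members are persons
        groups.setdefault(f"community:schools:{rne}", set()).add(uid)
    groups["community:schoolRollups:highSchool"] = {
        f"community:schoolAttribute:{t}" for t in HIGH_SCHOOL_TYPES}
    return groups

def effective_members(groups, name, seen=None):
    """Flatten nested membership down to uids; 'seen' guards against cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    uids = set()
    for member in groups.get(name, ()):
        if member in groups:
            uids |= effective_members(groups, member, seen)
        else:
            uids.add(member)
    return uids

def composite_intersection(groups, left, right):
    """Composite group: uids that are effective members of both factors."""
    return effective_members(groups, left) & effective_members(groups, right)

def private_high_school():
    return composite_intersection(build_groups(), "community:schoolAttribute:PR",
                                  "community:schoolRollups:highSchool")

if __name__ == "__main__":
    print(sorted(private_high_school()))
```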
 
 
 
 
 

 



