Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Provisioning a group attribute value onto a member's LDAP object

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Provisioning a group attribute value onto a member's LDAP object

Chronological Thread 
  • From: David Langenberg <>
  • To: Paul Engle <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Provisioning a group attribute value onto a member's LDAP object
  • Date: Tue, 7 Jan 2014 10:25:30 -0700

Hi Paul,

I don't think scripting the attribute would help much in this case.  The Membership does seem to be the better place for the attribute.  Have you considered using Grouper Rules ( to automate the application of the attribute on the membership?


On Tue, Jan 7, 2014 at 9:18 AM, Paul Engle <> wrote:

Hi all,
  I'm very close to moving forward and upgrading our 1.6.3
infrastructure to 2.1.5. I have the psp configuration mostly where I
need it to be (and it is sooooo much faster). But there is one thing
that I'm trying to do that is failing.

Basically, I've defined an attribute with the new framework, and
assigned that attribute to a group. I'd like the provisioner to be able
to take that attribute value and assign it to a group member's LDAP
object as a custom LDAP attribute. Similar to the way the
memberIsMemberOf attribute is done in the psp-resolver.xml for the
psp-example-grouper-to-openldap example.

The problem I'm running into is that, since this attribute doesn't exist
on all groups (unlike the 'name' attribute for the memberIsMemberOf
example), I get an 'operation not permitted' error when I try to define
the attribute thusly:

  <resolver:Dependency ref="MemberDataConnector" />
  <grouper:Attribute id="etc:attribute:vpn:name" />

Would defining the attribute as a script be the way to go?
Alternatively, should I be thinking about this some other way? I have
successfully gotten the LDAP attribute provisioned by putting the
etc:attribute:vpn:name on the Membership, rather than the group itself,
but that entails many more steps for the end user. (Add person to group,
add attribute to user as a group member, and then assign the value,
using the same value for every group member). Or maybe I'm not
understanding the new attribute framework very well.


Paul D. Engle              |  Rice University
Sr. Systems Administrator  |  Information Technology - MS119
(713)348-4702              |  PO Box 1892
           |  Houston, TX 77252-1892

David Langenberg
Identity & Access Management
The University of Chicago

Archive powered by MHonArc 2.6.16.

Top of Page