Grouper Users - Open Discussion List

[David Langenberg <>]

Hi Joshua,

Yes, you can easily have grouper create / maintain groups whereby the membership is based on an attribute's value in LDAP.  See 

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP

You'll want a GrouperLoaderLDAPType of LDAP_GROUPS_FROM_ATTRIBUTES

Dave

On Wed, Aug 13, 2014 at 2:42 PM, Joshua Riffle <> wrote:

I am in the midst of a project to hammer some sense out of an OpenLDAP directory structure and one of the topics of interest for our use-case is:

Why can't we just identify user groupings by a value in one of their person attributes?

For example a person entry in our LDAP directory has an attribute with a value of "edu:person:affil:staff" we could say they are in the "Staff" group via the ldap filter (objectclass=person)(attribute=edu:person:affil:staff). A person would be added to this group by applying this value to their person entry or removed from this group by removing this value from their person entry. This allows us to avoid maintaining a group object named "edu:person:affil:staff" and does not require us to worry about referential integrity between "member" and "memberOf" attributes. One down-side is that it eliminates our ability to meaningfully nest these groupings of attribute but that may not be an issue for our use-case.

That all being said, I am struggling to determine whether or not Grouper is capable of understanding "Groups" by Groupings of persons with a specific attribute value or if it is architected to only understand groups as objects with a list of members?

Joshua Riffle

Software Engineer

Azusa Pacific University

--
David Langenberg

Identity & Access Management

The University of Chicago