Grouper Users - Open Discussion List

[Julio Polo <>]

If AD behaves like other LDAP servers, you could specify the base as 'DC=campus,DC=ncl,DC=ac,DC=uk' and change the ACI for the LDAP/AD account you configured Grouper with so that it only has access to the two branches you want (OU=Campus Users and OU=Other Users)

Julio Polo
Enterprise Middleware, Identity and Access Management
Information Technology Services
University of Hawaii

On Fri, Nov 4, 2016 at 1:33 AM, Philip Harle <> wrote:

Inside of sources.xml we specify the path to the base OU in Active Directory containing the majority of our user accounts. However, we have a scenario where our subject user accounts exist across two separate locations in AD.

We currently use the following:
    <search>
        <searchType>searchSubjectByIdentifier</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp;(cn=%TERM%)(objectclass=person))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>SUBTREE_SCOPE</param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>OU=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
        </param>
    </search>

Is it possible to specify a secondary location, for example 'OU=Other Users,DC=campus,DC=ncl,DC=ac,DC=uk' in addition to the one specified above?

I've attempted to construct a search block in sources.xml using numParameters to allow us to query a second location if the subject is not found in the first, but I've not had much success.

I realise this could be achieved by specifying the base as 'DC=campus,DC=ncl,DC=ac,DC=uk', however our domain contains a number of other root OU's that we'd rather not have Grouper search through in order to maintain performance of the service.

Thanks,

---
Phil Harle
IT Service
Newcastle University