Subject: Grouper Users - Open Discussion List

[grouper-users] PSP sync: The "bushy" vs. "flat" debate


  • From: "Coleman, Erik C" <>
  • Subject: [grouper-users] PSP sync: The "bushy" vs. "flat" debate
  • Date: Mon, 9 Jan 2017 19:05:50 +0000

Our in-progress Grouper implementation project will become a major source of group membership info for our Active Directory instance (not so much the other way around).  We plan to have a PSP configured to synchronize certain categories of groups into various OUs within the AD tree.  Given that we already have a well-established and mature AD implementation, it would seem to make sense to lean toward a “bushy” model, whereas those that are used to organizing groups into sub-OUs in AD can continue to do so using Grouper.  This also seems to open up some granularity in terms of leveraging AD access controls (assuming PSP has the necessary write rights) on certain sensitive groups/OUs.  Our presumption is that these OUs (and descendants) will have Grouper be solely authoritative for the data and the ACLs of concern would be read-only or no access.  One area of concern would be group naming and the potential for duplicates in different OUs, as the derived sAMAccountName has to be unique across the entire domain.
On the other hand, I have heard stories of slow sync times and that following a “flat” model would be far more efficient. And a concatenation of the path naming i.e., “uiuc:services:wiki:webserveradmins” would translate into the AD side group naming, providing uniqueness, even if all jammed into a single OU. As far as assigning ACLs, I recall Eric Kool-Brown and others going as far as having a post-sync script assigning it on a per-group basis, though that seems like more moving parts to me.
I’m curious what others may have done both with the bushy vs. flat sync topology, as well as their naming taxonomy and approach to granular access control in order to accommodate it.  Have you tried both?  A hybrid model with multiple syncs doing things differently? Do you see a major advantage over doing it one way vs. the other?
Thanks for sharing your experiences!
--
Erik Coleman
Technology Services
University of Illinois at Urbana-Champaign
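The two topologies contrasted above, as an added example that is not part of the original post or of the Grouper/PSP code: a "bushy" mapper that turns each Grouper stem into a nested OU and keeps only the group extension as the AD name, a "flat" mapper that folds the whole path into the name, and a domain-wide sAMAccountName collision check. The base DN and the sample group names are constructed assumptions.

```python
# Added example (not from the original post or the Grouper/PSP project):
# model the two provisioning topologies and show why the "bushy" layout can
# collide on sAMAccountName while the "flat" layout cannot.
from collections import defaultdict

BASE_DN = "OU=Grouper,DC=example,DC=edu"  # assumed provisioning root (constructed)


def bushy_target(group_name: str) -> tuple[str, str]:
    """Bushy model: each Grouper stem becomes a nested OU and the group keeps
    its extension as its name. Returns (sAMAccountName, DN)."""
    *stems, extension = group_name.split(":")
    ou_path = ",".join(f"OU={s}" for s in reversed(stems))
    return extension, f"CN={extension},{ou_path},{BASE_DN}"


def flat_target(group_name: str, sep: str = "_") -> tuple[str, str]:
    """Flat model: the whole Grouper path is folded into the group name, so
    every group lands in one OU with a name that is unique by construction."""
    sam = group_name.replace(":", sep)
    return sam, f"CN={sam},{BASE_DN}"


def find_sam_collisions(group_names, mapper):
    """Return {sAMAccountName: [grouper groups]} for names that would collide.
    sAMAccountName must be unique across the whole domain, not per OU, so a
    bushy layout that separates groups by OU does not avoid the clash."""
    seen = defaultdict(list)
    for g in group_names:
        sam, _dn = mapper(g)
        seen[sam.lower()].append(g)  # AD compares sAMAccountName case-insensitively
    return {sam: gs for sam, gs in seen.items() if len(gs) > 1}


# Constructed sample: two different stems that each contain a group "admins".
SAMPLE_GROUPS = [
    "uiuc:services:wiki:webserveradmins",
    "uiuc:services:wiki:admins",
    "uiuc:services:email:admins",
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print("bushy:", bushy_target(g))
        print("flat: ", flat_target(g))
    print("bushy collisions:", find_sam_collisions(SAMPLE_GROUPS, bushy_target))
    print("flat collisions: ", find_sam_collisions(SAMPLE_GROUPS, flat_target))
```

Running the collision check against the planned Grouper folders before enabling the PSP sync surfaces every bushy-model duplicate that AD would reject at provisioning time.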