grouper-users - [grouper-users] Re: PSP sync: The "bushy" vs. "flat" debate
Subject: Grouper Users - Open Discussion List
- From: "Bee-Lindgren, Bert" <>
- To: "Coleman, Erik C" <>, "" <>
- Subject: [grouper-users] Re: PSP sync: The "bushy" vs. "flat" debate
- Date: Wed, 11 Jan 2017 17:07:11 +0000
- Accept-language: en-US
I'm going to answer this for Groups PSPNG. If there are reasons you have to use PSP (old), then we can readdress that.
1) Regardless of whether you use a bushy or flat OU, you should name your groups uniquely. At Georgia Tech, we reverse the group's native name, so the most interesting part of the name is first... In other words, name your group webserveradmins:wiki:services:uiuc because AD users will be typing webserveradmins or will be looking at a truncated name of the group in some UI somewhere. You can either truncate the cn/samaccountname to the 64 allowed characters, or add a hash to the end.
2) There should not be any performance problems in maintaining a bushy hierarchy. Obviously, OUs need to be created, but that's a small fraction of the ldap changes and they're pretty quick.
4) Configuring multiple Base OUs would appear in PSPNG's config as different provisioners, sharing connectivity information, but with different group-selection criteria/grouper properties.
5) FWIW, at Georgia Tech, we have thousands of AD groups populated in a flat OU. It's hell to browse with Windows tools, but otherwise is great.
Hoping this helps,
Bert
From: <> on behalf of Coleman, Erik C <>
Sent: Monday, January 9, 2017 2:05 PM
To:
Subject: [grouper-users] PSP sync: The "bushy" vs. "flat" debate

Our in-progress Grouper implementation project will become a major source of group membership info for our Active Directory instance (not so much the other way around). We plan to have a PSP configured to synchronize certain categories of groups into various OUs within the AD tree. Given that we already have a well-established and mature AD implementation, it would seem to make sense to lean toward a “bushy” model, whereas those that are used to organizing groups into sub-OUs in AD can continue to do so using Grouper. This also seems to open up some granularity in terms of leveraging AD access controls (assuming PSP has the necessary write rights) on certain sensitive groups/OUs. Our presumption is that these OUs (and descendants) will have Grouper be solely authoritative for the data and the ACLs of concern would be read-only or no access. One area of concern would be group naming and the potential for duplicates in different OUs, as the derived sAMAccountName has to be unique across the entire domain.
On the other hand, I have heard stories of slow sync times and that following a “flat” model would be far more efficient. And a concatenation of the path naming i.e., “uiuc:services:wiki:webserveradmins” would translate into the AD side group naming, providing uniqueness, even if all jammed into a single OU. As far as assigning ACLs, I recall Eric Kool-Brown and others going as far as having a post-sync script assigning it on a per-group basis, though that seems like more moving parts to me.
I’m curious what others may have done both with the bushy vs. flat sync topology, as well as their naming taxonomy and approach to granular access control in order to accommodate it. Have you tried both? A hybrid model with multiple syncs doing things differently? Do you see a major advantage over doing it one way vs. the other?
Thanks for sharing your experiences!
--
Erik Coleman
Technology Services
University of Illinois at Urbana-Champaign
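As an added example (not code from this thread, from Grouper or from PSPNG), here is the naming scheme Bert describes: reverse the Grouper path so the most specific component comes first, keep names that fit the 64-character limit the thread cites, and truncate longer ones with a hash of the full name appended. It also includes a domain-wide uniqueness check for the duplicate-sAMAccountName concern Erik raises. The hash length, the underscore separator, the use of 64 as a hard cap and the sample group names are my assumptions.

```python
import hashlib
from collections import defaultdict

MAX_NAME_LEN = 64  # limit quoted in the thread for the AD cn/sAMAccountName (assumed hard cap)
HASH_LEN = 8       # hex chars of the digest appended to a truncated name (my choice)


def reverse_grouper_name(grouper_name: str, sep: str = ":") -> str:
    """Put the most specific path component first, as described in the thread:
    'uiuc:services:wiki:webserveradmins' -> 'webserveradmins:wiki:services:uiuc'."""
    return sep.join(reversed(grouper_name.split(sep)))


def ad_group_name(grouper_name: str, max_len: int = MAX_NAME_LEN) -> str:
    """Derive the AD group name. Names that fit are used unchanged; longer names
    are truncated and suffixed with a short hash of the *full* Grouper name, so
    two long groups sharing the same truncated prefix still get distinct names."""
    candidate = reverse_grouper_name(grouper_name)
    if len(candidate) <= max_len:
        return candidate
    digest = hashlib.sha256(grouper_name.encode("utf-8")).hexdigest()[:HASH_LEN]
    return candidate[: max_len - HASH_LEN - 1] + "_" + digest


def find_collisions(grouper_names) -> dict:
    """Return {ad_name: [grouper groups]} for every derived AD name that more
    than one Grouper group maps to. Comparison is case-insensitive because AD
    enforces sAMAccountName uniqueness that way across the whole domain."""
    by_ad_name = defaultdict(list)
    for name in grouper_names:
        by_ad_name[ad_group_name(name).lower()].append(name)
    return {k: v for k, v in by_ad_name.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample Grouper group names (not taken from the thread).
    sample = [
        "uiuc:services:wiki:webserveradmins",
        "uiuc:services:Wiki:WebServerAdmins",      # differs only by case: collides in AD
        "uiuc:services:wiki:teamA:" + "x" * 70,    # same truncated prefix as the next one,
        "uiuc:services:wiki:teamB:" + "x" * 70,    # but a different hash suffix
    ]
    for g in sample:
        print(f"{g[:40]:40} -> {ad_group_name(g)}")
    print("collisions:", find_collisions(sample))
```

Running the check over an export of candidate group names before the first provisioning run shows exactly which groups would fight over one sAMAccountName.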