Grouper Users - Open Discussion List

[Paul Engle <>]

Slight correction to this. The property is actually
allProvisionedValuesPrefix for the attribute provisioner. I fixed it in
the wiki.

Thinking about this some more, I can understand the logic of wanting to
require a prefix when the authoritative switch is thrown to keep it from
blowing away values from other sources. But does it seem reasonable to
have a new boolean property, provisionedValuesPrefixIsNull or somesuch
to trigger the case when there really should be an empty prefix?  That
would prevent an admin from accidentally turning on the authoritative
behavior and not specifying a prefix explicitly. Either the prefix
property contains a string or the isNull property is true. Does that
make sense?

  -paul

On 2/20/2017 11:16 AM, Paul Engle wrote:
> 
> I understand how to make Grouper authoritative for prefixed values of an
> LDAP attribute using the LdapAttributeProvisioner and setting a value
> for the grouperIsAuthoritative & allProvisionedAttributePrefix
> properties. But how can I do so for _all_ values of an attribute,
> without a prefix?
> 
> Up to now, we've had isMemberOf populated from the group name, so they
> don't all share a common prefix. Introducing a prefix at this stage
> would break several applications that are already using the existing
> values. I thought I could be clever and put in a string like '*:',
> making the resultant LDAP filter be (isMemberOf=*:*). But apparently
> later on during the reconciliation, the prefix is made part of a regex,
> so the asterisk blows it up.
> 
> Is there any way to specify an empty string for the property? If not,
> can that be a feature request? If I can get this one issue solved, then
> I think I will have a fully functional pspng equivalent of our existing
> psp config.
> 
>   -paul
> 
> 

-- 
Paul Engle
Office of Information Technology

713-348-4702