
grouper-users - [grouper-users] RE: using AD extended schema attribute for anchor

Subject: Grouper Users - Open Discussion List

  • From: "Coleman, Erik C" <>
  • To: "Guenther, Dean R." <>, "" <>
  • Subject: [grouper-users] RE: using AD extended schema attribute for anchor
  • Date: Wed, 13 Jun 2018 03:04:36 +0000

We have a slightly similar model with an extended attribute “uiucEduUIN” that requires users to be in a special AD group with extra privs to see the attribute. I don’t foresee a problem here, as the group creation LDIF is doing nothing more than establishing an entry in the link-table between the group and user, and would be using the same bind credentials as the loader job.



Erik Coleman

University of Illinois at Urbana-Champaign



From: <> On Behalf Of Guenther, Dean R.
Sent: Tuesday, June 12, 2018 1:10 PM
Subject: [grouper-users] using AD extended schema attribute for anchor


I have an Active Directory extended schema attribute wsuExternalSystemID which contains a unique ID for each person. It's similar to what you might find in employeeID. This attribute is a confidential attribute, and I have granted my ldap.pspng_activedirectory.user to have full access to this extended AD attribute. For my Grouper groups I build them with the SQL query


            select wsuExternalSystemID as subject_id from oraclepersonregistry where employeerole like '%Hourly%'


and this successfully builds my group in Grouper. And each person it finds has the Unique ID with their wsuExternalSystemID as I’d expect.


My question is, am I going to have any problem with using PSPNG to build a group in AD when the users are being referenced by an extended schema AD attribute? These are my userSearch values:


changelog.consumer.pspng_activedirectory.userSearchBaseDn = ou=people,dc=testingAD,dc=wsu,dc=edu

changelog.consumer.pspng_activedirectory.userSearchFilter = wsuExternalSystemID=${}

changelog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,wsuexternalsystemid,userprincipalname,objectclass





Dean Guenther                          
Washington State University    Phone:    509 335-0433
Pullman, WA. 99164-1222        fax:      509 335-0540
Identity and Access Management Manager

