Grouper Users - Open Discussion List

["Coleman, Erik C" <>]

We have a slightly similar model with an extended attribute “uiucEduUIN” that requires users to be in a special AD group with extra privs to see the attribute. I don’t foresee a problem here, as the group creation LDIF is doing nothing more than establishing an entry in the link-table between the group and user, and would be using the same bind credentials as the loader job.

 

--

Erik Coleman

University of Illinois at Urbana-Champaign

 

 

From: <> On Behalf Of Guenther, Dean R.
Sent: Tuesday, June 12, 2018 1:10 PM
To:
Subject: [grouper-users] using AD extended schema attribute for anchor

 

I have an Active Directory extended schema attribute wsuExternalSystemID which contains a unique ID for each person. Its similar to what you might find in employeeID. This attribute is a confidential attribute, and I have granted my ldap.pspng_activedirectory.user to have full access to this extended AD attribute. For my Grouper groups I build them with the SQL query

 

            select wsuExternalSystemID as subject_id from oraclepersonregistry where employeerole like ‘%Hourly%’

 

and this successfully builds my group in Grouper. And each person it finds has the Unique ID with their wsuExternalSystemID as I’d expect.

 

My question is, am I going to have any problem with using PSPNG to build a group in AD when the users are being referenced by an extended schema AD attribute? These are my userSearch values:

 

changelog.consumer.pspng_activedirectory.userSearchBaseDn = ou=people,dc=testingAD,dc=wsu,dc=edu

changelog.consumer.pspng_activedirectory.userSearchFilter = wsuExternalSystemID=${subject.id}

changelog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,wsuexternalsystemid,userprincipalname,objectclass

 

 

 

 

Dean Guenther                          
Washington State University    Phone:    509 335-0433
Pullman, WA. 99164-1222        fax:      509 335-0540
Identity and Access Management Manager