grouper-users - [grouper-users] Re: using AD extended schema attribute for anchor
Subject: Grouper Users - Open Discussion List
List archive
- From: "Guenther, Dean R." <>
- To: "Coleman, Erik C" <>, "" <>
- Subject: [grouper-users] Re: using AD extended schema attribute for anchor
- Date: Wed, 13 Jun 2018 14:46:28 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is ) ;
- Ironport-phdr: 9a23:uuS9kxQRAAWN3bGhZJxDa314wNpsv+yvbD5Q0YIujvd0So/mwa6zYhCN2/xhgRfzUJnB7Loc0qyK6/2mATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfbN/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4qF2QxHqlSgHLSY0/mHJhMJtkKJVrhGvpxJ9zIHaYYGaKPVxc7jHct8GQGpMRNpdWjZDD466coABD/ABPeFdr4TlqVcArAa+CheqBOPzyj9HmGX20bUn2OovDw7JxgogFM8SvnjOotn+KaAfUe+ozKbWyzXDc/NW1inn6IXTfBEhuuyMUahufsXM1EkiDgXIhUiTp4z9Jz6ZyP4Cv3SG4+dlSO6jlnMrpgR/ojWg2ssglozEhowLxV3L6Sl0xYM4KNykREFnedKpEZ9duzuHO4Z3Q84uWW5ltScgxrEbt5O3YDAGyJo5yBPcd/CKdo2F7x3hWeuRJDp1hHZodbKiiBu3/0WtzvDzWdOx3VtLsiZInNbBu3YQ3BLJ8MeHUOFy/kK51DaPyQ/T7uZELFgsm6fHLJAt3qM8moMOv0rbAyP6gUL2g7SIeUk+/eio9vjnba7hpp+BMY97lxvyMrw0msy4HeQ3LBQBX3Sa+eS70r3v50r5QKhWjv0ylanZt5PaKd4Hqa6+Bg9Zyocj6xChADe6yNkUg2MIIE5YdB+CkoTlJkzCLfX2Dfqwn1igjDJmx/7YMbDuHpnAK33Onbb9cblh80JczRA8zdFb55JaELEBJ/fzV1f+tNzFEBA5NRC0w+b5B9VnzY4fV3mPArKDPKzMrFCI+/ojI/OQa48NpDb9N/8l6ubhjX8jnl8dYLGp0oUNaHyhA/RmOFuWYWD3gtoaFWcKvxE+TPDxiFGcSzJTZnCyX74i6TEhDoKpE5vDSp63jLOfwSi7A84eWmcTQHuLFXrtfoPAE9oWaSHaCYUpxjEPXpCgT4sg0xavr0n3x6cxaqKe9TcfqIruzp1o/ODJjjkz8yB5FcKQzzvLQm1p1CtcSCUxwbhyuwlg0VqZyoB5heBVD9pe+6kPXwsnY83y1et/XprdRw/HYteEUhLubtivB3kLCJh5l9ATbkBhG9i4pg/YwmynD6JDxO/DP4A97q+Jhyu5HM160XuTjKQ=
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
|
Thanks Eric, this is helpful – Dean Dean Guenther From: "Coleman, Erik C" <> We have a slightly similar model with an extended attribute “uiucEduUIN” that requires users to be in a special AD group with extra privs to see the attribute. I don’t foresee a problem here, as the group
creation LDIF is doing nothing more than establishing an entry in the link-table between the group and user, and would be using the same bind credentials as the loader job. -- Erik Coleman University of Illinois at Urbana-Champaign From: <>
On Behalf Of Guenther, Dean R. I have an Active Directory extended schema attribute wsuExternalSystemID which contains a unique ID for each person. Its similar to what you might find in employeeID. This attribute is a confidential
attribute, and I have granted my ldap.pspng_activedirectory.user to have full access to this extended AD attribute. For my Grouper groups I build them with the SQL query select wsuExternalSystemID as subject_id from oraclepersonregistry where employeerole like ‘%Hourly%’ and this successfully builds my group in Grouper. And each person it finds has the Unique ID with their wsuExternalSystemID as I’d expect. My question is, am I going to have any problem with using PSPNG to build a group in AD when the users are being referenced by an extended schema AD attribute? These are my userSearch values: changelog.consumer.pspng_activedirectory.userSearchBaseDn = ou=people,dc=testingAD,dc=wsu,dc=edu changelog.consumer.pspng_activedirectory.userSearchFilter = wsuExternalSystemID=${subject.id} changelog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,wsuexternalsystemid,userprincipalname,objectclass Dean Guenther |
- [grouper-users] using AD extended schema attribute for anchor, Guenther, Dean R., 06/12/2018
- [grouper-users] RE: using AD extended schema attribute for anchor, Coleman, Erik C, 06/13/2018
- [grouper-users] Re: using AD extended schema attribute for anchor, Guenther, Dean R., 06/13/2018
- [grouper-users] RE: using AD extended schema attribute for anchor, Coleman, Erik C, 06/13/2018
Archive powered by MHonArc 2.6.19.