Skip to Content.
Sympa Menu

grouper-users - [grouper-users] Re: using AD extended schema attribute for anchor

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Re: using AD extended schema attribute for anchor

Chronological Thread 
  • From: "Guenther, Dean R." <>
  • To: "Coleman, Erik C" <>, "" <>
  • Subject: [grouper-users] Re: using AD extended schema attribute for anchor
  • Date: Wed, 13 Jun 2018 14:46:28 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:uuS9kxQRAAWN3bGhZJxDa314wNpsv+yvbD5Q0YIujvd0So/mwa6zYhCN2/xhgRfzUJnB7Loc0qyK6/2mATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfbN/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4qF2QxHqlSgHLSY0/mHJhMJtkKJVrhGvpxJ9zIHaYYGaKPVxc7jHct8GQGpMRNpdWjZDD466coABD/ABPeFdr4TlqVcArAa+CheqBOPzyj9HmGX20bUn2OovDw7JxgogFM8SvnjOotn+KaAfUe+ozKbWyzXDc/NW1inn6IXTfBEhuuyMUahufsXM1EkiDgXIhUiTp4z9Jz6ZyP4Cv3SG4+dlSO6jlnMrpgR/ojWg2ssglozEhowLxV3L6Sl0xYM4KNykREFnedKpEZ9duzuHO4Z3Q84uWW5ltScgxrEbt5O3YDAGyJo5yBPcd/CKdo2F7x3hWeuRJDp1hHZodbKiiBu3/0WtzvDzWdOx3VtLsiZInNbBu3YQ3BLJ8MeHUOFy/kK51DaPyQ/T7uZELFgsm6fHLJAt3qM8moMOv0rbAyP6gUL2g7SIeUk+/eio9vjnba7hpp+BMY97lxvyMrw0msy4HeQ3LBQBX3Sa+eS70r3v50r5QKhWjv0ylanZt5PaKd4Hqa6+Bg9Zyocj6xChADe6yNkUg2MIIE5YdB+CkoTlJkzCLfX2Dfqwn1igjDJmx/7YMbDuHpnAK33Onbb9cblh80JczRA8zdFb55JaELEBJ/fzV1f+tNzFEBA5NRC0w+b5B9VnzY4fV3mPArKDPKzMrFCI+/ojI/OQa48NpDb9N/8l6ubhjX8jnl8dYLGp0oUNaHyhA/RmOFuWYWD3gtoaFWcKvxE+TPDxiFGcSzJTZnCyX74i6TEhDoKpE5vDSp63jLOfwSi7A84eWmcTQHuLFXrtfoPAE9oWaSHaCYUpxjEPXpCgT4sg0xavr0n3x6cxaqKe9TcfqIruzp1o/ODJjjkz8yB5FcKQzzvLQm1p1CtcSCUxwbhyuwlg0VqZyoB5heBVD9pe+6kPXwsnY83y1et/XprdRw/HYteEUhLubtivB3kLCJh5l9ATbkBhG9i4pg/YwmynD6JDxO/DP4A97q+Jhyu5HM160XuTjKQ=
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Thanks Eric, this is helpful – Dean





Dean Guenther                          
Washington State University    Phone:    509 335-0433
Pullman, WA. 99164-1222        fax:      509 335-0540
Identity and Access Management Manager



From: "Coleman, Erik C" <>
Date: Tuesday, June 12, 2018 at 8:04 PM
To: "" <>, "" <>
Subject: RE: using AD extended schema attribute for anchor


We have a slightly similar model with an extended attribute “uiucEduUIN” that requires users to be in a special AD group with extra privs to see the attribute. I don’t foresee a problem here, as the group creation LDIF is doing nothing more than establishing an entry in the link-table between the group and user, and would be using the same bind credentials as the loader job.



Erik Coleman

University of Illinois at Urbana-Champaign



From: <> On Behalf Of Guenther, Dean R.
Sent: Tuesday, June 12, 2018 1:10 PM
Subject: [grouper-users] using AD extended schema attribute for anchor


I have an Active Directory extended schema attribute wsuExternalSystemID which contains a unique ID for each person. Its similar to what you might find in employeeID. This attribute is a confidential attribute, and I have granted my ldap.pspng_activedirectory.user to have full access to this extended AD attribute. For my Grouper groups I build them with the SQL query


            select wsuExternalSystemID as subject_id from oraclepersonregistry where employeerole like ‘%Hourly%’


and this successfully builds my group in Grouper. And each person it finds has the Unique ID with their wsuExternalSystemID as I’d expect.


My question is, am I going to have any problem with using PSPNG to build a group in AD when the users are being referenced by an extended schema AD attribute? These are my userSearch values:


changelog.consumer.pspng_activedirectory.userSearchBaseDn = ou=people,dc=testingAD,dc=wsu,dc=edu

changelog.consumer.pspng_activedirectory.userSearchFilter = wsuExternalSystemID=${}

changelog.consumer.pspng_activedirectory.userSearchAttributes = dn,cn,wsuexternalsystemid,userprincipalname,objectclass





Dean Guenther                          
Washington State University    Phone:    509 335-0433
Pullman, WA. 99164-1222        fax:      509 335-0540
Identity and Access Management Manager


Archive powered by MHonArc 2.6.19.

Top of Page