Grouper Call 22-Dec-2010
Tom Barton, U. Chicago, Chair
Chris Hyzer, U. Penn
Gary Brown, Bristol
Shilen Patel, Duke
Tom Zeller, U. Memphis
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
New Action Items
[AI] (Shilen) will create a Jira for the stem set table work
[AI] (TomZ) will report on timing for Grouper demo work
Carry Over Action Items
[AI] (TomZ) will create a wiki page enumerating activities related to connectors.
[AI] (TomZ) will work with Chad in the process of proposing a Working Group to focus on provisioning.
[AI] (Gary) will send a note to Rob and the Grouper-users list regarding using pointers to or incorporating existing Grouper intro material in the Grouper book
[AI] (TomZ and Chris) will discuss/work on LDAP Grouper Loader for importing groups. JIRA 442
[AI] (Everyone) review Rob's chapters and give him feedback on the Grouper Users List. https://spaces.at.internet2.edu/display/GrouperWG/GrouperBook
[AI] (TomB) will explore new international participation for work on the Grouper UI.
[AI] (Emily) will give suggestions to Ann KW on the community contributions page of the wiki: https://spaces.at.internet2.edu/display/Grouper/Contributions
Grouper Wiki Status
Thanks to Chris for providing a database query for finding the most recently updated wiki pages. SteveO ran the query and provided the results to Ann KW, who is working on this. There is still a slow, manual process involved in ensuring the new wiki is correct in all cases. Ann KW says she is making good progress, and hasn't been getting many reports lately of broken pages.
Follow-up on External Members and Unique Identifiers
Following the discussion on the 8-Dec-2010 Grouper-dev call about external members and identifiers, Chris reached out to SURFnet to learn how they handle the unique identifier issue for external members in COIN, and to Benn Oshrin to learn the COmanage approach. Chris learned:
- SURFnet requires EPPN; without it, an external member can't use the COIN services.
- Decisions aren't final with the COmanage approach, but they are not currently worried about the external member identifier issue.
Chris noted that the 12-Jan-2011 IAM Online webinar on persistent identifiers in education could be helpful in exploring the problems.
Thanks to Shilen for taking the lead on the patch fixing the security issue regarding the Grouper UI and audit logs.
The approach of providing a security patch without requiring Grouper users to do an upgrade is good. This works well when not much code is being altered.
Stem Set Table
A stem set table provides the benefit that with one query it would be possible to view the hierarchy of a namespace. One use case is to be able to see what the parent or children folders are without having to do a wildcard query, since SQL queries with wildcards can cause issues and are not dependable. The stem set table can also help with notification when there is a need to notify descendants or ancestors.
(Shilen) will create a Jira for the stem set table work
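The following is an added example, not Grouper code: it contrasts a wildcard lookup with a stem set (ancestor/descendant) table, using SQLite. The table and column names and the colon-separated sample namespace are hypothetical and constructed for illustration; the wildcard failure shown is the `_` character in a folder name acting as a LIKE wildcard.

```python
import sqlite3

# Constructed sample namespace; the schema below is hypothetical,
# not Grouper's actual tables.
STEMS = ["edu", "edu:a_b", "edu:a_b:staff", "edu:axb", "edu:axb:staff"]

def build(stems):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stem (name TEXT PRIMARY KEY)")
    # One row per (ancestor, descendant) pair; depth 0 is the stem itself.
    db.execute("CREATE TABLE stem_set (ancestor TEXT, descendant TEXT,"
               " depth INTEGER, PRIMARY KEY (ancestor, descendant))")
    for name in stems:
        db.execute("INSERT INTO stem VALUES (?)", (name,))
        parts = name.split(":")
        for i in range(1, len(parts) + 1):
            db.execute("INSERT INTO stem_set VALUES (?, ?, ?)",
                       (":".join(parts[:i]), name, len(parts) - i))
    return db

def descendants_wildcard(db, stem):
    # Wildcard lookup: '_' and '%' inside the stem name are LIKE wildcards,
    # so 'edu:a_b:%' also matches names under 'edu:axb'.
    rows = db.execute("SELECT name FROM stem WHERE name LIKE ? ORDER BY name",
                      (stem + ":%",))
    return [r[0] for r in rows]

def descendants_stem_set(db, stem):
    # Exact-match lookup on the stem set table: one query, no pattern.
    rows = db.execute("SELECT descendant FROM stem_set WHERE ancestor = ?"
                      " AND depth > 0 ORDER BY descendant", (stem,))
    return [r[0] for r in rows]

def ancestors_stem_set(db, stem):
    # Ancestors nearest-first, e.g. to decide whom to notify.
    rows = db.execute("SELECT ancestor FROM stem_set WHERE descendant = ?"
                      " AND depth > 0 ORDER BY depth", (stem,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build(STEMS)
    print(descendants_wildcard(db, "edu:a_b"))
    print(descendants_stem_set(db, "edu:a_b"))
    print(ancestors_stem_set(db, "edu:a_b:staff"))
```
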
LDAPPC-ng and the Grouper Demo
TomZ raised the question of how LDAPPC-ng should be depicted on the Grouper demo site. The provisioning capability needs to be hooked up to something to show off well in a demo. Issues include:
- Do we want users to have a web-based UI to review the results of the provisioning in LDAP or is a command line interface sufficient? Some may find a command line interface awkward.
- Do we want to enable query at random or do we just want to show what happened to LDAP as a result of the provisioning actions? In this case we could show just a log file.
- We could require a password to view the data if we use the web-based UI approach. Would need to consult with Internet2 TSG group. Provide temporary 30-day accounts?
- Could use a Java-based server like ApacheDS.
- What about issues around keeping the Grouper demo, and its provisioning capabilities, up-to-date?
- A more long-term solution could involve bundling provisioning with Quickstart.
- Another approach is to move forward with a Grouper demo VM, as Rob has suggested. This VM would presumably include an LDAP directory.
- Decision: the best solution is to provide an embedded Java-based LDAP server as part of the Quickstart and ship it with a default configuration for LDAPPC-ng as part of the demo. User groups that are created on the demo will get provisioned to the Java-based server.
(TomZ) will report on timing for Grouper demo work
Could have more than one config file to show off the permissions and attribute features. If running this on your own box, you can comment in or out the features you want to have working.
For later discussion: more on how to represent permissions in LDAP and show that on the demo.
Chris will work on the LDAP loader. The approach is to pick some attribute and put people in a group based on that, or to use an LDAP filter to return a list of group members.
TomZ: It would be good to have a nice tool in Java (or PHP) that was a web front end to view the results. Could be Shib protected. It would be read-only.
Wikipedia has a list of tools under "List of LDAP software". Perhaps ask folks on the IdM list for tool recommendations.
Q: Chris: Is it final that we are doing a Grouper VM?
A: TomB: No, need to discuss more with Rob on a call.
Chris reported on the FIFER project he is involved with. It is a group working to build a standard IdM API for various things, starting with a groups API. A subject API should also be dealt with early on.
People on the monthly calls include representatives from Grouper, COmanage, Kuali, uPortal, Sakai, and more.
The group is starting to look at use cases. Chris created questions to help form the scope. Chris will continue to keep the Grouper-dev group and the paccman WG updated on progress.
Next Call: Wed 5-Jan-2011, Noon ET