There are two LDAP use cases from University of Michigan that will be ready in Grouper v2.5.40
Outdated wiki
To do for 2.5.42
- Directory of PEM files to be added to the trust store
- Incrementals based on your current config
- Update the labels and descriptions in LDAP config to be more descriptive (describe entity link and translations better)
- Compare provisioning configs and see what the difference is
- Diagnostics page?
- Add example filter for "entity search filter" / "entity search all" (the "group search" equivalents have examples) in the provisioning setup
Provision to AD, users exist
Two use cases:
- Software distribution management (dozens of groups)
- Printing (couple hundred groups)
| Category | Requirement | Description |
|---|---|---|
| Memberships | provisioningType | groupAttributes |
| Entities | entity link | look up entities to get DN to use in group members attribute value |
| | ldap is not subject source | subject source is somewhere else |
| | should include all subjects | do not create subjects not found, should not error out. full sync will fix |
| | there is no eligibility group | provision all subjects |
| | select which sources to provision | |
| Subjects | subject link | look up subjects to get netId |
| | try to use subjectIdentifier0 | if the grouper member table has subjectIdentifier0, use that, otherwise resolve the subject |
| | does USDU update subjectIdentifier0? | check that USDU updates that value. or is it updated during provisioning from members table? |
| | do not provision subjects without a netId | fixed in full sync |
| Groups | grouper provisions to one OU | specify an OU for flat provisioning |
| | cn is group name | cn is group name |
| | if group name is more than 64 characters, then skip | this should not be marked as error since it shouldn't retry. will try at next full sync? |
| | groups and folders will be selected for provisioning | |
| | groups can have no members or can have no member attribute | |
| | delete groups in ldap which aren't in grouper | |
| | group attributes: objectClass, dn, cn, member, sAMAccountName | |
| | group uuid mapped to ldap attribute umichDirectoryID | instead of idIndex |
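As an added illustration (not Grouper's own code or configuration), this applies the rules in the table above to constructed sample data: entity link lookup of the member DN, subjectIdentifier0 before subject resolution, skipping subjects without a netId or without an AD entity, skipping groups whose cn exceeds 64 characters without raising an error, omitting the member attribute on empty groups, mapping the group uuid to umichDirectoryID, and listing AD groups to delete. GROUP_OU, AD_ENTITIES and the dict keys are assumptions made for the example.

```python
# Added example (not Grouper's own code); GROUP_OU, AD_ENTITIES and the dict keys are assumptions.
GROUP_OU = "OU=GrouperGroups,DC=example,DC=edu"   # single OU for flat provisioning
MAX_CN_LEN = 64

# Constructed stand-in for the AD entity lookup (entity link): netId -> DN
AD_ENTITIES = {
    "ajones": "CN=ajones,OU=People,DC=example,DC=edu",
    "bsmith": "CN=bsmith,OU=People,DC=example,DC=edu",
}

# Constructed Grouper-side input: groups with members as read from the member table
SAMPLE_GROUPS = [
    {"name": "print-lab1", "uuid": "g-1", "members": [
        {"subjectIdentifier0": "ajones"},          # netId already in member table
        {"subjectIdentifier0": None, "resolvedNetId": "bsmith"},  # must resolve subject
        {"subjectIdentifier0": None, "resolvedNetId": None},      # no netId: skip
        {"subjectIdentifier0": "nobody"},          # not in AD: skip, do not create
    ]},
    {"name": "sw-empty", "uuid": "g-2", "members": []},
    {"name": "x" * 65, "uuid": "g-3", "members": []},   # cn over 64 chars: skip group
]

def resolve_net_id(member):
    """Subject link: prefer subjectIdentifier0, otherwise resolve the subject (stand-in)."""
    return member.get("subjectIdentifier0") or member.get("resolvedNetId")

def translate_group(group):
    """Return the AD group entry, or None when the group is skipped (not an error)."""
    cn = group["name"]
    if len(cn) > MAX_CN_LEN:
        return None                    # not retried; the next full sync re-evaluates it
    members = []
    for m in group["members"]:
        net_id = resolve_net_id(m)
        if not net_id:
            continue                   # subject without a netId is not provisioned
        dn = AD_ENTITIES.get(net_id)
        if dn is None:
            continue                   # entity missing in AD: do not create, do not fail
        members.append(dn)
    entry = {"dn": f"CN={cn},{GROUP_OU}", "objectClass": ["top", "group"], "cn": cn,
             "sAMAccountName": cn, "umichDirectoryID": group["uuid"]}  # uuid, not idIndex
    if members:                        # member attribute omitted for an empty group
        entry["member"] = members
    return entry

def groups_to_delete(ad_group_cns, grouper_groups):
    """AD groups in the target OU that no longer exist in Grouper are removed."""
    return sorted(set(ad_group_cns) - {g["name"] for g in grouper_groups})
```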
Provision to different AD, not all users exist
Similar to above but create users that don't exist
| Category | Requirement | Description |
|---|---|---|
| Entities | createIfNotFound | |
| | create in one OU | |
| | attributes to use when creating | |