Real-Time Provisioning Beta-Testing
Grouper Subject Sources
Institution |
Subject Source |
Number of Subjects |
Subject ID |
|---|---|---|---|
LIGO |
LDAP |
1,000 |
dn: employeeNumber=882,ou=people,dc=ligo,dc=org |
Penn State |
LDAP |
165,000 |
dn:uid=xyx123,dc=psu,dc=edu |
UCLA |
LDAP |
40,000 |
|
UMontreal |
LDAP |
120,000 |
sAMAccountName (value same as cn) |
UVienna |
Undecided |
155,000 |
cn, uid |
UWMadison |
|
|
|
Provisioning Targets
Institution |
Target |
Implementation |
|---|---|---|
LIGO |
LDAP |
OpenLDAP 2.4.x |
Penn State |
LDAP |
IBM Tivoli Directory Server |
UCLA |
LDAP |
Sun Java System Directory Server Enterprise Edition 6.3.1 |
UMontreal |
LDAP |
Active Directory |
UVienna |
LDAP |
Active Directory, OpenLDAP |
UWMadison |
|
|
Provisioning memberOf
The groups that a member is a member of may be provisioned to the memberOf attribute. Some LDAP implementations, such as Active Directory, automatically maintain the memberOf attribute. OpenLDAP maintains the memberOf attribute automatically via the memberOf overlay. The value of the memberOf attribute is typically a group DN.
Institution |
memberOf for members (people) |
memberOf for groups |
|---|---|---|
LIGO |
+ |
|
Penn State |
+ |
|
UCLA |
- |
|
UMontreal |
automatic (Active Directory) |
automatic (Active Directory) |
UVienna |
automatic (Active Directory), OpenLDAP+memberOf |
automatic (Active Directory), OpenLDAP+memberOf |
UWMadison |
+ |
|
Provisioning eduMember
The eduMember objectClass defines the isMemberOf and hasMember attributes, whose values are identifiers which are not DNs.
Institution |
isMemberOf |
hasMember |
|---|---|---|
LIGO |
+ |
+ |
Penn State |
+ |
+ |
UCLA |
uclaIsMemberOf |
uclaHasMember |
UMontreal |
- |
- |
UVienna |
- |
- |
UWMadison |
+ |
+ |
Provisioning eduCourse
The eduCourse objectClass defines course related attributes.
Institution |
eduCourse |
|---|---|
LIGO |
- |
Penn State |
- |
UCLA |
- |
UMontreal |
- |
UVienna |
- |
UWMadison |
+ |
Provisioning Structure
The group provisioning structure may be either flat or bushy. A flat structure provisions all groups into a single container. A bushy structure provisions groups hierarchically.
For example, the DN of a group with name 'edu:stem:group' in a flat structure looks like :
dn: cn=edu:stem:group,ou=groups,dc=example,dc=edu
while the DN of a group with name 'edu:stem:group' in a bushy structure looks like :
dn: cn=group,ou=stem,ou=edu,ou=groups,dc=example,dc=edu
Institution |
Structure (flat or bushy) |
|---|---|
LIGO |
bushy |
Penn State |
flat |
UCLA |
flat |
UMontreal |
bushy |
UVienna |
? |
UWMadison |
flat |
Membership Structure
Given groupA with memberA and groupB with memberB :
dn : cn=groupA,ou=groups member: cn=memberA,ou=people dn: cn=groupB,ou=groups member: cn=memberB,ou=people
If groupB is added as a member to groupA, how do you want groupA to be provisioned :
everything :
dn : cn=groupA,ou=groups member: cn=memberA,ou=people member: cn=memberB,ou=people member: cn=groupB,ou=people
immediate :
dn : cn=groupA,ou=groups member: cn=memberA,ou=people member: cn=groupB,ou=people
The everything membership structure handles applications which may not support nested groups and represents the nested structure of the group memberships.
The same membership structure applies to memberOf :
everything :
dn: cn=memberB,ou=people memberOf: cn=groupB,ou=groups memberOf: cn=groupA,ou=groups
immediate :
dn: cn=memberB,ou=people memberOf: cn=groupB,ou=groups
Institution |
member |
memberOf |
|---|---|---|
LIGO |
|
|
Penn State |
|
|
UCLA |
|
|
UMontreal |
|
|
UVienna |
|
|
UWMadison |
|
|