Grouper / GRP-275

ldappc must be run twice to correctly provision groups whose members include other groups

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2
    • Fix Version/s: 1.5.0
    • Component/s: provisioning
    • Labels:
      None

      Description

      Groups which have yet-to-be-provisioned groups as members require more than one invocation of ldappc to be correctly provisioned.

      Provisioning Active Directory will likely require ldappc to first provision all groups without any members, then once all groups exist, provision memberships. I think that this methodology is safer than running ldappc multiple times.

      A potential drawback to provisioning skeleton groups before memberships is that during an ldappc run groups might be seen as 'incorrect' to consuming applications because memberships haven't been provisioned yet. To ameliorate confusion we might provision the member attribute as "TBD" or somesuch, depending on what the target ldap schema allows.

              People

              Assignee:
              tom.zeller@at.internet2.edu Tom Zeller
              Reporter:
              tom.zeller@at.internet2.edu Tom Zeller
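
The ordering problem described in this issue, as an added example (not ldappc code and not written by the reporter): a toy directory that, by assumption, discards member DNs that do not exist yet. A single-pass run leaves the nested group out until a second run, while creating skeleton groups before memberships converges in one run. All class, function and DN names are hypothetical.

```python
class Directory:
    """Hypothetical toy directory (not ldappc): keeps a member DN only if that entry exists."""
    def __init__(self, existing=()):
        self.entries = {dn: set() for dn in existing}  # DN -> member DNs

    def create(self, dn):
        self.entries.setdefault(dn, set())

    def set_members(self, dn, members):
        self.entries[dn] = {m for m in members if m in self.entries}


def provision_single_pass(directory, groups):
    """Create each group and write its members in one step, in registry order."""
    for dn, members in groups.items():
        directory.create(dn)
        directory.set_members(dn, members)


def provision_two_phase(directory, groups):
    """Phase 1 creates every group empty; phase 2 writes memberships."""
    for dn in groups:
        directory.create(dn)
    for dn, members in groups.items():
        directory.set_members(dn, members)


def drift(directory, groups):
    """Return {group DN: members the registry has but the directory lacks}."""
    gaps = {}
    for dn, members in groups.items():
        missing = set(members) - directory.entries.get(dn, set())
        if missing:
            gaps[dn] = missing
    return gaps


# Constructed sample data: "admins" contains the group "ops".
USERS = ["uid=alice,ou=people", "uid=bob,ou=people"]
GROUPS = {
    "cn=admins,ou=groups": {"uid=alice,ou=people", "cn=ops,ou=groups"},
    "cn=ops,ou=groups": {"uid=bob,ou=people"},
}

if __name__ == "__main__":
    one, two = Directory(USERS), Directory(USERS)
    provision_single_pass(one, GROUPS)
    provision_two_phase(two, GROUPS)
    print("single pass:", drift(one, GROUPS), "| two phase:", drift(two, GROUPS))
```

Running `drift` after every provisioning run is the check that catches a nested group silently missing from a parent group's membership.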