Information Technology
A Division of Information Services

Identity Management Services

Grouper LDAP Group Management
Identity Management Services manages two LDAP directories. The primary directory, directory.ku.edu, is used for our person directory, authentication, and email alias translation.

The secondary directory, directory.net.ku.edu, is used by Networking and Telecommunications Services (NTS) for managing DHCP, ANSR, wireless access, and various other services.

This page describes managing LDAP groups for both directories.

Setting up an LDAP Group

Just create a group in the stem assigned to you by Identity Management and check the ldapGroup box.

Once you add some members to the group, it will be created and populated in the branch:

ou=automatic, ou=groups, dc=ku, dc=edu

The stem names, minus the initial ku, will be used to create a hierarchy of organizational units in which your group will be created.

For example, if your group's name is

ku:myDivision:myUnit:myGroup

the group will have the distinguished name (DN)

cn=myGroup, ou=myUnit, ou=myDivision, ou=automatic, ou=groups, dc=ku, dc=edu

and the description attribute for the LDAP group will be generated from the displayExtension and the description for the Grouper group.

As you add and remove members from your group, the group membership will automatically be provisioned and deprovisioned via a process that can take up to two minutes to complete.

Bugs

Currently, if the group already has members when you check the ldapGroup box, the current members will not be provisioned into LDAP. You will need to remove and re-add each immediate member to get them added. Essentially, the current process only captures membership changes, not group type changes. This will be addressed in the near future.
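The naming rule and the provisioning gap described above can be checked with a short script. This is an added example, not Identity Management's own code: it derives the DN a Grouper group should have (written without the spaces after commas shown above, and with RFC 4514 escaping) and compares two membership lists to find members who were never provisioned. The function names and sample user IDs are constructed, and it assumes both lists use the same identifier for each person.

```python
# Added example: expected DN for a Grouper group, plus a membership drift check.
# Function names and sample data are constructed for illustration.

BASE_DN = "ou=automatic,ou=groups,dc=ku,dc=edu"  # branch named on this page


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def grouper_name_to_dn(name, root="ku", base_dn=BASE_DN):
    """Map ku:stem1:stem2:group to cn=group,ou=stem2,ou=stem1,<base_dn>."""
    parts = name.split(":")
    if len(parts) < 2 or parts[0] != root or any(not p for p in parts):
        raise ValueError("expected a name of the form ku:stem:...:group")
    *stems, group = parts[1:]
    rdns = ["cn=" + escape_rdn_value(group)]
    rdns += ["ou=" + escape_rdn_value(s) for s in reversed(stems)]
    return ",".join(rdns + [base_dn])


def membership_drift(grouper_members, ldap_members):
    """Return (missing_in_ldap, extra_in_ldap), compared case-insensitively."""
    want = {m.strip().lower() for m in grouper_members}
    have = {m.strip().lower() for m in ldap_members}
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    # Constructed sample: two members predate the ldapGroup box being checked.
    grouper = ["asmith", "bjones", "cdoe"]
    ldap = ["cdoe"]
    print(grouper_name_to_dn("ku:myDivision:myUnit:myGroup"))
    print(membership_drift(grouper, ldap))
```

Members reported as missing are the ones to remove and re-add in Grouper; anything reported as extra is an LDAP entry with no matching Grouper membership and is worth reviewing.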