[GAP] RenameGroup not supported

Michael R Gettes gettes at gmail.com
Fri Jan 29 12:39:48 EST 2016 

here’s my recall - i am sure jeaton will correct whatever i may get wrong.

as we were developing this code we were considering the problems we were going to solve and what issues we would have.  We knew we wanted to use GAP to provision into AD.  The “right” way to do AD is your stem components get broken down into OU components.  cn=apps:servicenow:foo,ou=groups,dc=blah as a normal LDAP group would be cn=foo,ou=servicenow,ou=apps,dc=blah in AD.  Tall and spiky vs. flat and bushy LDAP DIT.  As jeaton notes, a modrdn is easy in normal LDAP where DIT is tall and spiky.  a group name change in AD is less so. i hope this explains why GAP is where it is right now.  Figuring out an effective way of fixing the AD problem would allow for a group rename all around for LDAP-ish settings.  What other environments might have a similar problem?  Google?  MS O-365?  Box?  remember, while GAP does LDAP/AD now, it’s intended design is to be for any app.

/mrg

> On Jan 29, 2016, at 9:39 AM, Jeffrey Eaton via Identity-services-gap <identity-services-gap at lists.andrew.cmu.edu> wrote:
> 
> I believe we had some concerns with allowing group renames, and how to best implement it cross-platform.
> 
> You could do a modrdn operation if your LDAP server supports it, or just create a new group and delete the old one.  Each has its advantages/diadvantages - for example, if you delete and recreate in AD, the SID will change.  That may or may not be what you want in that case. 
> 
> In general, we have just decided to err on the side of not renaming groups.  If a group needs to change, we create a new group, and then delete the old.
> 
> -jeaton
> 
> 
>> On Jan 28, 2016, at 9:27 PM, Jeff McCullough via Identity-services-gap <identity-services-gap at lists.andrew.cmu.edu> wrote:
>> 
>> 
>> I just noticed that renameGroup isn’t supported. Does anyone know why that is the case?
>> 
>> 		elsif ( $data->{"operation"} eq "renameGroup" ) {
>> 			$log->info("Rename not handled...Skipping ActiveMQ message");
>> 		}
>> 
>> Thanks,
>> Jeff
>> 
>> _______________________________________________
>> Identity-services-gap mailing list
>> Identity-services-gap at lists.andrew.cmu.edu
>> https://lists.andrew.cmu.edu/mailman/listinfo/identity-services-gap
> 
> _______________________________________________
> Identity-services-gap mailing list
> Identity-services-gap at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/identity-services-gap

More information about the Identity-services-gap mailing list