edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Nick Roy <nroy AT internet2.edu>
- To: Sten Aus <sten.aus AT eenet.ee>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: Re: [eduGAIN-discuss] eduPerson schema in Active Directory
- Date: Fri, 15 Dec 2017 18:58:12 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is ) smtp.mailfrom=nroy AT internet2.edu;
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
MACE-Dir depends on those who actually use the LDIF to make updates to
it and share it back to MACE-Dir. If no one does this, the versions of
the LDIF fall behind eduPerson.latest.
So - if you make use of the AD or other schemas, please contribute
changes back to MACE-Dir.
Thanks,
Nick
On 12/14/17 10:48 AM, Sten Aus wrote:
> Hi
>
> Thank you all for your fast and very good feedback!
> I think the most effective solution would be dynamic creation with
> simpleSAMLphp (which they are using).
>
> Best regards
> Sten
>
> On 14/12/2017 14:14, Peter Schober wrote:
>> Hi Sten,
>>
>> TL;DR: What Davide said. I'll just expand a bit on that.
>>
>> * Sten Aus <sten.aus AT eenet.ee> [2017-12-14 10:46]:
>>> I wanted to ask if some of you know (or can ask) how your IdPs
>>> handle eduPerson schema in their Active Directory Services?
>> I don't think /any/ of our institutions extended their LDAP schema in
>> order to join and fully interoperate within the federation. (Well, I
>> did that myself, back when I was running Univie's LDAP and Shibboleth
>> infrastructure, but that was because I wanted to make use of these
>> data structures also within the institution via LDAP, not just SAML.)
>>
>> E.g. here's our documentation on how to create the most common
>> attributes used in eduID.at and eduGAIN, and *none* of these require
>> the addition of the eduPerson (or any other) schema to your LDAP DSA:
>> https://wiki.univie.ac.at/display/federation/IDP+3+Attribute+resolution
>>
>>> If I understand correctly eduPerson is not supported "out of the
>>> box" in AD schema?
>> It's certainly not included in the products as shipped by M$. It
>> should work just fine, though, if you manage to find a current version
>> of it that's in a format you can feed to AD:
>>
>> MACE-Dir (the curator of the eduPerson schema) depends on community
>> contributions to keep the collected schemas up to date and this is not
>> the case with the MS-AD format, it seems:
>> https://spaces.internet2.edu/display/macedir/LDIFs
>> https://spaces.internet2.edu/display/macedir/Active+Directory+eduPerson
>> (Current is 201602, cf. http://macedir.org/specs/eduperson/ )
>>
>> But again, you'll only need this if you decided you want to make use
>> of those data structures via LDAP / within your MS-AD system.
>>
>> Cheers,
>> -peter
>
- [eduGAIN-discuss] eduPerson schema in Active Directory, Sten Aus, 14-Dec-2017
- Re: [eduGAIN-discuss] eduPerson schema in Active Directory, Davide Vaghetti, 14-Dec-2017
- Re: [eduGAIN-discuss] eduPerson schema in Active Directory, Peter Schober, 14-Dec-2017
- Re: [eduGAIN-discuss] eduPerson schema in Active Directory, Sten Aus, 14-Dec-2017
- Re: [eduGAIN-discuss] eduPerson schema in Active Directory, Nick Roy, 12/15/2017
- Re: [eduGAIN-discuss] eduPerson schema in Active Directory, Sten Aus, 14-Dec-2017
Archive powered by MHonArc 2.6.19.