> How do I go about mapping the eduperson attributes to attributes in
> Active Directory
> eduPersonTargetID
A common place to start with this is objectSID - this has the correct
attributes for what you need in terms of reuse. Beware however that it is
binary, http://www.ukfederation.org.uk/content/Documents/EPTIDDefnProblem
not only describes how to get around that, it has some XML you can use.
> eduPersonPrincipalName
Very rarely needed. Source it from sAMAccountName
So that leaves you with EpSA and EpE. EpE is likely to be harder, but OTOH
it is less widespread.
People often have a lot of the stuff that EpSA needs in their AD but it is
hidden as "memberOf" or inside different domains. For instance quite a lot
of sites put staff into one domain and students into another. If you do
have these sorts of distinctions your best bet is to describe them here and
someone will be able to come up with a suggestion (or better still an
example XML file) to help you.
If you find EpE you will need to get more cunning, but the basic rule is the
same.
1) Work out what it is that defines that a user needs this or not
2) Work out how it is stored in the AD
3) If it isn't you need to go elsewhere
4)
In case it helps, here is a template resolver file. It has a very
simplistic approach to EpSA (if you can log in you are a member and that's
all I can say), but it has some example code of how to exploit AD groups to
be smarter. You don't have to use it, and indeed I would prefer that you
think of it as guidance, but if you are like me an example file can help a
lot (and you are already using the arp from the same source :-)
Nigel,
> We already had the SQL database as it was our existing meta-directory and
> is used to populate our AD
FWIW it is surprisingly easy (I was very pleasantly surprised) to connect to
SQLServer and suck out attributes....
Rod
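
The binary objectSID caveat from the message above, as an added example (not part of the original message, the linked UK federation document or the template resolver file): it decodes the raw objectSid bytes to the textual S-1-... form and then derives an opaque value that differs per service provider. The HMAC construction, the function names, the secret and the sample SID are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct


def sid_to_string(raw: bytes) -> str:
    """Decode a binary Windows SID (AD objectSid) to its S-R-A-S1-S2... text form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    # A SID carries at most 15 sub-authorities, each 4 bytes long.
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit value, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit values, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def targeted_id(raw_sid: bytes, sp_entity_id: str, secret: bytes) -> str:
    """Derive an opaque, stable, per-SP identifier from the SID.

    Assumption: HMAC-SHA256 keyed with a site secret. This illustrates the
    idea only; it is not the algorithm of any particular IdP release.
    """
    msg = f"{sp_entity_id}!{sid_to_string(raw_sid)}".encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample: S-1-5-21-<three domain parts>-<RID>, not a real account.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 1105)

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # placeholder; keep the real one private
    print(sid_to_string(SAMPLE_SID))
    for sp in ("https://sp1.example.org/shibboleth",
               "https://sp2.example.org/shibboleth"):
        print(sp, targeted_id(SAMPLE_SID, sp, secret))
```

Decoding before hashing keeps the source value printable, so it can be logged and compared with what AD tools display, and the keyed hash means two service providers cannot correlate the same user by comparing identifiers.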