releasing AD group names

Cantor, Scott cantor.2 at osu.edu
Fri Apr 8 22:29:21 UTC 2022


> Is this a common requirement?

It's not safe, those names aren't unique. Consider two groups called CN=admin but with different OUs. Obvious problem there in the event if a mistake in configuration somewhere.

>    I have not figured out a release policy and/or attribute rule that would do that - perhaps not surprising given
> the name and function of  attribute-filter.xml (i.e., to filter resolved attributes, not manipulate values). But
> perhaps I’ve missed something clever using a combination of policy requirement and attribute rule with 
> regex?

Filtering cannot change values, ever. The resolver has ample capability, between Mapped, RegexSplit, Scripted, etc. Mapped would probably be the simplest for this kind of thing, it can match on a regex and then produce the value based on the matching portion.

-- Scott




More information about the users mailing list