...
LDAP attributes are grouped into collections called object classes. The LDAP Provisioning Plugin supports several object classes, and various attributes within those object classes. Depending on the object class, it may possible to select some (but not all) attributes within an object class for export. The Plugin assumes full control over any enabled attribute within an object class.
Prior to v1v2.10.0, the Plugin assumed that if an object class is enabled, it controls all attributes within that object class are within its control, even if they are not configured. However, this can cause problems (eg: if you are using an older version of an object class than what the Plugin supports, or if you have another application that you want to manage an attribute). As of v1v2.10.0, two modes are supported, selected via the Unconfigured Attribute Mode setting:
- Ignore: Unconfigured (disabled) attributes within an enabled object class are ignored. Note that if you subsequently disable an attribute after having previously enabled it, existing values of that attribute will not be removed. You will need to manually clean them up. This is the default behavior beginning with Registry v1v2.10.0.
- Remove: Unconfigured attributes within an enabled object class are removed. This is the default behavior prior to Registry v1v2.10.0.
Regardless of this setting, attributes associated with object classes not enabled are left alone (except as described in Operations, below).
...
Versions prior to Registry v1v2.10.0 may not be consistent with this documentation.
...
- Attributes enabled for export, within object classes enabled for export.
- Attributes defined by LDAP Schema Plugins and enabled for export.
- If Unconfigured Attribute Mode is Remove, all other defined attributes within object classes enabled for export (including those defined by Schema Plugins).
| Note |
|---|
When removing an objectclass (whether via configuration or by disabling LDAP Schema Plugins), keep in mind you may receive schema compliance errors from the LDAP server. This can happen because (eg)
In this scenario, it will be necessary to manually clean up the LDAP records to remove |
Registry CO Person Transaction | LDAP Action | Externally Managed Attributes |
|---|---|---|
Add | Add entry to LDAP (if entry already exists it will be deleted and replaced) | Deleted |
Edit | Update configured attributes only | Untouched |
Status Set To Grace Period | No changes (unless attributes change as part of grace period) | Untouched |
Status Set To Expired or Suspended | Update entry to maintain only Person attributes for referential integrity (no Role or Group attributes) | Untouched |
Status Set Back To Active | Restore Role and Group attributes, or add entry to LDAP if not present | Untouched |
Delete, or Status Set To Deleted (or any other status not specified above) | Remove entry from LDAP | Deleted |
Manual Provision | If entry exists: Update configured attributes only
| Untouched |
...
Attribute | Object Class | Data Model | Multiple Values Exported? | Introduced |
|---|---|---|---|---|
cn | person | Only the primary name attached to the CO Person is exported | v0.8 | |
cn | groupOfNames | cm_co_groups name |
| v0.8.2 |
| description | groupOfNames | cm_co_groups description |  | v0.8.2 |
| displayName | inetOrgPerson | cm_names | | v1v2.10.0 |
eduPersonAffiliation | eduPerson | cm_co_person_roles affiliation (possibly mapped via cm_co_extended_types) |
| v0.8 |
| eduPersonEntitlement | eduPerson | cm_co_services (according to member cm_co_groups) |  | v1v2.10.0 |
| eduPersonNickname | eduPerson | cm_names | | v1v2.10.0 |
| eduPersonOrcid | eduPerson | cm_identifiers identifier where type is orcid | | v1v2.10.0 |
eduPersonPrincipalName | eduPerson | cm_identifiers identifier |
| v0.8 |
| eduPersonPrincipalNamePrior | eduPerson | cm_identifiers identifier | | v1v2.10.0 |
| eduPersonScopedAffiliation | eduPerson | cm_co_person_roles affiliation (possibly mapped via cm_co_extended_types, with scope appended) | | v1v2.10.0 |
| eduPersonUniqueId | eduPerson | cm_identifiers identifier (with scope appended) | | v1v2.10.0 |
employeeNumber | inetOrgPerson | cm_identifiers identifier |
| v0.8 |
employeeType | inetOrgPerson | cm_co_person_roles affiliation |
| v0.9.2 |
facsimileTelephoneNumber | organizationalPerson |
| v0.8 | |
gecos | posixAccount |
| v0.9 | |
gidNumber | posixAccount | cm_identifiers identifier where type is |
| v0.9 |
givenName | inetOrgPerson | cm_names given | Only the primary name attached to the CO Person is exported | v0.8 |
hasMember | eduMember | cm_identifiers identifier |
| v0.8.2 |
homeDirectory | posixAccount | cm_identifiers identifier where type is |
| v0.9 |
isMemberOf | eduMember | cm_co_groups name |
| v0.8 |
l | organizationalPerson | cm_addresses locality |
| v0.8 |
loginShell | posixAccount | Currently hard coded |
| v0.9 |
inetOrgPerson | cm_email_addresses mail |
| v0.8 | |
member | groupOfNames |
| v0.8.2 | |
mobile | inetOrgPerson |
| v0.8 | |
o | inetOrgPerson |
| v0.8 | |
ou | organizationalPerson |
| v0.8 | |
| owner | groupOfNames | cm_co_ldap_provisioner_dns DN | | v0.8.2 |
postalCode | organizationalPerson | cm_addresses postal_code |
| v0.8 |
| pwdAccountLockedTime | n/a (see pwdPolicy) | cm_co_people status (set when status is Expired or Suspended) | | v1v2.10.0 |
| roomNumber | inetOrgPerson | cm_addresses room | | v0.9.4 |
sshPublicKey | ldapPublicKey |
| v0.9 | |
sn | person | cm_names family | Only the primary name attached to the CO Person is exported | v0.8 |
st | organizationalPerson | cm_addresses state |
| v0.8 |
street | organizationalPerson | cm_addresses street |
| v0.8 |
telephoneNumber | organizationalPerson |
| v0.8 | |
title | organizationalPerson | cm_co_person_roles title |
| v0.8 |
uid | inetOrgPerson, posixAccount | cm_identifiers identifier |
| v0.8 |
uidNumber | posixAccount | cm_identifiers identifier where type is |
| v0.9 |
...
Adding Additional ObjectClasses
As of Registry v1v2.10.0, populating object classes and attributes other than those described above is supported via LDAP Schema Plugins.
...