The LDAP Provisioning Plugin is designed to provision Registry data into an LDAP server.
Operations
Registry CO Person Transaction | LDAP Action |
|---|---|
Add | Add entry to LDAP (if entry already exists, throw error; manual provisioning required) |
Edit | Update configured attributes only (other attributes will be left untouched) |
Enter Grace Period | No changes (unless attributes change as part of grace period) |
Expiration / Becomes Inactive | Remove entry from LDAP (or place into some sort of referential integrity state for archival purposes?) |
Unexpire / Becomes Active | Add entry to LDAP (if entry already exists, throw error; manual provisioning required) |
Delete | Remove entry from LDAP |
Manual Provision | If entry exists: Update configured attributes only |
Registry CO Group Transaction | LDAP Action |
|---|---|
Add | Write CO Group record (including memberships) to LDAP, but only if there is at least one member* |
Edit | Write CO Group record (not including memberships) to LDAP, but only if there is at least one member* |
Delete | Write CO Group record to changelog (attributes will be empty) |
Manual Provision | Write CO Group record (not including memberships) to LDAP, but only if there is at least one member* |
* The groupOfNames schema requires at least one member. If there are no members of a group, the Provisioner will delete the group.
Note that adding or deleting group memberships will trigger edit provisioning on both the affected CO Person and the affected CO Group.
Configuration
| Note |
|---|
When using this plugin, it is recommended to add database encryption for the |
The LDAP Provisioning Plugin automatically converts the internal Registry data model into the following LDAP object classes:
personorganizationalPersoninetOrgPersoneduPerson(must be enabled)eduMember(must be enabled)groupOfNames(must be enabled)posixAccount(experimental, must be enabled)ldapPublicKey(must be enabled)
When configuring the Plugin, you can select which object classes to use and which attributes within those object classes to export to LDAP. When attributes come from data model attributes that are typed, a specific type can be selected, or all types can be selected. When multiple values are not supported, the first obtained value will be exported. Unless otherwise noted, only attributes attached to the CO Person record are exported. (Org Identity attributes are not.)
Attributes are mapped as follows:
Attribute | Object Class | Data Model | Multiple Values Exported? |
|---|---|---|---|
cn | person | Only the preferred name attached to the CO Person is exported (CO-333) | |
cn | groupOfNames | cm_co_groups name | |
eduPersonAffiliation | eduPerson | cm_co_person_roles affiliation (possibly mapped via cm_co_extended_types) | |
eduPersonPrincipalName | eduPerson | cm_identifiers identifier | |
employeeNumber | inetOrgPerson | cm_identifiers identifier | |
employeeType | inetOrgPerson | cm_co_person_roles affiliation | |
facsimileTelephoneNumber | organizationalPerson | cm_telephone_numbers number | |
gecos | posixAccount | | |
gidNumber | posixAccount | cm_identifiers identifier where type is | |
givenName | inetOrgPerson | cm_names given | Only the preferred name attached to the CO Person is exported (CO-333) |
hasMember | eduMember | cm_identifiers identifier | |
homeDirectory | posixAccount | cm_identifiers identifier where type is | |
isMemberOf | eduMember | cm_co_groups name | |
l | organizationalPerson | cm_addresses locality | |
loginShell | posixAccount | Currently hard coded | |
inetOrgPerson | cm_email_addresses mail | | |
member | groupOfNames | | |
mobile | inetOrgPerson | cm_telephone_numbers number | |
o | inetOrgPerson | | |
ou | organizationalPerson | | |
postalCode | organizationalPerson | cm_addresses postal_code | |
sshPublicKey | ldapPublicKey | | |
sn | person | cm_names family | Only the preferred name attached to the CO Person is exported (CO-333) |
st | organizationalPerson | cm_addresses state | |
street | organizationalPerson | cm_addresses line1 | |
telephoneNumber | organizationalPerson | cm_telephone_numbers number | |
title | organizationalPerson | cm_co_person_roles title | |
uid | inetOrgPerson, posixAccount | cm_identifiers identifier | |
uidNumber | posixAccount | cm_identifiers identifier where type is | |
posixAccount support is experimental and subject to change in a future release (CO-866).
Configuring DNs
Base DNs must be configured for each LDAP Provisioning Target. A People Base DN is mandatory. A Group Base DN is only required if the groupOfNames objectclass is enabled.
For People entries, an identifier label and type must be selected which will be used to create the person-specific portion of the DN. Be sure to pick an identifier that will always be defined for all people, as the Plugin will be unable to export records for which it cannot generate a DN. You may wish to use an identifier that you have configured Registry to assign automatically. The selected identifier must also be exported as part of the record (the Plugin will do this automatically if you don't configure it).
For Group entries, the name of the group is placed into cn and used to construct the DN. Thus, all Groups will have DNs of the form cn=Group Name,Group Base DN.
If an element of a DN changes for a CO Person or a CO Group, the Plugin will automatically assign a new DN and rename the entry the next time the entry is provisioned.
| Note | ||
|---|---|---|
| ||
The LDAP Provisioning Plugin requires LDAP protocol v3 in order to rename an entry when its DN changes. |
Other Customization
Additional customization is planned (CO-551, CO-564).
| Info | ||
|---|---|---|
| ||
You may write to LDAP via other services or applications to maintain attributes that are not managed by COmanage Registry. For example, you might use a mailing list manager to maintain list memberships in LDAP. However, you should be aware of the implications of the operations described above. For example, if the LDAP Provisioning Plugin decides to delete an entry from LDAP, the attributes managed by external applications in that entry will also be deleted. |