...
LDAP attributes are grouped into collections called object classes. The LDAP Provisioning Plugin supports several object classes, and various attributes within those object classes. Depending on the object class, it may be possible to select some (but not all) attributes within an object class for export. The Plugin assumes full control over any enabled attribute within an object class.
Prior to Registry v1.1.0, the Plugin assumed that if an object class is enabled, all attributes within that object class are within its control, even if they are not configured. However, this can cause problems (e.g. if you are using an older version of an object class than what the Plugin supports, or if you have another application that you want to manage an attribute). As of v1.1.0, two modes are supported, selected via the Unconfigured Attribute Mode setting:
- Ignore: Unconfigured (disabled) attributes within an enabled object class are ignored. Note that if you subsequently disable an attribute after having previously enabled it, existing values of that attribute will not be removed. You will need to manually clean them up. This is the default behavior beginning with Registry v1.1.0.
- Remove: Unconfigured attributes within an enabled object class are removed. This is the default behavior prior to Registry v1.1.0.
Regardless of this setting, attributes associated with object classes not enabled are left alone (except as described in Operations, below).
Operations
Versions prior to Registry v1.1.0 may not be consistent with this documentation.
Externally Managed Attributes are those not managed by this Plugin. This includes all attributes except:
- Attributes enabled for export, within object classes enabled for export.
- Attributes defined by LDAP Schema Plugins and enabled for export.
- If Unconfigured Attribute Mode is Remove, all other defined attributes within object classes enabled for export (including those defined by Schema Plugins).
Registry CO Person Transaction | LDAP Action | Externally Managed Attributes |
---|---|---|
Add | Add entry to LDAP (if entry already exists it will be deleted and replaced) | Deleted |
Edit | Update configured attributes only | Untouched |
Status Set To Grace Period | No changes (unless attributes change as part of grace period) | Untouched |
Status Set To Expired or Suspended | Update entry to maintain only Person attributes for referential integrity (no Role or Group attributes) | Untouched |
Status Set Back To Active | Restore Role and Group attributes, or add entry to LDAP if not present | Untouched |
Delete, or Status Set To Deleted (or any other status not specified above) | Remove entry from LDAP | Deleted |
Manual Provision | If entry exists: Update configured attributes only. Attributes are subject to CO Person and Person Role Status | Untouched |
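
The rules above, modelled as an added Python example (not Plugin code; the `ObjectClass` model, the function names and the sample configuration are assumptions constructed for illustration). It covers only the Add, Edit and Delete rows and reports what happens to each attribute already present on an entry, which is worth checking before changing Unconfigured Attribute Mode when another application also writes to the directory.

```python
# Added illustration: models the rules on this page; it is not Plugin code.
from dataclasses import dataclass

@dataclass(frozen=True)
class ObjectClass:              # hypothetical model of one object class
    enabled: bool               # object class enabled for export
    defined: frozenset          # attributes defined within the class
    configured: frozenset       # attributes enabled for export

def controlled(config, mode):
    """Return (exported, removable) attribute sets for the given mode."""
    if mode not in ("Ignore", "Remove"):
        raise ValueError(f"unknown Unconfigured Attribute Mode: {mode!r}")
    exported, removable = set(), set()
    for oc in config.values():
        if not oc.enabled:
            continue            # disabled object classes are left alone
        exported |= oc.configured & oc.defined
        if mode == "Remove":    # unconfigured attributes are removed
            removable |= oc.defined - oc.configured
    return exported, removable

def fate(entry_attrs, config, mode, transaction):
    """Map each attribute on an existing entry to written/removed/untouched."""
    if transaction not in ("Add", "Edit", "Delete"):
        raise ValueError(f"transaction not modelled: {transaction!r}")
    exported, removable = controlled(config, mode)
    result = {}
    for attr in sorted(entry_attrs):
        if transaction == "Delete":
            result[attr] = "removed"    # whole entry is removed
        elif attr in exported:
            result[attr] = "written"    # configured for export
        elif transaction == "Add" or attr in removable:
            result[attr] = "removed"    # entry replaced, or Remove mode
        else:
            result[attr] = "untouched"  # externally managed
    return result

# Constructed sample configuration and entry (not taken from the page).
CONFIG = {
    "inetOrgPerson": ObjectClass(True, frozenset({"givenName", "mail", "mobile"}),
                                 frozenset({"givenName", "mail"})),
    "posixAccount": ObjectClass(False, frozenset({"uidNumber", "gidNumber"}),
                                frozenset()),
}
ENTRY = {"mail", "mobile", "uidNumber"}

if __name__ == "__main__":
    for mode in ("Ignore", "Remove"):
        for tx in ("Add", "Edit", "Delete"):
            print(mode, tx, fate(ENTRY, CONFIG, mode, tx))
```

Attributes defined by LDAP Schema Plugins can be modelled as further `ObjectClass` entries in the same dictionary.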
...