The LDAP Provisioning Plugin is designed to provision Registry data into an LDAP server.
Operations
Registry CO Person Transaction |
LDAP Action |
---|---|
Add |
Add entry to LDAP (if entry already exists, throw error; manual provisioning required) |
Edit |
Update configured attributes only (other attributes will be left untouched) |
Enter Grace Period |
No changes (unless attributes change as part of grace period) |
Expiration / Becomes Inactive |
Remove entry from LDAP (or place into some sort of referential integrity state for archival purposes?) |
Unexpire / Becomes Active |
Add entry to LDAP (if entry already exists, throw error; manual provisioning required) |
Delete |
Remove entry from LDAP |
Manual Provision |
If entry exists: Update configured attributes only |
Configuration
When using this plugin, it is recommended to add database encryption for the password
column in the table cm_co_ldap_provisioner_targets.
The LDAP Provisioning Plugin automatically converts the internal Registry data model into the following LDAP object classes:
person
organizationalPerson
inetOrgPerson
Currently, no further configuration is possible, though customization is planned (CO-549).
Updating LDAP via Other Services
You may write to LDAP via other services or applications to maintain attributes that are not managed by COmanage Registry. For example, you might use a mailing list manager to maintain list memberships in LDAP.
However, you should be aware of the implications of the operations described above. For example, if the LDAP Provisioning Plugin decides to delete an entry from LDAP, the attributes managed by external applications in that entry will also be deleted.