The LDAP Provisioning Plugin is designed to provision Registry data into an LDAP server.
Operations
| Registry CO Person Transaction | LDAP Action |
|---|---|
| Add | Add entry to LDAP (if entry already exists, throw error; manual provisioning required) |
| Edit | Update configured attributes only (other attributes will be left untouched) |
| Enter Grace Period | No changes (unless attributes change as part of grace period) |
| Expiration / Becomes Inactive | Remove entry from LDAP (or place into some sort of referential integrity state for archival purposes?) |
| Unexpire / Becomes Active | Add entry to LDAP (if entry already exists, throw error; manual provisioning required) |
| Delete | Remove entry from LDAP |
| Manual Provision | If entry exists: Update configured attributes only |
Configuration
When using this plugin, it is recommended to add database encryption for the password column in the table cm_co_ldap_provisioner_targets.
The LDAP Provisioning Plugin automatically converts the internal Registry data model into the following LDAP object classes:
- person
- organizationalPerson
- inetOrgPerson
- eduPerson (must be enabled)
- eduMember (must be enabled)
When configuring the Plugin, you can select which object classes to use and which attributes within those object classes to export to LDAP. When attributes come from data model attributes that are typed, a specific type can be selected, or all types can be selected. When multiple values are not supported, the first obtained value will be exported. Unless otherwise noted, only attributes attached to the CO Person record are exported. (Org Identity attributes are not.)
Attributes are mapped as follows:
| Attribute | Data Model | Multiple Values Exported? |
|---|---|---|
| cn | | Only the preferred name attached to the CO Person is exported (CO-333) |
| eduPersonAffiliation | cm_co_person_roles affiliation | |
| eduPersonPrincipalName | cm_identifiers identifier | |
| employeeNumber | cm_identifiers identifier | |
| facsimileTelephoneNumber | cm_telephone_numbers number | |
| givenName | cm_names given | Only the preferred name attached to the CO Person is exported (CO-333) |
| isMemberOf | cm_co_groups name | |
| l | cm_addresses locality | |
| mail | cm_email_addresses mail | |
| mobile | cm_telephone_numbers number | |
| o | | |
| ou | | |
| postalCode | cm_addresses postal_code | |
| sn | cm_names family | Only the preferred name attached to the CO Person is exported (CO-333) |
| st | cm_addresses state | |
| street | cm_addresses line1 | |
| telephoneNumber | cm_telephone_numbers number | |
| title | cm_co_person_roles title | |
| uid | cm_identifiers identifier | |
Additional customization is planned (CO-551, CO-564).
Updating LDAP via Other Services
You may write to LDAP via other services or applications to maintain attributes that are not managed by COmanage Registry. For example, you might use a mailing list manager to maintain list memberships in LDAP.
However, you should be aware of the implications of the operations described above. For example, if the LDAP Provisioning Plugin decides to delete an entry from LDAP, the attributes managed by external applications in that entry will also be deleted.
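As an added example (not code from the plugin or the COmanage project), the following Python models the attribute mapping table and the Edit transaction on a constructed CO Person record: the preferred-name rule for givenName and sn, type selection for typed attributes, first-value export where multiple values are not supported, and the point above that an Edit touches only the configured attributes while attributes maintained by other services are left alone. The `preferred` flag, the identifier and telephone `type` values, and the `MODIFY_*` labels are assumptions of this example.

```python
# Constructed sample CO Person; table/column names follow the page's mapping table,
# the "preferred" flag is an assumption of this example.
CO_PERSON = {
    "cm_names": [{"given": "Ada", "family": "Lovelace", "preferred": True},
                 {"given": "Augusta", "family": "King", "preferred": False}],
    "cm_identifiers": [{"type": "eppn", "identifier": "ada@example.edu"},
                       {"type": "uid", "identifier": "ada"}],
    "cm_email_addresses": [{"mail": "ada@example.edu"}],
    "cm_telephone_numbers": [{"type": "office", "number": "+1 555 0100"},
                             {"type": "mobile", "number": "+1 555 0199"}],
    "cm_co_groups": [{"name": "staff"}, {"name": "admins"}],
}

# LDAP attribute -> (table, column, selected type or None, multiple values exported?)
MAPPING = {
    "givenName": ("cm_names", "given", None, False),
    "sn": ("cm_names", "family", None, False),
    "eduPersonPrincipalName": ("cm_identifiers", "identifier", "eppn", False),
    "uid": ("cm_identifiers", "identifier", "uid", False),
    "mail": ("cm_email_addresses", "mail", None, False),
    "mobile": ("cm_telephone_numbers", "number", "mobile", False),
    "isMemberOf": ("cm_co_groups", "name", None, True),
}

def export_attributes(person, configured):
    """Return the LDAP attributes the plugin would write for the configured attribute names."""
    out = {}
    for attr in configured:
        table, column, wanted_type, multi = MAPPING[attr]
        rows = person.get(table, [])
        if table == "cm_names":  # only the preferred name is exported (CO-333)
            rows = [r for r in rows if r.get("preferred")]
        if wanted_type is not None:  # a specific type was selected in the plugin config
            rows = [r for r in rows if r.get("type") == wanted_type]
        values = [r[column] for r in rows if r.get(column)]
        if values:  # first value only where multiple values are not supported
            out[attr] = values if multi else values[:1]
    return out

def edit_modifications(existing_entry, person, configured):
    """Edit transaction: replace only configured attributes; every other attribute stays untouched."""
    desired = export_attributes(person, configured)
    mods = {}
    for attr in configured:
        new = desired.get(attr, [])
        if existing_entry.get(attr, []) != new:
            mods[attr] = ("MODIFY_REPLACE", new) if new else ("MODIFY_DELETE", [])
    return mods
```

A Delete or Expiration transaction, by contrast, removes the whole entry, so an attribute such as a mailing-list membership that only another service writes disappears with it.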