COmanage Users List
[comanage-users] LDAP Provisioner - multiple roles for a user

  • From: <>
  • To:
  • Subject: [comanage-users] LDAP Provisioner - multiple roles for a user
  • Date: Thu, 10 Jul 2014 21:48:19 +0000 (UTC)

Observation 1 - if ldap provisioning includes inetOrgPerson 'o', and a user
has multiple CO Person Roles in a CO, each Role must have a unique value for

When you add a role for a user, the organization is defaulted to the CO name.
At provisioning, the 'o' field in ldap is populated from the role organization
field. If 2 roles have the same 'o' value, it fails and LDAP reports 'type or
value exists (500).' Apparently, the 'o' attr wants to be unique.

As a workaround, the UI allows editing of the Role's 'Organization' field
and there is no validation. If you change it to anything else, like a COU
name or whatever, it will work, as long as it is unique.

UI side validation would be handy.

Or, maybe the provisioner should check for duplicate 'o' values and delete the
extra. It is allowed by the ldap schema to have multiple titles but only one

Note - I only tested this on my system that uses COUs. Can't say if this
applies to those that do not use COUs, but I think it would.

Observation 2 - Assume configuration as above, and also ldap provisioner
includes organizationalPerson.title. The value for title comes from CO Person
Role 'title'.

Assume user has 2 roles, organization 'O1' title 'Staff' and organization 'O2'
title 'Faculty'.

After provisioning, in Ldap I see
o: O1
o: O2
title: Staff
title: Faculty

How do I know which title applies to which 'o'? Can sequence be trusted or is
that incidental?

Observation 3 - Updating a user's roles does not trigger automatic provisioning
(auto is enabled). Is this by design?

Observation 4 - if ldap provisioning includes eduPerson.eduPersonAffiliation,
and a user has multiple roles within a CO, each affiliation must be unique,
else 'type or value exists (500).' This is true even if the roles have
different values for organization.
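The failures in Observations 1 and 4 and the ambiguity in Observation 2 both come from the same LDAP property: a multi-valued attribute is a set of values compared with the attribute's equality matching rule (caseIgnoreMatch for o, title and eduPersonAffiliation in the standard schemas), so a second equal value is rejected with "type or value exists", and the values carry no order that ties one o to one title. The following is an added illustration, not COmanage code and not the LDAP Provisioner's actual mapping: it models the role-to-attribute mapping described in the post, deduplicates values the way the poster suggests the provisioner could, reports which role values would have collided so a UI-side check could flag them, and shows when the o/title pairing is recoverable at all. The role dictionaries and the ROLE_TO_LDAP table are constructed for the example.

```python
# Constructed sample: three CO Person Roles for one CO Person in one CO.
# The third role deliberately repeats the organization and affiliation of the
# second, which is the situation that makes the LDAP modify fail.
ROLES = [
    {"organization": "O1", "title": "Staff",   "affiliation": "staff"},
    {"organization": "O2", "title": "Faculty", "affiliation": "faculty"},
    {"organization": "O2", "title": "Visitor", "affiliation": "faculty"},
]

# Hypothetical mapping from CO Person Role fields to LDAP attribute types,
# following the attributes named in the post (not the provisioner's own table).
ROLE_TO_LDAP = {
    "organization": "o",
    "title": "title",
    "affiliation": "eduPersonAffiliation",
}


def _equal(a, b):
    """Approximate caseIgnoreMatch: LDAP compares these attributes
    case-insensitively with insignificant whitespace collapsed."""
    return " ".join(a.split()).lower() == " ".join(b.split()).lower()


def build_attributes(roles):
    """Map roles to LDAP attributes, keeping the first occurrence of each value.

    Returns (attrs, collisions):
      attrs      -> {ldap_type: [distinct values in first-seen order]}
      collisions -> [(ldap_type, value, role_index)] for every value that
                    would have been a duplicate under the matching rule.
    """
    attrs = {}
    collisions = []
    for idx, role in enumerate(roles):
        for field, ldap_type in ROLE_TO_LDAP.items():
            value = role.get(field)
            if not value:
                continue
            values = attrs.setdefault(ldap_type, [])
            if any(_equal(v, value) for v in values):
                collisions.append((ldap_type, value, idx))
            else:
                values.append(value)
    return attrs, collisions


def ui_validation_messages(roles):
    """The kind of check the post asks for on the UI side: one message per
    role value that would collide with an earlier role's value."""
    _, collisions = build_attributes(roles)
    return [
        f"role {idx}: {ldap_type} value '{value}' duplicates another role"
        for ldap_type, value, idx in collisions
    ]


def recoverable_pairing(attrs):
    """Observation 2: LDAP stores o and title as unordered sets, so the link
    between an organization and its title survives only when there is at most
    one of each. Returns the single (o, title) pair, or None when ambiguous."""
    orgs = attrs.get("o", [])
    titles = attrs.get("title", [])
    if len(orgs) <= 1 and len(titles) <= 1:
        return (orgs[0] if orgs else None, titles[0] if titles else None)
    return None


if __name__ == "__main__":
    attrs, collisions = build_attributes(ROLES)
    for ldap_type, values in attrs.items():
        for v in values:
            print(f"{ldap_type}: {v}")
    print("collisions:", collisions)
    print("pairing:", recoverable_pairing(attrs))
```

Running it prints the deduplicated attribute list, the two collisions from the third role (its o and eduPersonAffiliation values), and `None` for the pairing, because with two o values and three titles nothing in the entry says which title belongs to which organization; the only reliable way to keep that association in LDAP is to encode it in a single value or a per-role entry, not to rely on value order.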
