
comanage-users - Re: [comanage-users] LDAP Provisioner - multiple roles for a user

Subject: COmanage Users List

  • From: Benn Oshrin <>
  • To:
  • Subject: Re: [comanage-users] LDAP Provisioner - multiple roles for a user
  • Date: Sat, 12 Jul 2014 13:31:07 -0400

On 7/10/14 5:48 PM,


> Observation 1 - if ldap provisioning includes inetOrgPerson 'o', and a user
> has multiple CO Person Roles in a CO, each Role must have a unique value for
>
> When you add a role for a user, the organization is defaulted to the CO name.
> At provisioning, the 'o' field in ldap is populated from the role organization
> field. If 2 roles have the same 'o' value, it fails and LDAP reports 'type or
> value exists (500).' Apparently, the 'o' attr wants to be unique.
> Or, maybe the provisioner should check for duplicate 'o' values and delete the
> extra. It is allowed by the ldap schema to have multiple titles but only one
> 'o'.

In general, multi-valued attributes need to have a unique value. Probably the LdapProvisioner should just filter the duplicate entry, but see below.

> After provisioning, in Ldap I see
> o: O1
> o: O2
> title: Staff
> title: Faculty
>
> How do I know which title applies to which 'o'? Can sequence be trusted or is
> that incidental?

You don't, and it's incidental. The solution here would be to use LDAP options, with which we could create something like

o;x-role-1: O1
o;x-role-2: O2
title;x-role-1: Staff
title;x-role-2: Faculty

"dumb" clients wouldn't know what to do with this (and would fall back to the default behavior we have today), but "smart" clients would.

We don't currently support this, but it has been discussed.

> Observation 3 - Updating a user's roles does not trigger automatic provisioning
> (auto is enabled). Is this by design?

Provisioning should trigger on each update. What specific data did you change?
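
An added illustration of the two points in this message, not part of the original post and not COmanage code: filtering duplicate values before writing a multi-valued attribute, and the per-role attribute options layout that the message describes as discussed but unsupported. The function names, the role dictionary shape and the sample values are assumptions made for the example.

```python
# Added example: hypothetical helper, not COmanage's LdapProvisioner code.

def _match_key(value):
    # Approximates LDAP caseIgnoreMatch (the equality rule for 'o' and
    # 'title'): ignore case and collapse insignificant whitespace.
    return " ".join(value.split()).casefold()


def build_attrs(roles, tagged=False):
    """Map CO Person Roles to LDAP attribute values.

    roles: list of dicts with 'o' and 'title' keys (assumed shape).
    tagged=False: plain multi-valued 'o'/'title', duplicates filtered.
    tagged=True: one 'attr;x-role-N' per role, keeping o/title paired.
    """
    attrs = {}
    seen = {}
    for n, role in enumerate(roles, start=1):
        for name in ("o", "title"):
            value = (role.get(name) or "").strip()
            if not value:
                continue
            if tagged:
                attrs[f"{name};x-role-{n}"] = [value]
                continue
            key = _match_key(value)
            if key in seen.setdefault(name, set()):
                continue  # a repeat here is what yields "type or value exists"
            seen[name].add(key)
            attrs.setdefault(name, []).append(value)
    return attrs


# Constructed sample: two roles whose organization differs only in case
# and trailing whitespace, so the directory treats the values as equal.
SAMPLE_ROLES = [
    {"o": "O1", "title": "Staff"},
    {"o": "o1 ", "title": "Faculty"},
]

if __name__ == "__main__":
    print(build_attrs(SAMPLE_ROLES))
    print(build_attrs(SAMPLE_ROLES, tagged=True))
```
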


