COmanage Users List

[Benn Oshrin <>]

On 7/10/14 5:48 PM, 

 wrote:

> Observation 1 - if ldap provisioning includes inetOrgPerson 'o' , and a user
> has multiple CO Person Roles in a CO, each Role must have a unique value for
> 'organization'.
>
> When you add a role for a user, the organization is defaulted to the CO name.
> At provisioning, the 'o' field in ldap is populated from the role organization
> field. If 2 roles have the same 'o' value, it fails and LDAP reports 'type or
> value exists (500).'  Apparently, the 'o' attr wants to be unique.
[...]
> Or, maybe the provisioner should check for duplicate 'o' values and 
delete the
> extra.  It is allowed by the ldap schema to have multiple titles but 
only one
> 'o'.

In general, multi-valued attributes need to have a unique value. 
Probably the LdapProvisioner should just filter the duplicate entry, but 
see below.

> After provisioning, in Ldap I see
> o: O1
> o: O2
> title: Staff
> title: Faculty
>
> How do I know which title applies to which 'o'? Can sequence be trusted or is
> that incidental?

You don't, and it's incidental. The solution here would be to use LDAP 
options, with which we could create something like

 o;x-role-1: O1
 o;x-role-2: O2
 title;x-role-1: Staff
 title;x-role-2: Faculty

"dumb" clients wouldn't know what to do with this (and would fall back 
to the default behavior we have today), but "smart" clients would.

We don't currently support this, but it has been discussed.

> Observation 3 - Updating a users roles does not trigger automatic provisioning
> (auto is enabled). Is this by design?

Provisioning should trigger on each update. What specific data did you 
change?

Thanks,

-Benn-