Skip to Content.
Sympa Menu

comanage-users - Re: [comanage-users] Multiple Roles and COUs and LDAP

Subject: COmanage Users List

List archive

Re: [comanage-users] Multiple Roles and COUs and LDAP

Chronological Thread 
  • From: Benn Oshrin <>
  • To:
  • Subject: Re: [comanage-users] Multiple Roles and COUs and LDAP
  • Date: Fri, 05 Sep 2014 16:24:56 -0400

I think there are two bits here. The first is about reflecting the COU
(or CO) name into LDAP. Currently, there are two CO Person Role fields
that could be used for this:

(1) "Organization" (cm_co_person_roles:o) will be used to populate the
"o" attribute in LDAP.

(2) "Department" (cm_co_person_roles:ou) will be used to populate the
"ou" attribute in LDAP.

You could populate these with the name of the CO and COU respectively,
perhaps by fixed fields populated at enrollment, perhaps manually by an

There is currently no way to automatically populate these fields based
on the name of the CO or COU, though that might be a useful enhancement.

The second bit is correlating multiple records worth of data together in
LDAP. I think the answer to that is LDAP Attribute Options, which would
allow something like

ou;x-role-1: First COU
ou;x-role-2: Second COU
title;x-role-1: Professor of First COU
title;x-role-2: Researcher of Second COU

We could prioritize adding support for this, but it's not there now.



On 9/5/14 3:22 PM,

> This is related to Jira issue CO-941, but did not what to clutter that with
> discussion.
> This is our #1 showstopper.
> The question is about scope / context of a eduPersonAffiliation values in
> the
> presence of multiple roles in different COUs. I think this is more a bug in
> the requirements, and less so the code.
> Example:
> A CO Person has multiple roles defined, 'Member' of COU-1 and 'Staff' of
> COU-2.
> This needs to be exported to LDAP. Not just the 'affiliations' as COmanage
> calls them, but the COU to which they apply.
> In LDAP, the affiliations are mapped to eduPersonAffiliation, and this is a
> multi value field. Using the example above, this would result in
> 'member,staff'. Fine, as far as it goes.
> However, unless I am missing something, the COU is not represented anywhere
> in
> the current LDAP provisioner output. Since it does not convey the
> scope/context of the affiliations, the eduPersonAffiliation value is
> meaningless when COUs are used within COmanage.
> (Using our example, it does not say for which COU a person is a member and
> which staff.)
> Therefore, even if the above Jira issue is 'fixed' (provisioning fails when
> multiple roles are defined) it still does not address the real functional
> need.
> Is the solution to concatenate the COU name and affiliation in
> eduPersonAffiliation? E.g., 'COU-1->member,COU-2->staff'
> Or restructuring the mapping to LDAP (yikes!)?
> Or?

Archive powered by MHonArc 2.6.16.

Top of Page