COmanage Users List

[Benn Oshrin <>]

I think there are two bits here. The first is about reflecting the COU
(or CO) name into LDAP. Currently, there are two CO Person Role fields
that could be used for this:

(1) "Organization" (cm_co_person_roles:o) will be used to populate the
"o" attribute in LDAP.

(2) "Department" (cm_co_person_roles:ou) will be used to populate the
"ou" attribute in LDAP.

You could populate these with the name of the CO and COU respectively,
perhaps by fixed fields populated at enrollment, perhaps manually by an
administrator.

There is currently no way to automatically populate these fields based
on the name of the CO or COU, though that might be a useful enhancement.

The second bit is correlating multiple records worth of data together in
LDAP. I think the answer to that is LDAP Attribute Options, which would
allow something like

 ou;x-role-1: First COU
 ou;x-role-2: Second COU
 title;x-role-1: Professor of First COU
 title;x-role-2: Researcher of Second COU

We could prioritize adding support for this, but it's not there now.

Thanks,

-Benn-

On 9/5/14 3:22 PM, 

 wrote:
> This is related to Jira issue CO-941, but did not what to clutter that with
> discussion.
> 
> This is our #1 showstopper. 
> 
> The question is about scope / context of a eduPersonAffiliation values in 
> the
> presence of multiple roles in different COUs. I think this is more a bug in
> the requirements, and less so the code.
> 
> Example:
> 
> A CO Person has multiple roles defined, 'Member' of COU-1 and 'Staff' of
> COU-2.
> 
> This needs to be exported to LDAP. Not just the 'affiliations' as COmanage
> calls them, but the COU to which they apply.
> 
> In LDAP, the affiliations are mapped to eduPersonAffiliation, and this is a
> multi value field. Using the example above, this would result in
> 'member,staff'. Fine, as far as it goes.
> 
> However, unless I am missing something, the COU is not represented anywhere 
> in
> the current LDAP provisioner output. Since it does not convey the
> scope/context of the affiliations, the eduPersonAffiliation value is
> meaningless when COUs are used within COmanage.
> 
> (Using our example, it does not say for which COU a person is a member and
> which staff.)
> 
> Therefore, even if the above Jira issue is 'fixed' (provisioning fails when
> multiple roles are defined) it still does not address the real functional
> need.
> 
> Is the solution to concatenate the COU name and affiliation in
> eduPersonAffiliation? E.g., 'COU-1->member,COU-2->staff'
> 
> Or restructuring the mapping to LDAP (yikes!)?
> 
> Or?
>