Re: [comanage-users] Creating LDAP DN from a self-signup user

  • From: Benn Oshrin <>
  • To: "Kevin M. Hildebrand" <>
  • Cc:
  • Subject: Re: [comanage-users] Creating LDAP DN from a self-signup user
  • Date: Thu, 13 Apr 2017 19:55:13 -0500

To reply with more detail...

For the most part what you're asking for is
https://bugs.internet2.edu/jira/browse/CO-1137 (which I think is what
was brought up a few days ago on list). The complication is that even
when we implement that capability (I think we're trying to get it done
for the next feature release), you'll still run into the issue that eppn
is attached to the org identity, and not the CO Person record.

I could offer a couple of options for how to work around that
(pipelines, enrollment forms, new RFEs related to the new $ENV OIS we're
planning), but instead I'd actually rather push back and suggest that
eppn might not be the best choice for a DN component, which needs to
uniquely identify a person in LDAP.

(1) What happens if a person has more than one eppn? If they've linked a
gmail account and a university.edu account, which one do you pick?

(2) What happens when the eppn changes? Say I registered with

but then later decide I don't want my personal gmail
address associated with the registration. (COmanage can handle a DN
change, but downstream applications might not be able to.)

A better approach is to use Identifier Assignments to create a CO
specific opaque identifier (something like "UMD123456") and then use
that to populate the DN. This way there is a one to one relationship
between a CO Person identifier and an LDAP DN, and it doesn't change
based on external factors. You can still look up records based on eppn
by having the LDAP Provisioner write the eppn into the LDAP record.

Thanks,

-Benn-

On 4/10/17 6:04 PM, Kevin M. Hildebrand wrote:
> That works for most of the ldap attributes but I can't create a dn that
> way.
> I'd like my dn to have the eppn in it, and have the uid match.
> i.e.,
> dn: <>,dc=test,dc=umd,dc=edu
>
> I was thinking, perhaps an expansion of the fields available in the
> automatic identifier assignment would help. Right now you can build
> identifiers with tokens from the user's name; how about expanding that
> to allow more generic expansion?
> Then I can build uid from eppn, and use that for my dn.
> Alternatively, the dn creation options should also allow one to pull
> values from the org record.
>
> Kevin
>
> On Apr 10, 2017 18:21, "Benn Oshrin" <> wrote:
>
> In the LDAP provisioner attribute configuration, you should see an
> option "Use value from Organizational Identity" that does what you want.
> I thought this was documented in the wiki somewhere, but I can't
> find it...
>
> (In general you can't export Org Identity attributes because they're not
> "operational", but there are limited exceptions primarily for this use
> case.)
>
> Thanks,
>
> -Benn-
>
> On 4/10/17 9:06 AM, Kevin M. Hildebrand wrote:
> > I'm having some challenges creating the LDAP dn that I want based on
> > attributes obtained via self-signup.
> >
> > I've got authenticated self-signup working, using Google auth. That
> > populates ePPN in the Organizational Identity with the authenticated ID
> > (I'm currently having it use the Google user's email address).
> >
> > The problem I'm having is that the LDAP provisioner only seems to want
> > to draw items from the CO person record, and self-signup doesn't
> > populate that record with much.
> >
> > For example if I set my 'People DN Identifier Type' in the provisioner
> > to ePPN, the provisioning fails because ePPN isn't defined in the CO
> > person record.
> >
> > I'd like to have the authenticated ID passed in from Google get assigned
> > to ePPN in a form available to the LDAP provisioner so I can build a DN
> > from it. Perhaps by automatically copying it to the CO person record,
> > or perhaps a way to allow the LDAP provisioner to export attributes from
> > the Organizational record.
> >
> > Thanks,
> > Kevin
> >
> > --
> > Kevin Hildebrand
> > University of Maryland, College Park
> >
>
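As an added example (not COmanage code and not part of the thread), the Python below models the two DN strategies Benn compares: an eppn-derived DN, which is ambiguous when several org identities are linked and moves whenever the eppn changes, versus a DN built from an opaque Identifier Assignment value with the eppns written into the entry as eduPersonPrincipalName for lookup. The base DN is the one from the thread; the `ou=people` branch, the `CoPerson` model and the sample addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Base DN taken from the thread; the "ou=people" branch is an assumption.
BASE_DN = "ou=people,dc=test,dc=umd,dc=edu"

@dataclass
class CoPerson:
    """Constructed stand-in for a CO Person and its linked Org Identities."""
    co_identifier: str                          # opaque Identifier Assignment value
    eppns: list = field(default_factory=list)   # one eppn per linked Org Identity

def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4514 makes special in a DN attribute value."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last))
        out.append('\\' + ch if special else ch)
    return ''.join(out)

def dn_from_eppn(person: CoPerson) -> str:
    """The approach the thread argues against: eppn as the DN component.
    Ambiguous with several eppns, and the DN moves whenever the eppn changes."""
    if len(person.eppns) != 1:
        raise ValueError(f"{len(person.eppns)} eppns on record; DN would be ambiguous")
    return f"uid={ldap_escape(person.eppns[0])},{BASE_DN}"

def provision(person: CoPerson) -> dict:
    """Recommended approach: opaque CO identifier in the DN, eppns as attributes.
    Linking or unlinking an org identity changes eduPersonPrincipalName, never the DN."""
    return {
        "dn": f"uid={ldap_escape(person.co_identifier)},{BASE_DN}",
        "uid": person.co_identifier,
        "eduPersonPrincipalName": list(person.eppns),
    }

if __name__ == "__main__":
    # Constructed sample: a person who linked two accounts, then unlinks one.
    before = CoPerson("UMD123456", ["user@example.edu", "user@example.com"])
    after = CoPerson("UMD123456", ["user@example.edu"])
    print(provision(before)["dn"] == provision(after)["dn"])   # True: the DN is stable
    try:
        dn_from_eppn(before)
    except ValueError as exc:
        print("eppn-based DN:", exc)
```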


