...
Registry CO Person Transaction | LDAP Action | Externally Managed Attributes |
---|---|---|
Add | Add entry to LDAP (if entry already exists it will be deleted and replaced) | Deleted |
Edit | Update configured attributes only | Untouched |
Status Set To Grace Period | No changes (unless attributes change as part of grace period) | Untouched |
Status Set To Expired or Suspended | Update entry to retain only Person attributes (including Unix Cluster Account attributes) for referential integrity; no Role or Group attributes, including Entitlements, are kept | Untouched |
Status Set Back To Active | Restore Role, Group, and Group Entitlement attributes, or add entry to LDAP if not present | Untouched |
Delete, or Status Set To Deleted (or any other status not specified above) | Remove entry from LDAP | Deleted |
Manual Provision | If entry exists: update configured attributes only; attributes are subject to CO Person and Person Role status | Untouched |
...
- Attribute Options must be enabled
- Each Unix Cluster to be provisioned must have an associated CO Service defined. (The CO Service must have the Unix Cluster set for the Cluster configuration option.) A Unix Cluster can only be associated with one CO Service.
- The CO Service must have a Short Label defined. The short label becomes the scope in the attribute option.
Deprovisioning Unix Cluster Accounts
As of Registry v4.0.0, in order to maintain referential integrity, Unix Cluster Accounts are provisioned to LDAP for the following statuses:
- Active
- Expired
- Grace Period
- Locked
- Suspended
Additionally, the posixAccount and voPosixAccount objectclasses both require a primary group to be set, so an entry for an Expired, Suspended, or Locked person still carries a posixAccount and a primary group. Therefore, the presence of a Unix Cluster Account record in LDAP (and membership in its primary group) should not be sufficient in and of itself to permit login. One of the following should also be checked, depending on local deployment capabilities and need:
- A membership in any group other than the Primary Group
- voPersonStatus
- pwdAccountLockedTime
To remove a Unix Cluster Account from LDAP, either set the CO Person status to a status not listed above (such as Deleted), or set the Cluster Account status to something other than Active (such as Suspended).
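The following is an added example, not code from the COmanage Registry project or this documentation. It shows the login gate described above as a small, testable policy: it reads a constructed LDIF export of People and Groups, confirms the entry actually carries a posixAccount or voPosixAccount, and then applies whichever of the three additional checks (voPersonStatus, pwdAccountLockedTime, a group beyond the primary group) the deployment selects. Assumptions: attribute names follow the posixAccount/posixGroup and voPerson schemas, the voPersonStatus value for an active person is spelled "active", and any value in pwdAccountLockedTime means the account is locked. The sample entries and the `login_decision` function name are constructed for illustration.

```python
"""Login gate for Unix Cluster Account entries provisioned to LDAP.

Added example (not COmanage Registry code). Assumes posixAccount/posixGroup
and voPerson attribute names, voPersonStatus "active" for an active person,
and that any pwdAccountLockedTime value means "locked".
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: a blank line ends an entry, a leading space folds a
    continuation line. Base64 (::) values are not used in the sample."""
    entries: List[Entry] = []
    cur: Entry = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:  # folded continuation line
            cur[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        cur.setdefault(last_attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def split_directory(entries: List[Entry]) -> Tuple[Dict[str, Entry], List[Entry]]:
    """Return (people keyed by uid, posixGroup entries)."""
    people: Dict[str, Entry] = {}
    groups: List[Entry] = []
    for e in entries:
        ocs = {v.lower() for v in e.get("objectclass", [])}
        if "posixgroup" in ocs:
            groups.append(e)
        elif "uid" in e:
            people[e["uid"][0]] = e
    return people, groups


ALL_CHECKS = ("status", "lock", "group")


def login_decision(entry: Entry, groups: List[Entry],
                   checks=ALL_CHECKS, active_status: str = "active") -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). A posixAccount/voPosixAccount must be present;
    'checks' selects which of the three additional tests the site applies."""
    reasons: List[str] = []
    ocs = {v.lower() for v in entry.get("objectclass", [])}
    if not ocs & {"posixaccount", "voposixaccount"}:
        return False, ["entry carries no posixAccount/voPosixAccount objectclass"]
    uid = entry["uid"][0]
    primary_gid = entry.get("gidnumber", [None])[0]
    if "status" in checks:
        status = [v.lower() for v in entry.get("vopersonstatus", [])]
        if active_status not in status:
            reasons.append(f"voPersonStatus={','.join(status) or 'unset'} is not {active_status!r}")
    if "lock" in checks and entry.get("pwdaccountlockedtime"):
        reasons.append("pwdAccountLockedTime is set")
    if "group" in checks:
        # Membership in the primary group alone proves nothing: the provisioner
        # must keep it for Expired/Suspended/Locked entries too.
        extra = [g["cn"][0] for g in groups
                 if uid in g.get("memberuid", []) and g.get("gidnumber", [None])[0] != primary_gid]
        if not extra:
            reasons.append("no membership in any group beyond the primary group")
    return not reasons, reasons


# Constructed sample export: alice active; bob suspended (Group attributes
# withdrawn, so only his primary group remains); carol active but locked.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: voPerson
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
voPersonStatus: active

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: voPerson
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
voPersonStatus: suspended

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: voPerson
uid: carol
uidNumber: 10003
gidNumber: 10003
homeDirectory: /home/carol
voPersonStatus: active
pwdAccountLockedTime: 000001010000Z

dn: cn=alice,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: alice
gidNumber: 10001
memberUid: alice

dn: cn=bob,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: bob
gidNumber: 10002
memberUid: bob

dn: cn=cluster-users,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: cluster-users
gidNumber: 20000
memberUid: alice
memberUid: carol
"""

if __name__ == "__main__":
    people, groups = split_directory(parse_ldif(SAMPLE_LDIF))
    for uid, person in people.items():
        allowed, why = login_decision(person, groups)
        print(uid, "ALLOW" if allowed else "DENY", why)
```

Running it denies bob on two counts (status and no secondary group) and carol on the lock alone; passing `checks=("group",)` would admit carol, which is exactly why a site that cannot evaluate pwdAccountLockedTime in its PAM or SSSD stack should pick a check it can actually enforce.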
Application Specific Passwords
...