...

| Registry CO Person Transaction | LDAP Action | Externally Managed Attributes |
| --- | --- | --- |
| Add | Add entry to LDAP (if the entry already exists it will be deleted and replaced) | Deleted |
| Edit | Update configured attributes only | Untouched |
| Status Set To Grace Period | No changes (unless attributes change as part of the grace period) | Untouched |
| Status Set To Expired or Suspended | Update the entry to keep only Person attributes (including Unix Cluster Account attributes) for referential integrity; no Role or Group attributes, including Entitlements | Untouched |
| Status Set Back To Active | Restore Role, Group, and Group Entitlement attributes, or add the entry to LDAP if not present | Untouched |
| Delete, or Status Set To Deleted (or any other status not specified above) | Remove entry from LDAP | Deleted |
| Manual Provision | If the entry exists: update configured attributes only. If the entry does not exist: add the entry to LDAP. (warning) Attributes are subject to CO Person and Person Role Status. (warning) To completely erase and rewrite a record, an administrator must remove the record from LDAP (manually, or by setting the person status to e.g. Deleted) before manually provisioning. | Untouched |

...

  1. Attribute Options must be enabled.
  2. Each Unix Cluster to be provisioned must have an associated CO Service defined. (The CO Service must have the Unix Cluster set for the Cluster configuration option.) A Unix Cluster can only be associated with one CO Service.
  3. The CO Service must have a Short Label defined. The short label becomes the scope in the attribute option.

Deprovisioning Unix Cluster Accounts

As of Registry v4.0.0, in order to maintain referential integrity, Unix Cluster Accounts are provisioned to LDAP for the following statuses:

  • Active
  • Expired
  • Grace Period
  • Locked
  • Suspended

Additionally, the posixAccount and voPosixAccount objectclasses both require a primary group to be set. Therefore, the presence of a Unix Cluster Account record in LDAP should not be sufficient in and of itself to permit login. One of the following should also be checked, depending on local deployment capabilities and need:

  • A membership in any group other than the Primary Group
  • voPersonStatus
  • pwdAccountLockedTime

To remove a Unix Cluster Account from LDAP either set the CO Person status to another value (such as Deleted), or set the Cluster Account status to something other than Active (such as Suspended).
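The following is an added example (not COmanage's own code) of the extra checks recommended above: it decides whether a provisioned Unix Cluster Account should be allowed to log in by looking at voPersonStatus, pwdAccountLockedTime and group membership beyond the primary gidNumber group. The entries are constructed dicts mimicking LDAP search results; the attribute names gidNumber, memberUid and pwdAccountLockedTime (OpenLDAP ppolicy) are assumptions, since the page only names the latter.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # LDAP entry: attribute -> list of values

# Constructed sample entries (not real directory data). Attribute names follow
# posixAccount/posixGroup, voPerson (voPersonStatus) and the OpenLDAP ppolicy
# overlay (pwdAccountLockedTime); all values are made up for this example.
GROUPS: List[Entry] = [
    {"cn": ["users"],   "gidNumber": ["1000"], "memberUid": ["alice", "bob", "carol", "dave"]},
    {"cn": ["cluster"], "gidNumber": ["2000"], "memberUid": ["alice", "carol"]},
]
_CLASSES = ["person", "voPosixAccount", "posixAccount"]
ALICE: Entry = {"uid": ["alice"], "objectClass": _CLASSES, "gidNumber": ["1000"],
                "voPersonStatus": ["Active"]}
BOB: Entry   = {"uid": ["bob"],   "objectClass": _CLASSES, "gidNumber": ["1000"],
                "voPersonStatus": ["Active"]}            # member of primary group only
CAROL: Entry = {"uid": ["carol"], "objectClass": _CLASSES, "gidNumber": ["1000"],
                "voPersonStatus": ["Suspended"]}         # still provisioned by Registry
DAVE: Entry  = {"uid": ["dave"],  "objectClass": _CLASSES, "gidNumber": ["1000"],
                "voPersonStatus": ["Active"],
                "pwdAccountLockedTime": ["000001010000Z"]}  # ppolicy permanent lock


def login_permitted(user: Entry, groups: List[Entry]) -> Tuple[bool, str]:
    """Decide whether a provisioned Unix Cluster Account may log in.

    A posixAccount/voPosixAccount entry alone is not enough, because Registry
    keeps the account in LDAP for Expired, Grace Period, Locked and Suspended
    people for referential integrity. Returns (allowed, reason).
    """
    classes = {c.lower() for c in user.get("objectClass", [])}
    if not classes & {"posixaccount", "voposixaccount"}:
        return False, "no Unix Cluster Account in LDAP"
    status = (user.get("voPersonStatus") or [""])[0]
    if status.lower() != "active":
        return False, f"voPersonStatus is {status or 'unset'}"
    # ppolicy sets pwdAccountLockedTime on lockout; treat any value as locked
    # (conservative: the attribute can outlive an expired lockout duration).
    if user.get("pwdAccountLockedTime"):
        return False, "pwdAccountLockedTime is set"
    # gidNumber is the mandatory primary group; require membership elsewhere.
    uid, primary_gid = user["uid"][0], user["gidNumber"][0]
    extra = [g["cn"][0] for g in groups
             if g["gidNumber"][0] != primary_gid and uid in g.get("memberUid", [])]
    if not extra:
        return False, "member of primary group only"
    return True, "active, unlocked, member of " + ", ".join(extra)


if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u["uid"][0], login_permitted(u, GROUPS))
```

In a real deployment the same three conditions would be expressed in the client's LDAP filter or PAM/SSSD access configuration rather than evaluated in application code.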

Application Specific Passwords

...