...

  • First configure an external system for the target LDAP.
  • Supports both memberships in groups (e.g. using the member attribute) and memberships in entities (e.g. using the memberOf or eduPersonEntitlement attributes). These two modes are also referred to as groupAttributes vs entityAttributes.
  • Groups can be flat or bushy in LDAP: flat puts every group directly under the groups base with the full Grouper name as the cn, bushy turns each Grouper folder into an ou beneath the base with the group extension as the cn.
  • Configure a "name" field in the object model to represent the LDAP object DN for groups and entities.
  • All other attributes in the LDAP object are attributes (rather than fields) in the object model. 
    • For example, for groups, you may have attributes such as:
      • cn
      • objectClass (based on staticValues)
      • gidNumber (could be configured as the matching id and search attribute)
      • description (optional)
      • member (configured as the membership attribute if groupAttributes)
    • And for entities, you may have attributes such as:
      • uid (could be configured as the matching id and search attribute)
      • memberOf or eduPersonEntitlement (configured as the membership attribute if entityAttributes)
      • If creating entities, then you may have several other attributes such as givenName, sn, objectClass, etc.
  • If you need to look up an object in LDAP to get its DN, use a "group link" or "entity link"
    • Also store the DN in the groupToId2 sync bucket or the memberToId2 sync bucket
  • We have seen data flip-flop in AD (cause unknown); in that case use one specific attribute for search/match and a second, separate attribute for the DN.
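The list above describes the shape of the provisioning rather than showing it. The following is an added example, not Grouper's own code, that models what a provisioner writes for the choices listed: flat vs bushy group DNs, groupAttributes (member on the group) vs entityAttributes (memberOf on the entity), and an entity link that resolves a subject's DN by its search/match attribute and caches it the way the memberToId2 bucket does. The base DN, the uid search, and the in-memory directory are constructed sample data; the function and class names are this example's own.

```python
"""Added example (not Grouper's own code): how an LDAP provisioner turns Grouper
groups and memberships into LDAP entries. Base DN, people and group names are
constructed sample data.
"""

GROUP_BASE_DN = "ou=groups,dc=example,dc=edu"

# Constructed stand-in for the LDAP search on the match attribute (uid -> DN).
SAMPLE_PEOPLE = {
    "jsmith": "uid=jsmith,ou=people,dc=example,dc=edu",
    "alee": "uid=alee,ou=people,dc=example,dc=edu",
}


def search_uid(uid):
    """Pretend LDAP search (uid=<uid>); returns the entry DN or None."""
    return SAMPLE_PEOPLE.get(uid)


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def flat_group_dn(group_name):
    """Flat layout: the full Grouper name (folders included) is the cn."""
    return f"cn={escape_rdn_value(group_name)},{GROUP_BASE_DN}"


def bushy_group_dn(group_name):
    """Bushy layout: each Grouper folder becomes an ou, the extension the cn."""
    *folders, extension = group_name.split(":")
    rdns = [f"cn={escape_rdn_value(extension)}"]
    rdns += [f"ou={escape_rdn_value(f)}" for f in reversed(folders)]
    return ",".join(rdns + [GROUP_BASE_DN])


class EntityLink:
    """Resolve a subject's DN via a search attribute and cache it.

    The cache plays the role of the memberToId2 sync bucket: a subject that is
    referenced from many groups costs one search, and every group uses the
    same DN for it.
    """

    def __init__(self, search_fn):
        self._search = search_fn
        self.cache = {}
        self.searches = 0

    def dn_for(self, subject_id):
        if subject_id not in self.cache:
            self.searches += 1
            dn = self._search(subject_id)
            if dn is None:
                raise LookupError(f"no LDAP entry matched uid={subject_id}")
            self.cache[subject_id] = dn
        return self.cache[subject_id]


def provision(groups, link, layout="flat", mode="groupAttributes",
              membership_attribute=None):
    """Return {dn: {attribute: [values]}} for groups {grouper_name: [subject_id]}.

    mode="groupAttributes": group objects carry the membership (default: member).
    mode="entityAttributes": entity objects carry it (default: memberOf); no
    group objects are written because only the entities are modified.
    """
    make_dn = flat_group_dn if layout == "flat" else bushy_group_dn
    if membership_attribute is None:
        membership_attribute = "member" if mode == "groupAttributes" else "memberOf"
    entries = {}
    for name, subject_ids in groups.items():
        group_dn = make_dn(name)
        member_dns = [link.dn_for(s) for s in subject_ids]
        if mode == "groupAttributes":
            entry = {
                "objectClass": ["top", "groupOfNames"],  # staticValues
                "cn": [name if layout == "flat" else name.rsplit(":", 1)[-1]],
                "description": [name],
            }
            # groupOfNames requires at least one member: an empty group gets no
            # member attribute here and a strict schema would reject it.
            if member_dns:
                entry[membership_attribute] = member_dns
            entries[group_dn] = entry
        else:
            for member_dn in member_dns:
                entity = entries.setdefault(member_dn, {membership_attribute: []})
                entity[membership_attribute].append(group_dn)
    return entries


if __name__ == "__main__":
    link = EntityLink(search_uid)
    sample = {"app:payroll:admins": ["jsmith", "alee"], "app:payroll:viewers": ["jsmith"]}
    for dn, attrs in provision(sample, link, layout="bushy").items():
        print(dn, attrs)
    print("searches performed:", link.searches)  # jsmith is resolved once, then cached
```

Run it as a script to see the bushy layout; switch `layout="flat"` or `mode="entityAttributes"` to compare. The RDN escaping matters for the "name" field: a Grouper group whose extension contains a comma or plus would otherwise produce a DN that parses as extra RDNs, which is exactly the kind of mismatch that makes a search attribute and a separate DN attribute worth configuring.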

FAQ

How can I provision a boolean to LDAP?

...