2. Adding an LDAP Provisioning Target

Hands on time!

REQUIRED ROLE: CMP Administrator👑 -OR- CO Administrator👑

The first step to setting up provisioning is to define a Provisioning Target.

  1. Login as a CO Administrator and select your CO.

  2. Using the menu on the left, go to Configuration > Provisioning Targets to open the list of targets. (There shouldn’t be any yet!)

  3. Click the Add Provisioning Target link above the table to start the process of creating a new target.

  4. Configure the new Provisioning Target. All of the currently active Provisioning Plugins will be available in the Plugin dropdown list. For this workshop, the list includes Grouper and LDAP. Note: the form that appears here is common to all Provisioners. If the Provisioner that you select requires additional configuration, it will be presented once you click the ADD button in this form.

    (Each item gives Field: Value, followed by description / notes.)

    • Description: Enterprise LDAP. A description of the target system that this Provisioning rule will affect.
    • Plugin: LdapProvisioner. The Plugin to provision to LDAP.
    • Status: Automatic Mode. There are four modes, as described in the Provisioning Overview.
    • Provisioning Group: blank. This setting determines which group will be provisioned as a result of running this rule. Leaving this value blank will provision all attributes, including group memberships, to all CO Persons. For inactive CO Persons this setting will leave a skeleton record in LDAP for referential integrity, but all group information will be deprovisioned.
    • Skip if Associated with Org Identity Source: blank. This feature is rarely used.
    • Order: blank. Since we only have one provisioner it is left blank. This field is useful if you have multiple rules that need to be executed in a particular order. NOTE: in future versions, the order will be removed because asynchronous processing will be enabled.

  5. Click the SAVE button to save your work. This action will save this information and open a new form to collect information specific to the LDAP Provisioning Plugin. Fill out this form as follows (Note: you may need to talk with the administrator for your LDAP directory service for some of this information):

    (Each item gives Field: Value, followed by description / notes.)

    • Server URL: ldap://ldap. Here we will use the internal service name, since this service is running in a Docker container.
    • Bind DN: uid=registry_user,ou=system,o=Training,dc=comanage,dc=incommon,dc=training. Talk with the administrator for your LDAP directory service to get this information.
    • Password: our workshop password. Talk with the administrator for your LDAP directory service to get this information.
    • People DN Identifier Type: Enterprise. We will be using the enterprise identifier that you created in an earlier lesson.
    • People DN Attribute Name: voPersonID.
    • People Base DN: ou=people,o=Training,dc=comanage,dc=incommon,dc=training. Talk with the administrator for your LDAP directory service to get this information.
    • Group Base DN: ou=groups,o=Training,dc=comanage,dc=incommon,dc=training. Talk with the administrator for your LDAP directory service to get this information.
    • Attribute Scope: blank. Usually not used.
    • Unconfigured Attribute Mode: Remove. The information in LDAP is more authoritative than that from COmanage for unconfigured attributes.
    • Enable Attribute Options: unchecked. This field is out of scope for this training. We can discuss it later if time and interest allow.
    • Attributes: see below. The mapping from COmanage attributes to those in LDAP.
    • Additional Person Object Classes: blank. Enables one to extend the list of attributes exchanged.
    • Additional Group Object Classes: blank. Enables one to extend the list of attributes exchanged.

Attributes

Attributes are organized as object classes that contain fields. To exchange attributes, one must first enable the object class and then select the fields that should be exchanged. A few fields are required:

  • ENABLED: person objectclass
    • sn
    • cn
  • ENABLED: organizationalPerson objectclass
  • ENABLED: inetOrgPerson objectclass
    • givenName
    • displayName (official)
    • mail (official)
    • uid (UID) - Use the value from Org Identity

The following additional attributes will be provisioned for this Plugin in this example:

  • ENABLED: groupOfNames objectclass
    • cn
    • member
  • ENABLED: eduMember objectclass
    • isMemberOf (for PERSON)
  • ENABLED: voPerson objectclass
    • voPersonID (Enterprise - the Identity we created)
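To make the mapping above concrete, here is an added example (not code from the COmanage training or from the LdapProvisioner plugin) that renders the LDAP entries the enabled object classes imply for one CO Person and one CO Group. The People Base DN, Group Base DN and People DN Attribute Name are the values from the form above; the person and group records are constructed sample data, and the assumption that isMemberOf carries CO Group names is marked in the code. The DN is built with RFC 4514 escaping so that an identifier containing a comma or plus sign cannot shift the entry to a different DN.

```python
"""Added example; not code from the COmanage training or the LdapProvisioner plugin.
Renders the LDAP entries the attribute mapping enabled above implies for one CO
Person and one CO Group, so a provisioning run can be checked against what the
directory actually contains. Base DNs and attribute names come from the workshop
form; the people and groups below are constructed sample data."""

PEOPLE_BASE_DN = "ou=people,o=Training,dc=comanage,dc=incommon,dc=training"
GROUP_BASE_DN = "ou=groups,o=Training,dc=comanage,dc=incommon,dc=training"
PEOPLE_DN_ATTR = "voPersonID"  # "People DN Attribute Name" from the form

# Characters that need a backslash inside an RDN value (RFC 4514, section 2.4).
_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an identifier for use as an RDN value. Without this, a comma or
    '+' in the identifier would be parsed as a DN separator and the entry
    would land at a DN other than the intended one."""
    out = []
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def person_dn(vo_person_id: str) -> str:
    """DN of a CO Person: the Enterprise identifier as voPersonID under the People Base DN."""
    return f"{PEOPLE_DN_ATTR}={escape_rdn_value(vo_person_id)},{PEOPLE_BASE_DN}"


def person_entry(p: dict) -> dict:
    """Attributes exchanged by the enabled object classes (person,
    organizationalPerson, inetOrgPerson, eduMember, voPerson) for one record."""
    return {
        "dn": person_dn(p["voPersonID"]),
        "objectClass": ["person", "organizationalPerson", "inetOrgPerson",
                        "eduMember", "voPerson"],
        "sn": [p["sn"]],
        "cn": [p["cn"]],
        "givenName": [p["givenName"]],
        "displayName": [p["displayName"]],  # official name
        "mail": [p["mail"]],                # official e-mail address
        "uid": [p["uid"]],                  # UID identifier from the Org Identity
        # Assumption: isMemberOf carries the names of the CO Groups the person is in.
        "isMemberOf": sorted(p["groups"]),
        "voPersonID": [p["voPersonID"]],    # the Enterprise identifier
    }


def group_entry(name: str, people: list) -> dict:
    """groupOfNames entry for one CO Group; member values are person DNs."""
    return {
        "dn": f"cn={escape_rdn_value(name)},{GROUP_BASE_DN}",
        "objectClass": ["groupOfNames"],
        "cn": [name],
        "member": [person_dn(p["voPersonID"]) for p in people if name in p["groups"]],
    }


def to_ldif(entry: dict) -> str:
    """Serialise an entry as LDIF, the form `ldapsearch -LLL` prints."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


# Constructed sample population; not real workshop data.
SAMPLE_PEOPLE = [
    {"voPersonID": "training-00042", "sn": "Doe", "cn": "Jane Doe",
     "givenName": "Jane", "displayName": "Jane Doe",
     "mail": "jane.doe@example.edu", "uid": "jdoe",
     "groups": ["CO:members:active", "workshop-admins"]},
    {"voPersonID": "training-00043", "sn": "Roe", "cn": "Rick Roe",
     "givenName": "Rick", "displayName": "Rick Roe",
     "mail": "rick.roe@example.edu", "uid": "rroe",
     "groups": ["CO:members:active"]},
]

if __name__ == "__main__":
    for p in SAMPLE_PEOPLE:
        print(to_ldif(person_entry(p)))
    print(to_ldif(group_entry("workshop-admins", SAMPLE_PEOPLE)))
```

Running the script prints the LDIF you would expect `ldapsearch -LLL -b "ou=people,o=Training,dc=comanage,dc=incommon,dc=training"` to return once the person has been provisioned; comparing the two is a quick way to confirm that every enabled field, and only those fields, reached the directory.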

Hands on - Provision someone to LDAP

Hands on time!

REQUIRED ROLE: CMP Administrator👑 -OR- CO Administrator👑

Provision someone to LDAP

  1. Select a person from your population. From the left menu, select People > My Population. Click the Edit button next to one of the names.
  2. From the menu on the right, click the Provisioned Services link to display the possible rules that can be run (from those that you created). Doing this for one CO Person will let you check the provisioning to make sure that it is doing what you expect.
  3. Once you have checked the rule, reprovision all records using the Reprovisioning a Target process described below.

Reprovisioning a Target

It is possible to reprovision (or provision for the first time for new rules) all records for a given target.

  1. From the Configuration menu for your CO, select the Provisioning Targets link.
  2. For the Provisioning Target rule that you just created, click the Reprovision All button. This action effectively calls manual provisioning for each defined CO Person and CO Group (whether or not they are active). For large datasets, this operation may take a while.

Note that reprovisioning has no way of knowing how to clear entries from the provisioning target that are not known to COmanage Registry. A typical pattern for reprovisioning all records would be to first clear out the target entirely (e.g., delete all records from the LDAP server) and then execute Reprovision All.
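Because Reprovision All only touches records Registry knows about, it helps to list the entries under the People Base DN that Registry does not know before deciding whether the subtree must be cleared. The following is an added example (not code from the COmanage training or the LdapProvisioner plugin) that parses `ldapsearch -LLL` output and reports such orphaned entries. The People Base DN is the one from the form above; the LDIF text and the set of Registry identifiers are constructed sample data, and the parser handles the folded lines and base64 (`::`) values that ldapsearch emits.

```python
"""Added example; not code from the COmanage training or the LdapProvisioner plugin.
Before running Reprovision All, list the entries under the People Base DN that
Registry no longer knows about, since reprovisioning will leave them in place.
The People Base DN is the one from the workshop form; the LDIF text and the
Registry identifier set below are constructed sample data."""
import base64

PEOPLE_BASE_DN = "ou=people,o=Training,dc=comanage,dc=incommon,dc=training"
PEOPLE_DN_ATTR = "voPersonID"


def parse_ldif(text: str) -> list:
    """Minimal parser for `ldapsearch -LLL` output: unfolds continuation lines
    (a leading space), decodes 'attr:: <base64>' values and splits entries on
    blank lines. Returns a list of {"dn": str, attr: [values, ...]} dicts."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:  # the trailing "" closes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = {"dn": value}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def find_orphans(ldif_text: str, registry_ids: set) -> list:
    """DNs under the People Base DN whose voPersonID is not known to Registry.
    Reprovision All never touches these, so they must be cleared separately."""
    suffix = "," + PEOPLE_BASE_DN.lower()
    orphans = []
    for entry in parse_ldif(ldif_text):
        if not entry["dn"].lower().endswith(suffix):
            continue  # the ou itself, or an entry outside the provisioned subtree
        ids = entry.get(PEOPLE_DN_ATTR, [])
        if not ids or ids[0] not in registry_ids:
            orphans.append(entry["dn"])
    return orphans


# Constructed sample of `ldapsearch -LLL -b "$PEOPLE_BASE_DN"` output. It
# includes a folded DN line (ldapsearch wraps long lines) and a base64 value.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn: ou=people,o=Training,dc=comanage,dc=incommon,dc=training
objectClass: organizationalUnit
ou: people

dn: voPersonID=training-00042,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
objectClass: person
objectClass: voPerson
cn: Jane Doe
sn: Doe
voPersonID: training-00042

dn: voPersonID=stale-00007,ou=people,o=Training,dc=comanage,dc=incommon,dc=tra
 ining
objectClass: person
objectClass: voPerson
cn:: UmVtb3ZlZCBBY2NvdW50
sn: Removed
voPersonID: stale-00007
"""

# Constructed: the Enterprise identifiers Registry currently holds for this CO.
REGISTRY_IDS = {"training-00042"}

if __name__ == "__main__":
    for dn in find_orphans(SAMPLE_LDAPSEARCH_OUTPUT, REGISTRY_IDS):
        print("not known to Registry:", dn)
```

In practice the LDIF would come from a read-only bind against the target rather than an embedded string, and the identifier set from Registry's own list of CO People; an empty result means Reprovision All alone will bring the subtree in line, while any reported DN is one that only a separate clean-up (such as the full clear-out described above) will remove.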