Details
Bug
Resolution: Duplicate
Minor
2.3.0
None
Description
With release 2.3 and the patches up to Mar 1, 2017, PSPNG's ldap-attribute provisioning is unable to control the entire attribute if the values provisioned don't share a common prefix.
This issue is requesting that PSPNG be configurable to completely own the destination attribute. This will likely be allProvisionedValuesPrefix=*.
From Paul Engle on the grouper-users list, 2/20/2017:
> I understand how to make Grouper authoritative for prefixed values of an
> LDAP attribute using the LdapAttributeProvisioner and setting a value
> for the grouperIsAuthoritative & allProvisionedAttributePrefix
> properties. But how can I do so for all values of an attribute,
> without a prefix?
>
> Up to now, we've had isMemberOf populated from the group name, so they
> don't all share a common prefix. Introducing a prefix at this stage
> would break several applications that are already using the existing
> values. I thought I could be clever and put in a string like '*:',
> making the resultant LDAP filter be (isMemberOf=*:*). But apparently
> later on during the reconciliation, the prefix is made part of a regex,
> so the asterisk blows it up.
>
> Is there any way to specify an empty string for the property? If not,
> can that be a feature request? If I can get this one issue solved, then
> I think I will have a fully functional pspng equivalent of our existing
> psp config.
>
> -paul
--
Paul Engle
Office of Information Technology
pengle@rice.edu
713-348-4702
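The failure described in the quoted message, and one way an empty prefix could select every value, as an added example that is not PSPNG code. It assumes the provisioner derives both an LDAP search filter (prefix followed by `*`) and a regex from the configured prefix; the class and method names are hypothetical and the attribute values are constructed.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import java.util.stream.Collectors;

public class PrefixOwnership {
    // RFC 4515 escaping, so a prefix is matched literally inside a search filter.
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // With an empty prefix this yields the presence filter (attr=*): every value is owned.
    static String ownedValuesFilter(String attr, String prefix) {
        return "(" + attr + "=" + escapeFilter(prefix) + "*)";
    }

    // Pattern.quote turns the prefix into a literal; an empty prefix matches every value.
    static Pattern ownedValuesPattern(String prefix) {
        return Pattern.compile(Pattern.quote(prefix) + ".*", Pattern.DOTALL);
    }

    static List<String> owned(List<String> values, String prefix) {
        Pattern p = ownedValuesPattern(prefix);
        return values.stream().filter(v -> p.matcher(v).matches()).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample values of a multi-valued attribute such as isMemberOf.
        List<String> values = List.of("app:wiki:editors", "staff", "*:literal");
        try {
            Pattern.compile("*:" + ".*"); // unquoted prefix, as in the report
        } catch (PatternSyntaxException e) {
            System.out.println("unquoted prefix rejected: " + e.getDescription());
        }
        for (String prefix : List.of("", "app:", "*:")) {
            System.out.println(ownedValuesFilter("isMemberOf", prefix) + " -> " + owned(values, prefix));
        }
    }
}
```

Escaping the prefix in both places means a configured `*:` is treated as a literal value prefix rather than a wildcard, so the only way to claim the whole attribute is the explicit empty prefix.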