Description
The LDAP entity provisioner is provisioning an attribute that only exists for entities with a specific objectClass. Matching is on uid=subjectId. Debugging shows it is only querying on the uid: it does not use objectClass in the filter, nor does the provisioner later exclude found entities by that criterion.
Setup #1: Select all entities at once during full sync = false
Attempt 1: Set objectClass attribute = exampleEduPerson
Result: No effect; debug log shows ldap filter is the member set: `(|(uid=800000000)(uid=900))`
Attempt 2: Set Entity search filter: `(&(uid=${targetGroup.retrieveAttributeValue('uid')})(objectClass=exampleEduPerson))`
Result: No effect. Does this mean the "Entity search filter" is never used for anything?
Setup #2: Select all entities at once during full sync = true
Attempt 1: Search all filter blank (should default to uid=* and objectClass=...)
Result: Yes, filter is `(&(uid=*)(objectclass=berkeleyEduPerson))`
Attempt 2: Set Entity search all filter = `objectClass=exampleEduPerson`
Result: This works; filter is `objectClass=exampleEduPerson`
So the only way to filter users by objectClass is to opt to select all entities at once. There doesn't seem to be a way to filter the returned users when not selecting all entities.
At minimum, the help text for the search filter and search all filter should note they are ineffective unless searching all users at once.
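For reference, the filter the report expected in Setup #1 is the membership OR-list wrapped in an AND with the objectClass term, and the fallback it mentions is a client-side objectClass check on the returned entries. The following is an added example illustrating both, not code from the provisioner or from the report; the helper names, the sample entries and the `SAMPLE_*` values are constructed assumptions, and values are escaped per RFC 4515 before being placed in the filter.

```python
"""Construct the objectClass-restricted member filter, and post-filter entries.

Added example; hypothetical helpers, not the provisioner's own code.
"""

# RFC 4515 escaping for attribute values embedded in a search filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(attr: str, values: list[str]) -> str:
    """Build the member-set filter seen in the report, e.g. (|(uid=a)(uid=b)).

    A single member collapses to a plain equality term.
    """
    terms = [f"({attr}={escape_filter_value(v)})" for v in values]
    if len(terms) == 1:
        return terms[0]
    return "(|" + "".join(terms) + ")"


def member_filter_with_objectclass(attr: str, values: list[str], object_class: str) -> str:
    """AND the member set with an objectClass restriction.

    This is the filter the report expected when a single objectClass is configured.
    """
    oc_term = f"(objectClass={escape_filter_value(object_class)})"
    return "(&" + oc_term + member_filter(attr, values) + ")"


def search_all_filter(attr: str, object_class: str) -> str:
    """The 'select all entities at once' default shape: (&(uid=*)(objectClass=...))."""
    return f"(&({attr}=*)(objectClass={escape_filter_value(object_class)}))"


def filter_by_objectclass(entries: list[dict], object_class: str) -> list[dict]:
    """Client-side fallback: keep only entries carrying the wanted objectClass.

    objectClass values are compared case-insensitively, matching LDAP's
    objectIdentifierMatch semantics for that attribute.
    """
    wanted = object_class.lower()
    return [
        e for e in entries
        if wanted in (oc.lower() for oc in e.get("objectClass", []))
    ]


# Constructed sample data, using the uids and objectClass from the report.
SAMPLE_MEMBERS = ["800000000", "900"]
SAMPLE_OBJECTCLASS = "exampleEduPerson"
SAMPLE_ENTRIES = [
    {"uid": "800000000", "objectClass": ["top", "person", "exampleEduPerson"]},
    {"uid": "900", "objectClass": ["top", "person"]},
]


def demo() -> dict:
    """Return the three filters and the post-filtered uid list for the sample data."""
    return {
        "member_only": member_filter("uid", SAMPLE_MEMBERS),
        "member_with_oc": member_filter_with_objectclass("uid", SAMPLE_MEMBERS, SAMPLE_OBJECTCLASS),
        "search_all": search_all_filter("uid", SAMPLE_OBJECTCLASS),
        "kept_uids": [e["uid"] for e in filter_by_objectclass(SAMPLE_ENTRIES, SAMPLE_OBJECTCLASS)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the member-only filter from the report's debug log next to the objectClass-restricted version, and shows that the client-side check drops the `uid=900` entry because it lacks the configured objectClass.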