voPersonExternalID, authentication identifiers, and provisioning to LDAP

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • COmanage Registry Future
    • Affects Version/s: COmanage Registry 3.2.3 (Oyster Pearl MR3)
    • Component/s: Registry
    • None

      It should probably be possible to provision multiple identifiers to voPersonExternalID. It is often the case that a user brings combinations of identifiers like ePPN and OIDC sub (via a gateway like CILogon) or ePPN and ePTID, and we want to be able to get all of them provisioned to LDAP into the voPersonExternalID attribute.

      --------------------

      OLD DESCRIPTION

      The "right" LDAP attribute to record external identifiers asserted during authentication such as ePPN, ePTID, OIDC sub, subject-id, and the like is voPersonExternalID. When using EnvSource those identifiers are attached to the OrgId and there is no simple way for them to "migrate" to the CoPerson record. But the LDAP Provisioner only supports pulling values to be provisioned for voPersonExternalID from the CoPerson record and not the OrgId.

      Either the LDAP provisioner should support pulling values from the OrgId as is the case with "uid", or there should be a way for identifiers to migrate from the OrgId to the CoPerson record.

      Additionally, it should probably be possible to provision multiple identifiers to voPersonExternalID. It is often the case that a user brings combinations of identifiers like ePPN and OIDC sub (via a gateway like CILogon) or ePPN and ePTID, and we want to be able to get all of them provisioned to LDAP into the voPersonExternalID attribute.

            Assignee:
            Benn Oshrin (internet2.edu)
            Reporter:
            Scott Koranda SCG (Inactive)
            Votes:
            0
            Watchers:
            2
