You are here

Home » API reference » LDAP integration 6

README-PUID.txt in LDAP integration 6 

LDAP Integration Module - Persistent and Unique IDs (PUID)

Overview
========

LDAP Integration needs to map Drupal users to LDAP user.  Generally, just 
mapping via the user name works.  However, LDAP in enterprise settings can
be a very dynamic. People can change user names and e-mail addresses, be moved 
between LDAP trees (e.g. ou=Contract -> ou=Employee), and the like.

The PUID attribute can be used to better map LDAP users to Drupal users.  This
will allow LDAP Integration to definitively map an LDAP object to a Drupal user.

The PUID can be a site specific attribute such as employeeNumber.  It can also
use one of the various default attributes that LDAP servers supply for this
purpose.  Some examples are:

entryUUID - RFC 4530 standard operational attribute which the server assigns
            a unique GUID to each LDAP object.  OpenLDAP, Apache DS, and other
            impliment this.
            
objectGUID - Microsoft Active Directory standard attribute which get a unique
             GUID as well.  NOTE:  This is a binary attributes.

Note that most major LDAP servers currently have an attribute that supplies
this functionality, even if the don't support RFC 4530.  Review your server
documentation to determine what this is.
             
             
Using PUID with LDAP Integration
================================

The first step is make sure you have the latest version of LDAP Integration
install (after 4/24/2012) and have run UPDATE.php

Next, you can edit your LDAP server settings to define the attribute to use
for a PUID.

Once you define a PUID, new users will be automatically be associated with 
this as their accounts are created.  Existing users will be mapped to the
PUID as they log on.  With the next version of ldapsync, this can also be 
done by syncing the LDAP to Drupal users.

An existing Drupal user is mapped via the PUID to an LDAP user if the following
test are all true:

- The Drupal user name matches the Authenticated ldap user name attribute.
- The matching user is marked as an ldap user.
- The Drupal user's stored dn matches the ldap dn
- The Drupal user's server id matches the ldap server id or the Drupal sid does 
  not exist anymore (i.e. server deleted/recreated)
  
Note that if the matching user is not an ldap user, the User conflict settings
will be used to associate this or deny access.

Some Operational Notes
======================

The PUID LDAP to Drupal user mappings are cleared when:

- The PUID attribute is changed (or set initially) or
- The Server entry is deleted.

This should not have any major impact other than causing the "matching" rules
to come into play as existing users log in.  You may want to use ldapsync to
prevent any problems with name changes before the person logs in.


Note that not all tools and LDAP backup software will properly migrate 
the operational UUID attributes.  Many do, so make sure that your backup 
and recovery/migrate processes include the PUID attributes.

If your recover/migrate without these, you will have to clear the 
ldapauth_users info for the effected server(s).  This can be done by 
blanking out the PUID attribute, saving the server, then reentering the
PUID value and saving the server.  Existing users will be mapped according 
to the rules above. 

Developer Notes:
================

The PUID mapping information is stored in the ldapauth_users table and can be
managed by the ldapauth_userinfo_* CRUD functions in the ldap.core.inc file.

There are two hooks that can effect Drupal to LDAP user mapping.  These are:

/**
 * Called if the LDAP user's PUID attribute does not exist or is empty.
 */
hook_ldap_user_puid_alter( &$puid, $name, $dn, $sid)

This is a way for a site specific module to create or calculate PUID values for
users.  Note that implementors will need to save this to the LDAP entry since 
ldapauth may not have LDAP auth write priviledges.
   
/**
 * Called after the ldap user is authenticated but before the Drupal user
 * lookup/create process is done.
 */
hook_ldap_drupal_user_name_alter( &$name, $ldap, $dn )

This allows sites to use a custom module to define the Drupal user name that 
will be used to map to an LDAP user.  

For example, if you have multiple servers with a possiblity of duplicate user 
names, you can use this to prefix the Drupal name with the server machine name.
So, LDAP user jsmith on the Student server maps to Drupal user id student-jsmith
while jsmith on the Staff server maps to staff-jsmith.

With a PUID, both users can log on using jsmith and their password and be 
correctly mapped to different Drupal users.  Of course, if both users happen 
to choose the same password... there may be problems.
   
See the ldapauth.api.php file for argument details.

File

README-PUID.txt
View source 
  1. 

  2. LDAP Integration Module - Persistent and Unique IDs (PUID)

  3. 

  4. Overview

  5. ========

  6. 

  7. LDAP Integration needs to map Drupal users to LDAP user.  Generally, just 

  8. mapping via the user name works.  However, LDAP in enterprise settings can

  9. be a very dynamic. People can change user names and e-mail addresses, be moved 

  10. between LDAP trees (e.g. ou=Contract -> ou=Employee), and the like.

  11. 

  12. The PUID attribute can be used to better map LDAP users to Drupal users.  This

  13. will allow LDAP Integration to definitively map an LDAP object to a Drupal user.

  14. 

  15. The PUID can be a site specific attribute such as employeeNumber.  It can also

  16. use one of the various default attributes that LDAP servers supply for this

  17. purpose.  Some examples are:

  18. 

  19. entryUUID - RFC 4530 standard operational attribute which the server assigns

  20.             a unique GUID to each LDAP object.  OpenLDAP, Apache DS, and other

  21.             impliment this.

  22.             

  23. objectGUID - Microsoft Active Directory standard attribute which get a unique

  24.              GUID as well.  NOTE:  This is a binary attributes.

  25. 

  26. Note that most major LDAP servers currently have an attribute that supplies

  27. this functionality, even if the don't support RFC 4530.  Review your server

  28. documentation to determine what this is.

  29.              

  30.              

  31. Using PUID with LDAP Integration

  32. ================================

  33. 

  34. The first step is make sure you have the latest version of LDAP Integration

  35. install (after 4/24/2012) and have run UPDATE.php

  36. 

  37. Next, you can edit your LDAP server settings to define the attribute to use

  38. for a PUID.

  39. 

  40. Once you define a PUID, new users will be automatically be associated with 

  41. this as their accounts are created.  Existing users will be mapped to the

  42. PUID as they log on.  With the next version of ldapsync, this can also be 

  43. done by syncing the LDAP to Drupal users.

  44. 

  45. An existing Drupal user is mapped via the PUID to an LDAP user if the following

  46. test are all true:

  47. 

  48. - The Drupal user name matches the Authenticated ldap user name attribute.

  49. - The matching user is marked as an ldap user.

  50. - The Drupal user's stored dn matches the ldap dn

  51. - The Drupal user's server id matches the ldap server id or the Drupal sid does 

  52.   not exist anymore (i.e. server deleted/recreated)

  53.   

  54. Note that if the matching user is not an ldap user, the User conflict settings

  55. will be used to associate this or deny access.

  56. 

  57. Some Operational Notes

  58. ======================

  59. 

  60. The PUID LDAP to Drupal user mappings are cleared when:

  61. 

  62. - The PUID attribute is changed (or set initially) or

  63. - The Server entry is deleted.

  64. 

  65. This should not have any major impact other than causing the "matching" rules

  66. to come into play as existing users log in.  You may want to use ldapsync to

  67. prevent any problems with name changes before the person logs in.

  68. 

  69. 

  70. Note that not all tools and LDAP backup software will properly migrate 

  71. the operational UUID attributes.  Many do, so make sure that your backup 

  72. and recovery/migrate processes include the PUID attributes.

  73. 

  74. If your recover/migrate without these, you will have to clear the 

  75. ldapauth_users info for the effected server(s).  This can be done by 

  76. blanking out the PUID attribute, saving the server, then reentering the

  77. PUID value and saving the server.  Existing users will be mapped according 

  78. to the rules above. 

  79. 

  80. Developer Notes:

  81. ================

  82. 

  83. The PUID mapping information is stored in the ldapauth_users table and can be

  84. managed by the ldapauth_userinfo_* CRUD functions in the ldap.core.inc file.

  85. 

  86. There are two hooks that can effect Drupal to LDAP user mapping.  These are:

  87. 

  88. /**

  89.  * Called if the LDAP user's PUID attribute does not exist or is empty.

  90.  */

  91. hook_ldap_user_puid_alter( &$puid, $name, $dn, $sid)

  92. 

  93. This is a way for a site specific module to create or calculate PUID values for

  94. users.  Note that implementors will need to save this to the LDAP entry since 

  95. ldapauth may not have LDAP auth write priviledges.

  96.    

  97. /**

  98.  * Called after the ldap user is authenticated but before the Drupal user

  99.  * lookup/create process is done.

  100.  */

  101. hook_ldap_drupal_user_name_alter( &$name, $ldap, $dn )

  102. 

  103. This allows sites to use a custom module to define the Drupal user name that 

  104. will be used to map to an LDAP user.  

  105. 

  106. For example, if you have multiple servers with a possiblity of duplicate user 

  107. names, you can use this to prefix the Drupal name with the server machine name.

  108. So, LDAP user jsmith on the Student server maps to Drupal user id student-jsmith

  109. while jsmith on the Staff server maps to staff-jsmith.

  110. 

  111. With a PUID, both users can log on using jsmith and their password and be 

  112. correctly mapped to different Drupal users.  Of course, if both users happen 

  113. to choose the same password... there may be problems.

  114.    

  115. See the ldapauth.api.php file for argument details.