You are here

README-PUID.txt in LDAP integration 6

LDAP Integration Module - Persistent and Unique IDs (PUID)

Overview
========

LDAP Integration needs to map Drupal users to LDAP user.  Generally, just 
mapping via the user name works.  However, LDAP in enterprise settings can
be a very dynamic. People can change user names and e-mail addresses, be moved 
between LDAP trees (e.g. ou=Contract -> ou=Employee), and the like.

The PUID attribute can be used to better map LDAP users to Drupal users.  This
will allow LDAP Integration to definitively map an LDAP object to a Drupal user.

The PUID can be a site specific attribute such as employeeNumber.  It can also
use one of the various default attributes that LDAP servers supply for this
purpose.  Some examples are:

entryUUID - RFC 4530 standard operational attribute which the server assigns
            a unique GUID to each LDAP object.  OpenLDAP, Apache DS, and other
            impliment this.
            
objectGUID - Microsoft Active Directory standard attribute which get a unique
             GUID as well.  NOTE:  This is a binary attributes.

Note that most major LDAP servers currently have an attribute that supplies
this functionality, even if the don't support RFC 4530.  Review your server
documentation to determine what this is.
             
             
Using PUID with LDAP Integration
================================

The first step is make sure you have the latest version of LDAP Integration
install (after 4/24/2012) and have run UPDATE.php

Next, you can edit your LDAP server settings to define the attribute to use
for a PUID.

Once you define a PUID, new users will be automatically be associated with 
this as their accounts are created.  Existing users will be mapped to the
PUID as they log on.  With the next version of ldapsync, this can also be 
done by syncing the LDAP to Drupal users.

An existing Drupal user is mapped via the PUID to an LDAP user if the following
test are all true:

- The Drupal user name matches the Authenticated ldap user name attribute.
- The matching user is marked as an ldap user.
- The Drupal user's stored dn matches the ldap dn
- The Drupal user's server id matches the ldap server id or the Drupal sid does 
  not exist anymore (i.e. server deleted/recreated)
  
Note that if the matching user is not an ldap user, the User conflict settings
will be used to associate this or deny access.

Some Operational Notes
======================

The PUID LDAP to Drupal user mappings are cleared when:

- The PUID attribute is changed (or set initially) or
- The Server entry is deleted.

This should not have any major impact other than causing the "matching" rules
to come into play as existing users log in.  You may want to use ldapsync to
prevent any problems with name changes before the person logs in.


Note that not all tools and LDAP backup software will properly migrate 
the operational UUID attributes.  Many do, so make sure that your backup 
and recovery/migrate processes include the PUID attributes.

If your recover/migrate without these, you will have to clear the 
ldapauth_users info for the effected server(s).  This can be done by 
blanking out the PUID attribute, saving the server, then reentering the
PUID value and saving the server.  Existing users will be mapped according 
to the rules above. 

Developer Notes:
================

The PUID mapping information is stored in the ldapauth_users table and can be
managed by the ldapauth_userinfo_* CRUD functions in the ldap.core.inc file.

There are two hooks that can effect Drupal to LDAP user mapping.  These are:

/**
 * Called if the LDAP user's PUID attribute does not exist or is empty.
 */
hook_ldap_user_puid_alter( &$puid, $name, $dn, $sid)

This is a way for a site specific module to create or calculate PUID values for
users.  Note that implementors will need to save this to the LDAP entry since 
ldapauth may not have LDAP auth write priviledges.
   
/**
 * Called after the ldap user is authenticated but before the Drupal user
 * lookup/create process is done.
 */
hook_ldap_drupal_user_name_alter( &$name, $ldap, $dn )

This allows sites to use a custom module to define the Drupal user name that 
will be used to map to an LDAP user.  

For example, if you have multiple servers with a possiblity of duplicate user 
names, you can use this to prefix the Drupal name with the server machine name.
So, LDAP user jsmith on the Student server maps to Drupal user id student-jsmith
while jsmith on the Staff server maps to staff-jsmith.

With a PUID, both users can log on using jsmith and their password and be 
correctly mapped to different Drupal users.  Of course, if both users happen 
to choose the same password... there may be problems.
   
See the ldapauth.api.php file for argument details.

File

README-PUID.txt
View source
  1. LDAP Integration Module - Persistent and Unique IDs (PUID)
  2. Overview
  3. ========
  4. LDAP Integration needs to map Drupal users to LDAP user. Generally, just
  5. mapping via the user name works. However, LDAP in enterprise settings can
  6. be a very dynamic. People can change user names and e-mail addresses, be moved
  7. between LDAP trees (e.g. ou=Contract -> ou=Employee), and the like.
  8. The PUID attribute can be used to better map LDAP users to Drupal users. This
  9. will allow LDAP Integration to definitively map an LDAP object to a Drupal user.
  10. The PUID can be a site specific attribute such as employeeNumber. It can also
  11. use one of the various default attributes that LDAP servers supply for this
  12. purpose. Some examples are:
  13. entryUUID - RFC 4530 standard operational attribute which the server assigns
  14. a unique GUID to each LDAP object. OpenLDAP, Apache DS, and other
  15. impliment this.
  16. objectGUID - Microsoft Active Directory standard attribute which get a unique
  17. GUID as well. NOTE: This is a binary attributes.
  18. Note that most major LDAP servers currently have an attribute that supplies
  19. this functionality, even if the don't support RFC 4530. Review your server
  20. documentation to determine what this is.
  21. Using PUID with LDAP Integration
  22. ================================
  23. The first step is make sure you have the latest version of LDAP Integration
  24. install (after 4/24/2012) and have run UPDATE.php
  25. Next, you can edit your LDAP server settings to define the attribute to use
  26. for a PUID.
  27. Once you define a PUID, new users will be automatically be associated with
  28. this as their accounts are created. Existing users will be mapped to the
  29. PUID as they log on. With the next version of ldapsync, this can also be
  30. done by syncing the LDAP to Drupal users.
  31. An existing Drupal user is mapped via the PUID to an LDAP user if the following
  32. test are all true:
  33. - The Drupal user name matches the Authenticated ldap user name attribute.
  34. - The matching user is marked as an ldap user.
  35. - The Drupal user's stored dn matches the ldap dn
  36. - The Drupal user's server id matches the ldap server id or the Drupal sid does
  37. not exist anymore (i.e. server deleted/recreated)
  38. Note that if the matching user is not an ldap user, the User conflict settings
  39. will be used to associate this or deny access.
  40. Some Operational Notes
  41. ======================
  42. The PUID LDAP to Drupal user mappings are cleared when:
  43. - The PUID attribute is changed (or set initially) or
  44. - The Server entry is deleted.
  45. This should not have any major impact other than causing the "matching" rules
  46. to come into play as existing users log in. You may want to use ldapsync to
  47. prevent any problems with name changes before the person logs in.
  48. Note that not all tools and LDAP backup software will properly migrate
  49. the operational UUID attributes. Many do, so make sure that your backup
  50. and recovery/migrate processes include the PUID attributes.
  51. If your recover/migrate without these, you will have to clear the
  52. ldapauth_users info for the effected server(s). This can be done by
  53. blanking out the PUID attribute, saving the server, then reentering the
  54. PUID value and saving the server. Existing users will be mapped according
  55. to the rules above.
  56. Developer Notes:
  57. ================
  58. The PUID mapping information is stored in the ldapauth_users table and can be
  59. managed by the ldapauth_userinfo_* CRUD functions in the ldap.core.inc file.
  60. There are two hooks that can effect Drupal to LDAP user mapping. These are:
  61. /**
  62. * Called if the LDAP user's PUID attribute does not exist or is empty.
  63. */
  64. hook_ldap_user_puid_alter( &$puid, $name, $dn, $sid)
  65. This is a way for a site specific module to create or calculate PUID values for
  66. users. Note that implementors will need to save this to the LDAP entry since
  67. ldapauth may not have LDAP auth write priviledges.
  68. /**
  69. * Called after the ldap user is authenticated but before the Drupal user
  70. * lookup/create process is done.
  71. */
  72. hook_ldap_drupal_user_name_alter( &$name, $ldap, $dn )
  73. This allows sites to use a custom module to define the Drupal user name that
  74. will be used to map to an LDAP user.
  75. For example, if you have multiple servers with a possiblity of duplicate user
  76. names, you can use this to prefix the Drupal name with the server machine name.
  77. So, LDAP user jsmith on the Student server maps to Drupal user id student-jsmith
  78. while jsmith on the Staff server maps to staff-jsmith.
  79. With a PUID, both users can log on using jsmith and their password and be
  80. correctly mapped to different Drupal users. Of course, if both users happen
  81. to choose the same password... there may be problems.
  82. See the ldapauth.api.php file for argument details.