[Using Sakai] ldap question

Steve Swinsburg steve.swinsburg at gmail.com
Wed Apr 16 05:15:50 PDT 2014


Hi Anders,

What I was thinking is that you could create a sakai_user record for each
user so at least you are preserving first name/lastname/email in the system
when they drop out of LDAP. Then disable the account (2.9 feature). The
user won't be able to be added to sites and you'll have info as to who they
are when doing queries on the course data. And you could later on just
enable their account and reset their password to grant access the same as
it was before.

This is something I've done before, people get converted to a guest/alumni
account once they leave the university etc.

As per last email, creating that record may not be necessary if the EID is
enough for you to identify someone. So YMMV.

The bug still exists where users that just disappear (either from LDAP or
being deleted) that are still in a site have their realm reference left
behind and orphaned. And they are unable to be removed within the Realm UI
since the user doesn't resolve to anything. Creating the sakai_user record
would fix that. It's not a big deal though, but it's a bit dirty.
https://jira.sakaiproject.org/browse/SAK-7775

Basically, that is what happens when a user is removed from LDAP. They
can't login since their LDAP credentials are no longer valid, and Sakai
won't be able to resolve them in data lookups so they will essentially
disappear from the system.

If doing any of this record manipulation you'd need to be able to retrieve
details from somewhere for users that have sakai_user_id_map records but
don't have a sakai_user record and no longer exist in LDAP (maybe a second
LDAP that doesn't get cleaned up immediately, or a database or something).

cheers,
Steve




On Wed, Apr 16, 2014 at 5:44 PM, Anders Nordkvist
<anders.nordqvist at his.se> wrote:

>  Hi Steve, and thanks for answering. As it is now we have EID on all
> users in the Sakai_user_id_map table in database. Which tables do you think
> I need to create for the users and how do I do that for them to be able to
> be visible in the system? Which tables are used for LDAP, and can you
> please explain what happens when the user is no longer available in the AD?
> Many questions :)
>
> Regards
>
> Anders Nordkvist
> System administrator
> University Of Skövde
> Sweden
>
> *From:* Steve Swinsburg [mailto:steve.swinsburg at gmail.com]
> *Sent:* 16 April 2014 00:22
>
> *To:* Anders Nordkvist
> *Cc:* sakai-user at collab.sakaiproject.org
> *Subject:* RE: [Using Sakai] ldap question
>
>
>
> If the eids are enough then maybe you don't even need the full user record
> created. Up to you depending on your current data.
>
> Cheers
>
> sent from my mobile device
>
> On 16/04/2014 8:20 AM, "Steve Swinsburg" <steve.swinsburg at gmail.com>
> wrote:
>
> No it's just something I thought of ;)
>
> LDAP users still get a record in the map table. Maybe you could have a job
> that finds orphans and creates the other part of the record (sakai_user).
>
> Cheers
> Steve
>
> sent from my mobile device
>
> On 15/04/2014 11:36 PM, "Anders Nordkvist" <anders.nordqvist at his.se>
> wrote:
>
> Thanks for answering Steve!
>
> That sounds like a plausible solution but how can I implement it? Is there
> some webpage that describes something similar?
>
>
>
>
>
> Regards
>
> Anders Nordqvist
> System administrator
> ________________________
> IT department
> Högskolan i Skövde
> Box 408
> 541 28 Skövde
> tel. 0500-44 81 78
> e-mail anders.nordqvist at his.se
>
>
>
>
>
> *From:* Steve Swinsburg [mailto:steve.swinsburg at gmail.com]
> *Sent:* 15 April 2014 13:59
> *To:* Anders Nordkvist
> *Cc:* sakai-user at collab.sakaiproject.org
> *Subject:* Re: [Using Sakai] ldap question
>
>
>
> One way would be to have a process that turns that user into an internal
> user, then disables their account to prevent them logging in. They can
> still be removed from sites as normal.
>
>
>
> This will allow you to continue to map the user eid (jsmith26) onto the
> uuid, which is what the data is stored against, and look it up in the
> database.
>
>
>
> cheers,
>
> Steve
>
>
>
> On Tue, Apr 15, 2014 at 9:41 PM, Anders Nordkvist <anders.nordqvist at his.se>
> wrote:
>
> Hi everyone,
>
>
>
> We in Skövde, Sweden, have Sakai 2.9.x and use LDAP for integrating users
> into Sakai from our Active Directory. When a user quits his/her courses and
> some time has passed he or she will be removed and cannot log in to Sakai
> anymore. The problem is that all data from assignments that the student
> becomes unreachable because the student isn’t in the system anymore. I know
> that all information is still in Sakai but you can’t get it because the
> LDAP connection is broken. Does anyone know how to in an easy way (if
> possible) get to the information? When I search in the assignment tables in
> the database on one of the removed students I can’t find any human readable
> paths to the information, everything is in binary stored in the filesystem.
> I have also looked for tables that store LDAP information in Sakai database
> (MySQL) but couldn’t find any. I suppose everything is stored in memory, if
> this is the case where can I see this?
>
>
>
> Regards
>
> Anders Nordkvist
>
> System administrator
>
> University Of Skövde
>
> Sweden
>
>
>
>
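The orphan-finding job discussed in this thread, as an added example that is not code from the thread or from Sakai: it lists users that have a SAKAI_USER_ID_MAP row but no SAKAI_USER row and no longer resolve in LDAP, counts the realm references still pointing at them, and checks a second source for their details. Assumptions: the table definitions are simplified stand-ins, the names `find_orphans`, `ldap_eids` and `archive` are hypothetical, and all sample users are constructed.

```python
import sqlite3

# Constructed, simplified stand-ins for the Sakai tables named in the thread
# (assumption: the real tables carry more columns than shown here).
SCHEMA = """
CREATE TABLE SAKAI_USER_ID_MAP (USER_ID TEXT PRIMARY KEY, EID TEXT UNIQUE);
CREATE TABLE SAKAI_USER (USER_ID TEXT PRIMARY KEY, EMAIL TEXT, FIRST_NAME TEXT, LAST_NAME TEXT);
CREATE TABLE SAKAI_REALM_RL_GR (REALM_KEY INTEGER, USER_ID TEXT);
"""

# Map rows with no SAKAI_USER row, plus how many realm grants still point at them.
ORPHAN_SQL = """
SELECT m.USER_ID, m.EID, COUNT(g.REALM_KEY)
FROM SAKAI_USER_ID_MAP m
LEFT JOIN SAKAI_USER u ON u.USER_ID = m.USER_ID
LEFT JOIN SAKAI_REALM_RL_GR g ON g.USER_ID = m.USER_ID
WHERE u.USER_ID IS NULL
GROUP BY m.USER_ID, m.EID
ORDER BY m.EID
"""

def find_orphans(conn, ldap_eids, archive):
    """Report users that neither Sakai nor LDAP can resolve any more."""
    report = []
    for user_id, eid, realm_refs in conn.execute(ORPHAN_SQL):
        if eid in ldap_eids:
            continue  # still provided by LDAP, nothing to preserve yet
        details = archive.get(eid)  # second source for name/e-mail, may be absent
        action = "create disabled sakai_user" if details else "manual lookup"
        report.append({"user_id": user_id, "eid": eid, "realm_refs": realm_refs,
                       "details": details, "action": action})
    return report

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO SAKAI_USER_ID_MAP VALUES (?, ?)", [
        ("uuid-1", "jsmith26"), ("uuid-2", "akarlsson"),
        ("uuid-3", "guest1"), ("uuid-4", "bolsen")])  # constructed sample users
    conn.execute("INSERT INTO SAKAI_USER VALUES "
                 "('uuid-3', 'guest1@example.org', 'Guest', 'One')")
    conn.executemany("INSERT INTO SAKAI_REALM_RL_GR VALUES (?, ?)",
                     [(10, "uuid-1"), (11, "uuid-1"), (10, "uuid-2")])
    ldap_eids = {"akarlsson"}  # stand-in for a live directory lookup
    archive = {"jsmith26": ("John", "Smith", "jsmith26@example.org")}
    return find_orphans(conn, ldap_eids, archive)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The report is read-only; creating and disabling the account itself is left to Sakai's own user management.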