[Using Sakai] ldap question

Steve Swinsburg steve.swinsburg at gmail.com
Tue Apr 22 15:19:14 PDT 2014


Hi Anders

No new table, add to sakai_user.

If you can take the eid and look them up elsewhere then that is probably
enough.

There should be, but there isn't. It would need to be a proc that runs and
cleans orphans. It doesn't affect much so no one has bothered.

Yes you could create a jdbc provider. That would be a good enhancement as
long as the tables and fields are configurable. A second db for users,
cool.

Cheers
Steve


sent from my mobile device
On 17/04/2014 5:22 PM, "Anders Nordkvist" <anders.nordqvist at his.se> wrote:





*From:* Steve Swinsburg [mailto:steve.swinsburg at gmail.com]
*Sent:* den 16 april 2014 14:16

*To:* Anders Nordkvist
*Cc:* sakai-user at collab.sakaiproject.org
*Subject:* Re: [Using Sakai] ldap question



Hi Steve,



A couple more stupid questions :)



Hi Anders,



What I was thinking is that you could create a sakai_user record for each
user so at least you are preserving first name/lastname/email in the system
when they drop out of LDAP. Then disable the account (2.9 feature). The
user won't be able to be added to sites and you'll have info as to who they
are when doing queries on the course data. And you could later on just
enable their account and reset their password to grant access the same as
it was before.



Here you mean that I could create a new table in mysql with first
name/lastname/email from LDAP users?



This is something I've done before, people get converted to a guest/alumni
account once they leave the university etc.



As per last email, creating that record may not be necessary if the EID is
enough for you to identify someone. So YMMV.

How do I know if the EID is enough to identify someone?



The bug still exists where users that just disappear (either from LDAP or
being deleted) that are still in a site have their realm reference left
behind and orphaned. And they are unable to be removed within the Realm UI
since the user doesn't resolve to

Is this what happens in our case, “have their realm reference left behind
and orphaned”? But we don’t remove anything, just the LDAP connection.
Shouldn’t there be an easy way to get the users back, because all information
except the LDAP info about them is still intact?





anything. Creating the sakai_user record would fix that. It's not a big deal
though, but it's a bit dirty. https://jira.sakaiproject.org/browse/SAK-7775

The Jira you refer to is closed as won't fix. I'm still wondering how I
can create this record and get the users back, if it's possible?



Basically, that is what happens when a user is removed from LDAP. They
can't login since their LDAP credentials are no longer valid, and Sakai
won't be able to resolve them in data lookups so they will essentially
disappear from the system.



If doing any of this record manipulation you'd need to be able to retrieve
details from somewhere for users that have sakai_user_id_map records but
don't have a sakai_user record and no longer exist in LDAP (maybe a second
LDAP that doesn't get cleaned up immediately, or a database or something).

We have a database with all our users but it is MSSQL and I can't find any
Sakai provider for that one. Then we have to create that, I suppose. Do you
think the users become visible if we use this MSSQL database?



cheers,

Steve







On Wed, Apr 16, 2014 at 5:44 PM, Anders Nordkvist <anders.nordqvist at his.se>
wrote:

Hi Steve, and thanks for answering. As it is now we have EID on all users
in the Sakai_user_id_map table in database. Which tables do you think I
need to create for the users and how do I do that for them to be able to be
visible in the system? Which tables are used for LDAP, and can you please
explain what happens when the user is no longer available in the AD? Many
questions :)





Regards

Anders Nordkvist

System administrator

University Of Skövde

Sweden









*From:* Steve Swinsburg [mailto:steve.swinsburg at gmail.com]
*Sent:* den 16 april 2014 00:22


*To:* Anders Nordkvist
*Cc:* sakai-user at collab.sakaiproject.org

*Subject:* RE: [Using Sakai] ldap question



If the eids are enough then maybe you don't even need the full user record
created. Up to you depending on your current data.

Cheers

sent from my mobile device

On 16/04/2014 8:20 AM, "Steve Swinsburg" <steve.swinsburg at gmail.com> wrote:

No it's just something I thought of ;)

LDAP users still get a record in the map table; maybe you could have a job
that finds orphans and creates the other part of the record (sakai_user).

Cheers
Steve

sent from my mobile device

On 15/04/2014 11:36 PM, "Anders Nordkvist" <anders.nordqvist at his.se> wrote:

Thanks for answering Steve!

That sounds like a plausible solution but how can I implement it? Is there
some webpage that describes something similar?





mvh

Anders Nordqvist

Systemadministratör

________________________

IT-avdelningen

Högskolan i Skövde

Box 408

541 28 Skövde

tfn 0500-44 81 78

e-post anders.nordqvist at his.se





*From:* Steve Swinsburg [mailto:steve.swinsburg at gmail.com]
*Sent:* den 15 april 2014 13:59
*To:* Anders Nordkvist
*Cc:* sakai-user at collab.sakaiproject.org
*Subject:* Re: [Using Sakai] ldap question



One way would be to have a process that turns that user into an internal
user, then disables their account to prevent them logging in. They can
still be removed from sites as normal.



This will allow you to continue to map the user eid (jsmith26) onto the
uuid, which is what the data is stored against, and look it up in the
database.



cheers,

Steve



On Tue, Apr 15, 2014 at 9:41 PM, Anders Nordkvist <anders.nordqvist at his.se>
wrote:

Hi everyone,



We in Skövde, Sweden, have Sakai 2.9.x and use LDAP for integrating users
into Sakai from our Active Directory. When a user quits his/her courses and
some time has passed, he or she will be removed and cannot log in to Sakai
anymore. The problem is that all data from that student's assignments
becomes unreachable because the student isn’t in the system anymore. I know
that all information is still in Sakai but you can’t get it because the
LDAP connection is broken. Does anyone know how to get to the information in
an easy way (if possible)? When I search in the assignment tables in
the database on one of the removed students I can’t find any human-readable
paths to the information; everything is stored in binary in the filesystem.
I have also looked for tables that store LDAP information in the Sakai database
(MySQL) but couldn’t find any. I suppose everything is stored in memory; if
this is the case, where can I see this?



Regards

Anders Nordkvist

System administrator

University Of Skövde

Sweden
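
The orphan-finding job suggested in the thread, reduced to its read-only detection step, as an added example that is not code from the thread or from the Sakai project. It assumes a minimal two-table schema (the table names come from the thread; the column names `user_id` and `eid`, the sample rows and the directory set are constructed), uses an in-memory SQLite database in place of MySQL, and represents the LDAP lookup as a plain set of eids.

```python
import sqlite3

def find_orphaned_eids(conn, directory_eids):
    """Return (user_id, eid) pairs that are mapped in sakai_user_id_map,
    have no sakai_user row, and no longer exist in the directory."""
    # Anti-join: provided (LDAP) users have a map row but no sakai_user row.
    rows = conn.execute(
        """
        SELECT m.user_id, m.eid
        FROM sakai_user_id_map AS m
        LEFT JOIN sakai_user AS u ON u.user_id = m.user_id
        WHERE u.user_id IS NULL
        ORDER BY m.eid
        """
    ).fetchall()
    # A missing sakai_user row alone is normal for every live LDAP user,
    # so only eids the directory can no longer resolve count as orphans.
    live = {eid.lower() for eid in directory_eids}
    return [(uid, eid) for uid, eid in rows if eid.lower() not in live]

def build_sample_db():
    """Constructed sample data; the schema is an assumed minimal subset."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sakai_user_id_map (user_id TEXT PRIMARY KEY, eid TEXT);
        CREATE TABLE sakai_user (user_id TEXT PRIMARY KEY, email TEXT,
                                 first_name TEXT, last_name TEXT);
        INSERT INTO sakai_user_id_map VALUES
            ('uuid-1', 'jsmith26'),   -- removed from the directory
            ('uuid-2', 'alee03'),     -- still in the directory
            ('uuid-3', 'guest1'),     -- internal account with a user row
            ('uuid-4', 'bkarlsson');  -- removed from the directory
        INSERT INTO sakai_user VALUES
            ('uuid-3', 'guest1@example.org', 'Guest', 'One');
        """
    )
    return conn

if __name__ == "__main__":
    # Constructed stand-in for "eids the LDAP provider still resolves".
    still_in_ldap = {"alee03"}
    for user_id, eid in find_orphaned_eids(build_sample_db(), still_in_ldap):
        print(f"{eid} ({user_id}) has course data but resolves nowhere")
```

The resulting list is what a follow-up step would need names and email addresses for, from whatever secondary source still holds them.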



