2 votes

I import references to LDAP users and groups into my database. Therefore, I need to sync these users and groups periodically.

It is clear to me how to sync these objects when the LDAP server supports a unique identifier (UID). For example, Active Directory supports the objectGUID attribute.

In this case, when a user (or group) is moved to another place in the LDAP tree and therefore its DN changes, I can still find it using the UID and update the user.

What should I do when the LDAP server does not support a UID and the DN has changed?

If I look it up using the old DN, I cannot find the user (or group) and need to remove the user.

But how can I distinguish between the use cases where a user is moved to another place in the LDAP tree (its DN is changed) and where a user is deleted from LDAP?

When it is moved, I should find it and update it to the new DN. When it is deleted, I need to remove it.

I do not know how to do this.

Can I use the username (login name) for user synchronization?

What should I use for LDAP groups?

2
Normally, I would update a reference only if I was sure there was an absolutely unique property (which may be an account or email) and that nothing in terms of access rights has changed. But how is deleting a user and allowing a new user different from moving? What are you migrating that wouldn't be recreated if it were a real new LDAP user showing up on your doorstep? For example, if someone moves departments it may be worth treating it as a delete and a new user rather than risking their continued access to resources they were reassigned away from. It really depends on what your database is.
lossleader

@lossleader, 1) If there is an absolutely unique property, I do not have a problem. Therefore, I have asked whether I can use the username. I need confirmation that it can work for all LDAP servers. 2) If someone moves departments (and their DN is changed), it should not be a new user. It should be the same user with the same personal settings. Absolutely, it should not be authorized to use the old resources. The user belongs to a new LDAP group and therefore (after group synchronization) is authorized to see the new resources. I need help: how can I synchronize a group if a UID for groups is not supported?
Michael

2 Answers

5 votes

In case you want to support multiple LDAP servers, a sensible option is to make the ID configurable, i.e. ask users for a unique attribute during deployment. This will work for you in 100% of cases if your customers use LDAP for authentication, since even if the directory server doesn't enforce unique attributes itself, they have to keep at least one of them unique manually in order to let connected systems authenticate against LDAP, as it is unlikely that you can find software that will operate normally when there are duplicates in the authentication backend.

Of course, during deployment you can suggest a default attribute that is known to be unique in a certain LDAP implementation (like samAccountName in AD) and you will hit the correct one in most cases.
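The following is an added example (not code from the question or either answer) of the reconciliation logic both the question and this answer describe: the local copy is matched against a directory snapshot on a configurable key attribute instead of on the DN, so a moved entry (same key, new DN) becomes an update, an entry whose key has disappeared becomes a delete, and a key never seen before becomes a create. The key attribute name, the `LocalRecord` shape and all directory entries are constructed for the example; the same function serves groups if you pass a group key attribute (in AD, groups also carry sAMAccountName). A DN-only comparison is included to show why the question's move-vs-delete ambiguity arises, and duplicate key values are rejected rather than silently matched, which is the check a practitioner wants because the uniqueness is enforced by convention, not by the server.

```python
"""Reconcile a local copy of LDAP users/groups against a directory snapshot.

Matching is done on a configurable unique attribute (the "key") rather than on
the DN, so a moved entry (same key, new DN) is an update, not delete + create.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class LocalRecord:
    key: str   # value of the configured unique attribute as stored locally
    dn: str    # DN recorded at the previous sync


@dataclass
class SyncPlan:
    moved: list = field(default_factory=list)      # (key, old_dn, new_dn)
    deleted: list = field(default_factory=list)    # key
    created: list = field(default_factory=list)    # (key, dn)
    unchanged: list = field(default_factory=list)  # key


def normalize_key(value: str, case_sensitive: bool) -> str:
    # sAMAccountName and uid are usually compared case-insensitively
    return value if case_sensitive else value.lower()


def reconcile(local, ldap_entries, key_attr, case_sensitive=False):
    """local: list[LocalRecord]; ldap_entries: dict of dn -> attribute dict."""
    # Index the directory by key; refuse to continue if the key is not unique,
    # because any match made on a duplicated value would be a guess.
    index = {}
    for dn, attrs in ldap_entries.items():
        if key_attr not in attrs:
            raise ValueError(f"{dn} has no {key_attr}; cannot use it as sync key")
        k = normalize_key(attrs[key_attr], case_sensitive)
        if k in index:
            raise ValueError(f"duplicate {key_attr}={attrs[key_attr]!r}: {index[k]} and {dn}")
        index[k] = dn

    plan = SyncPlan()
    seen = set()
    for rec in local:
        k = normalize_key(rec.key, case_sensitive)
        seen.add(k)
        if k not in index:
            plan.deleted.append(rec.key)            # key gone: really deleted
        elif index[k] != rec.dn:
            plan.moved.append((rec.key, rec.dn, index[k]))  # same key, new DN
        else:
            plan.unchanged.append(rec.key)
    for k, dn in index.items():
        if k not in seen:
            plan.created.append((ldap_entries[dn][key_attr], dn))
    return plan


def reconcile_by_dn(local, ldap_entries):
    """DN-only comparison: a moved entry shows up as one gone and one new."""
    local_dns = {r.dn for r in local}
    return sorted(local_dns - set(ldap_entries)), sorted(set(ldap_entries) - local_dns)


# Constructed sample: one user moved between OUs (and changed case), one
# unchanged, one deleted from the directory, one newly created.
SAMPLE_LOCAL = [
    LocalRecord("jdoe", "cn=John Doe,ou=Sales,dc=example,dc=com"),
    LocalRecord("asmith", "cn=Anne Smith,ou=Sales,dc=example,dc=com"),
    LocalRecord("bold", "cn=Bob Old,ou=Sales,dc=example,dc=com"),
]
SAMPLE_LDAP = {
    "cn=John Doe,ou=Engineering,dc=example,dc=com": {"sAMAccountName": "JDoe"},
    "cn=Anne Smith,ou=Sales,dc=example,dc=com": {"sAMAccountName": "asmith"},
    "cn=New Hire,ou=Sales,dc=example,dc=com": {"sAMAccountName": "nhire"},
}


def plan_sample():
    return reconcile(SAMPLE_LOCAL, SAMPLE_LDAP, key_attr="sAMAccountName")


def dn_only_sample():
    return reconcile_by_dn(SAMPLE_LOCAL, SAMPLE_LDAP)


if __name__ == "__main__":
    print("keyed:", plan_sample())
    print("dn-only (gone, new):", dn_only_sample())
```

Run against the sample, the keyed plan reports one move, one delete, one create and one unchanged record, while the DN-only comparison reports two entries gone and two new, which is exactly the ambiguity the question describes. The key attribute is a parameter, so the deployment-time choice this answer recommends is a configuration value rather than a code change.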

0 votes

LDAP supports uid in several schemas. You haven't told us which one you're using, or what object class you're using for users. I use inetOrgPerson, which supports a uid, and I use that to tie the LDAP user to the database user.