LDAP Sync

taliesin - August 24, 2007 - 16:36
Project: LDAP integration
Version: 5.x-2.x-dev
Component: Code
Category: feature request
Priority: normal
Assigned: Unassigned
Status: active
Description

I've looked through the support and project documentation, and this seems to be a new feature request - although it's similar to this one:

http://drupal.org/node/78496

The above request talks about having an admin be able to create a user on an individual basis and pulling details from LDAP while doing so. I'd like to be able to do this in bulk. At my organization, we've got a few hundred users within our Active Directory, and I want to be able to do the following:

  1. Do a bulk import of all users. After having set up the proper LDAP settings so that users can log in and have an account created for them automatically (which works like a charm for me, thanks!) I'd want to be able to go to an admin page and spawn a process that scans through all of the available OUs and creates Drupal accounts for every user account it finds. On an individual basis, each account should simply have the same process happen that occurs when an individual user logs in for the first time. (I haven't dug into the code too much yet, so I'm not sure exactly what this process entails. Hopefully it's password-agnostic.)
  2. Set up a cron-based sync event. The initial import is only half the issue; there'd have to be a mechanism to synchronize the two account lists. My initial thought is to have a cron job run which scans through the LDAP, and for each user account it finds, update or create the corresponding Drupal account if necessary. Then, of course, it'd have to remove (or maybe just disable) any Drupal accounts which claimed to be LDAP accounts but had no corresponding account on the LDAP server.

Come to think of it... #1 can just be a user spawned occurrence of #2.

My gut response to the issue would be to create a 4th module that's included in the LDAP Integration package called "LDAP Synchronization" or something similar which had its own config page where you could enable or disable this feature, control its inclusion in cron, configure accounts or OUs to ignore, and perform any other appropriate configuration tasks. This may not be the best approach, though - maybe it's logically more appropriate to include it in one of the 3 existing modules.

The end goal is to be able to create the entire user list all at once so that each user object is available for inclusion in automatically created directories and I can perform admin tasks on the users without having to wait for them to log in first. If there are other mechanisms available for this - I haven't found them yet.

I'm pretty new to PHP and Drupal development, but I'm willing to do what I can. We all have to start somewhere, so I may as well try to learn about how to develop Drupal modules by working on one, right?
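
A sketch of the create/update/disable reconciliation described in steps 1 and 2, added here as an illustration and not code from the LDAP Integration project: the function names, the in-memory LDAP entries and local accounts, and the `ldap` flag standing in for an authmap row are all assumptions. It ignores configured OUs, only ever disables (never deletes) accounts that claim to be LDAP accounts, and leaves native Drupal accounts alone.

```php
<?php
// Hypothetical reconciliation step for a cron-driven "ldapsync" job.
// Sample data is constructed in memory; no Drupal API is called.

function ldapsync_parent_ou(string $dn): string {
    // Parent container of a DN, e.g. "OU=Staff,DC=example,DC=com".
    $parts = explode(',', $dn, 2);
    return $parts[1] ?? '';
}

function ldapsync_plan(array $ldap_entries, array $local_accounts, array $ignored_ous): array {
    $plan = ['create' => [], 'update' => [], 'disable' => []];
    $seen = [];
    foreach ($ldap_entries as $entry) {
        $name = strtolower($entry['sAMAccountName']);   // AD logins are case-insensitive
        $seen[$name] = true;                            // still in LDAP: never disable
        if (in_array(ldapsync_parent_ou($entry['dn']), $ignored_ous, true)) {
            continue;                                   // ignored OU: leave untouched
        }
        if (!isset($local_accounts[$name])) {
            $plan['create'][] = $name;                  // same path as a first login
        } elseif (!$local_accounts[$name]['status'] || $local_accounts[$name]['mail'] !== $entry['mail']) {
            $plan['update'][] = $name;                  // refresh attributes, re-enable
        }
    }
    foreach ($local_accounts as $name => $acct) {
        // Only accounts that claim to be LDAP accounts are disabled (not deleted),
        // so native Drupal accounts such as the site admin are never touched.
        if ($acct['ldap'] && $acct['status'] && !isset($seen[$name])) {
            $plan['disable'][] = $name;
        }
    }
    return $plan;
}

// Constructed sample data.
$ldap = [
    ['dn' => 'CN=Alice,OU=Staff,DC=example,DC=com',    'sAMAccountName' => 'alice',  'mail' => 'alice@example.com'],
    ['dn' => 'CN=Bob,OU=Staff,DC=example,DC=com',      'sAMAccountName' => 'Bob',    'mail' => 'bob@example.com'],
    ['dn' => 'CN=Backup,OU=Service,DC=example,DC=com', 'sAMAccountName' => 'backup', 'mail' => ''],
];
$local = [
    'bob'   => ['mail' => 'old@example.com',   'status' => 1, 'ldap' => true],  // stale mail: update
    'carol' => ['mail' => 'carol@example.com', 'status' => 1, 'ldap' => true],  // gone from LDAP: disable
    'admin' => ['mail' => 'admin@example.com', 'status' => 1, 'ldap' => false], // native account: untouched
];
print_r(ldapsync_plan($ldap, $local, ['OU=Service,DC=example,DC=com']));
```

Running it yields a plan that creates alice, updates bob, disables carol, and skips both the service account in the ignored OU and the native admin account.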

#1

jonhattan - September 19, 2007 - 11:28

As a workaround, you could set ldapauth to store LDAP passwords in Drupal and then, after a first login, remove users from the authmap database table. From this point on, users will 'natively' authenticate against Drupal.

#2

kassissieh - March 2, 2009 - 21:05

I am also interested in this feature and willing to help write it. Did you ever make progress on this project? I agree with every aspect of your plan, including making it a fourth module in the LDAP modules group. This would be really helpful to allow LDAP users to have the appropriate permissions the first time they log in.

#3

roball - March 2, 2009 - 21:21
Version:5.x-2.x-dev» 6.x-1.x-dev

This is also what I am missing most from the LDAP modules. miglius also said it would be useful at issue #367692: synchronizing users from LDAP to Drupal (reply #6).

#4

rmiddle - March 2, 2009 - 21:20
Version:6.x-1.x-dev» 5.x-2.x-dev

I would have loved to have had the feature at one point, for 2 reasons. 1) I wanted a way to allow users to search the directory for account info. That I fixed with http://drupal.org/project/ldapdirectory. The 2nd is, as you said, you have to wait for someone to log in before you can make a manual change to the account. I fixed that by simply not making manual changes to accounts. All management I do is in roles and AD.

Thanks
Robert

#5

roball - March 7, 2009 - 23:48

kassissieh has now started to create a "ldapsync" module. First information is available at #394220: $_ldapauth_ldap object. Maybe there will be a place where his progress could be followed. Thanks kassissieh!

#6

kassissieh - March 9, 2009 - 22:21

Task issue created at http://drupal.org/node/396574

#7

crabcakes - October 14, 2009 - 15:34

subscribed
