Posted by wvd_vegt on October 16, 2008 at 10:54am
| Project: | LDAP integration |
| Version: | 6.x-1.x-dev |
| Component: | User interface |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Hi,
Could anyone add a menu item to both ldap_data and ldap_groups to update profile & group data for all AD authenticated users? We're in the process of migrating from pure Drupal to mixed mode and can change user to switch but their profiles are not updated somehow. Also when there is a major change in AD data this option would be handy.
--
wvd_vegt
Comments
#1
User profile syncing with ldap entry happens on the user login. So when the user will log in for the first time, his profile data will be pulled from the ldap server.
#2
Hi,
That's mainly my point: When I bulk create users I cannot 'already' pull the ldap data.
#3
Hi,
Wrote the following patch. It will update all matching accounts if ldap_authentified is set in the user data, and also tries to retrieve the DN for users that did not log in already. I already used it to retrieve the ldap data of 100+ users before they logged in (so the user view with profile data is already pre-filled).
What is still missing is the same option for ldap_groups.
For those interested, the OutputDebugString() calls use a PHP extension I wrote for Wamp servers that allows you to dump text to a debug window like Sysinternals DbgView. It will allow one to see what is going on inside Drupal code without interrupting page layout or polluting the logging database.
In ldapdata_admin_edit() (ldapdata.admin.inc):
else {
  drupal_goto('admin/settings/ldap/ldapdata');
}
changed into:
//veg: 16-10-2008 added
elseif ($op == "updateall" && $sid) {
  $form['sid'] = array(
    '#type' => 'value',
    '#value' => $sid,
  );
  //OutputDebugString('updateall','info');
  return confirm_form(
    $form,
    t('Are you sure you want to update all profile fields ?'),
    'admin/settings/ldap/ldapdata',
    t('<em>This action cannot be undone.</em>'),
    t('Updateall'),
    t('Cancel')
  );
}
else {
  drupal_goto('admin/settings/ldap/ldapdata');
}
In ldapdata_admin_list() (ldapdata.admin.inc):
while ($row = db_fetch_object($result)) {
  $rows[] = array(
    $row->name,
    l(t('edit'), 'admin/settings/ldap/ldapdata/edit/'. $row->sid),
    l(t('reset'), 'admin/settings/ldap/ldapdata/reset/'. $row->sid),
  );
}
$header = array(
  t('LDAP Config'),
  array('data' => t('Operations'), 'colspan' => 2),
);
changed into:
while ($row = db_fetch_object($result)) {
  $rows[] = array(
    $row->name,
    l(t('edit'), 'admin/settings/ldap/ldapdata/edit/'. $row->sid),
    l(t('reset'), 'admin/settings/ldap/ldapdata/reset/'. $row->sid),
    l(t('update all'), 'admin/settings/ldap/ldapdata/updateall/'. $row->sid), //veg
  );
}
$header = array(
  t('LDAP Config'),
  array('data' => t('Operations'), 'colspan' => 3), //veg
);
Added the following case to ldapdata_admin_edit_submit() (ldapdata.admin.inc):
//veg: 16-10-2008 Added to update all LDAP data and retrieve from other (matching) users where necessary.
case t('Updateall'):
  if ($values['confirm'] == 1) {
    $uids = db_query("SELECT u.uid, u.name FROM {users} u ORDER BY u.uid");
    while ($u = db_fetch_object($uids)) {
      //Skip Anonymous and Administrator
      if ($u->uid == 0 || $u->uid == 1) {
        continue;
      }
      $tmpuser = user_load(array('uid' => $u->uid));
      if (isset($tmpuser->ldap_authentified)) {
        if (isset($tmpuser->ldap_dn)) {
          _ldapdata_user_profile_load($tmpuser);
        } else {
          if (_ldapdata_init($tmpuser, $values['sid'])) {
            $dn = ldapauth_login2dn($tmpuser->name, $values['sid']);
            if (isset($dn)) {
              //OutputDebugString('Found DN ('.$tmpuser->name.'): '.$dn, 'info');
              //veg: Add LDAP info... and save it...
              $tmpuser = user_save($tmpuser, array('ldap_dn' => $dn, 'ldap_config' => $values['sid']));
              _ldapdata_user_profile_load($tmpuser);
              //OutputDebugString(var_export($tmpuser, TRUE),'info');
            }
            _ldapdata_user_login($tmpuser);
          }
        }
        //OutputDebugString("Updating profile for : ".$u->name. " [" . $u->uid . "]", 'info');
      }
    }
    drupal_set_message(t('The user accounts have been updated.'));
  }
  $form_state['redirect'] = 'admin/settings/ldap/ldapdata';
  break;
}
In ldapauth.module added:
//veg: 16-10-2008 made public
function ldapauth_login2dn($name, $sid) {
  _ldapauth_init($sid);
  return _ldapauth_login2dn($name);
}
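An added example, not part of the original comment or of the ldap_integration code: a stand-alone PHP dry run of the selection logic in the patch above, listing what a bulk update would do per account before anything is written. The account rows, the directory array and the `$lookup_dn` closure are constructed stand-ins, and unlike the patch, an account with no matching directory entry is flagged for review.

```php
<?php
// Constructed, assumption-based example: no Drupal or LDAP calls are made.

/**
 * Decide, per account, what a bulk LDAP profile update would do.
 *
 * @param array    $accounts  Rows with uid, name, optional ldap_authentified / ldap_dn.
 * @param callable $lookup_dn Hypothetical stand-in for a login-to-DN lookup;
 *                            returns a DN string, or NULL when no entry matches.
 */
function plan_ldap_bulk_update(array $accounts, callable $lookup_dn): array {
  $plan = array();
  foreach ($accounts as $a) {
    $uid = (int) $a['uid'];
    if ($uid === 0 || $uid === 1) {
      $plan[$uid] = 'skip: anonymous or administrator';
    }
    elseif (empty($a['ldap_authentified'])) {
      $plan[$uid] = 'skip: local account, not LDAP authenticated';
    }
    elseif (!empty($a['ldap_dn'])) {
      $plan[$uid] = 'refresh profile from ' . $a['ldap_dn'];
    }
    else {
      // Account was bulk created and has never logged in: resolve the DN first.
      $dn = $lookup_dn($a['name']);
      $plan[$uid] = (is_string($dn) && $dn !== '')
        ? 'store DN ' . $dn . ', then refresh profile'
        : 'review: no directory entry for ' . $a['name'];
    }
  }
  return $plan;
}

// Constructed sample accounts and directory.
$accounts = array(
  array('uid' => 0, 'name' => ''),
  array('uid' => 1, 'name' => 'admin'),
  array('uid' => 2, 'name' => 'alice', 'ldap_authentified' => TRUE,
        'ldap_dn' => 'cn=alice,ou=staff,dc=example,dc=org'),
  array('uid' => 3, 'name' => 'bob', 'ldap_authentified' => TRUE),
  array('uid' => 4, 'name' => 'carol', 'ldap_authentified' => TRUE),
  array('uid' => 5, 'name' => 'dave'),
);
$directory = array('bob' => 'cn=bob,ou=staff,dc=example,dc=org');
$lookup_dn = function ($name) use ($directory) {
  return isset($directory[$name]) ? $directory[$name] : NULL;
};
foreach (plan_ldap_bulk_update($accounts, $lookup_dn) as $uid => $action) {
  echo $uid . ': ' . $action . PHP_EOL;
}
```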
#4
Maybe #396574: LDAPsync component might do that?
#5
Hi,
Not quite (although a VERY interesting & promising add-on).
The patch I proposed updates all the existing users' profiles with ldap data (we had to do some cleaning up in the ldapdata module, which seemed the best place). Then we noticed that, although ldapauth retrieves data very often, it only does this for logged in users. Because of some inconsistencies in the ldap data we have to do some mopping up of group mapping and blocking some people who left the department but are still in the directory.
Basically we're happy with the generate a user at first login but want to be able to force updates of existing ones. If the LDAPSync were to provide some configuration options to skip new users (not all of our ldap users are allowed to login) or present a checkable list of new users found before adding them, I could surely use it! Another useful option would be a button to update a single user (I now force that by filtering on a UserId in the patch I provided).
As a separate module it would release me from applying the patch every time.
#6
I think that the sync module could be extended with the functionality you need. I would prefer all sync'ing of offline users to be handled by the separate module rather than moving part of functionality to the ldapdata.
Could you describe what you are looking for in the #396574: LDAPsync component issue?
#7
I can't seem to get this working with the latest stable beta of ldap_integration 6.x.
When I click "update all" I don't get the confirm form - just seems like nothing happens. Ideas?
#8
Hi,
Created a (separate) small module that updates all existing LDAP authenticated users with the latest ldap data (or in our case, pulls it through the filters where we mop-up and correct some stale data).
My first version used '_ldapdata_user_load' but as that is private it needed a small patch in ldapdata.module to make it public.
The attached version used the public ldapdata_user with the 'form' opcode that calls '_ldapdata_user_load' including the wanted $sync=TRUE parameter value.
Maybe it could be added to the ldap_integration module.
#9
Is this able to bulk update groups from LDAP as well? Basically resetting membership?
#10
Sounds like you guys want ldapsync (now committed to HEAD) but with an additional option of only synchronizing existing users (which sounds like a useful option).
There's a patch that adds on ldap data syncing (#867356: ldapsync - synchronize accounts ldapdata as well) and it already does ldap groups syncing.
@wvd_vegt: I think you can manually force an update on a single user by just clicking edit and then re-saving their account. It works for us at least.