Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
There should be an option to automatically update Drupal user information with data from LDAP. Ideally, the Queue API used and frequency optional.
Would simply resaving every LDAP user account work? Is something else required or is there a better method?
Yes, I know, patches are accepted. I'm willing (and may find time) to write the patch, but want some direction first.
Comments
Comment #1
ShaunDychko CreditAttribution: ShaunDychko commentedDoesn't cron take care of this? The number of users to check is configured at /admin/config/people/ldap/user
Comment #2
13rac1 CreditAttribution: 13rac1 commentedldap_user_cron() doesn't: http://drupalcode.org/project/ldap.git/blob/refs/heads/7.x-2.x:/ldap_use...
ldap_servers_cron() doesn't: http://drupalcode.org/project/ldap.git/blob/refs/heads/7.x-2.x:/ldap_ser...
Comment #3
13rac1 CreditAttribution: 13rac1 commentedThe existing code checks for users deleted from LDAP, but it doesn't update existing user data.
Comment #4
johnbarclay CreditAttribution: johnbarclay commentedSimply resaving would work when service accounts are used for binding to ldap. Ldap feeds would be a more appropriate way to do this. I believe this should wait for 8.x version if its implemented in ldap_user.
Comment #5
13rac1 CreditAttribution: 13rac1 commentedHow would it work in LDAP Feeds? I'm willing to write this. Putting it in LDAP user is the only place it made sense though. Add everyone once a week (adjustable) to the cron queue to be resaved.
Comment #6
vgalindus CreditAttribution: vgalindus commentedHi john, what is the status for that issue? why do you think it should be implemented in ldap feeds instead of ldap_user, to me it looks more logic to place it in ldap_user since it reduces the number of dependencies (ldap query, ldap feeds).
We are considering to implement this feature to reduce log in times.
\BR
Comment #7
mausolos CreditAttribution: mausolos commentedI wrote a simple function that we will trigger either with a button click in an admin panel or call with a cron job.
It adds or syncs all Drupal accounts against AD via LDAP, and it saves the usernames it extracts from LDAP into an array as it goes.
Then, if you initiate the function with
$drupal_sync = TRUE
, it does a query of all drupal users with the LDAP role (all users created in Drupal via LDAP are assigned the LDAP role) and puts those into a second, simple array.Finally, a third array is created via array_diff(), and the resulting array is iterated through, cancelling the Drupal accounts in the process.
The function also allows you to tell it whether it's called via cron or not, and generates results output accordingly.
I'm putting some finishing details on it, but I'll consider sharing it when I'm done, if you're interested.
Comment #8
zanixI would like to see your solution mausolos
Comment #9
mausolos CreditAttribution: mausolos commentedNOTES:
- This is pretty slow and takes a lot of memory. It could probably be optimized. I would LOVE it if people pointed out things I could/should do different or better. Thank you in advance!
- Some of our fields need additional processing. For these, you can write another function and pass $user_final to it, extract, modify and save them using entity_metadata_wrapper technique:
- Some of our fields are specifically formatted in DN format. To break the useful data out, we employ a function similar to the one described here, by Renoir Boulanger: http://www.php.net/manual/en/function.ldap-explode-dn.php
- We plan to optimize this by adding the "whenchanged" attribute (might be different in your system). This would allow us to patrol/synch a much more limited set of users, and thus increase performance. It's not perfect.
- I have not finished full unit testing, use at your own risk and only on a dev system!!!
Comment #10
johnbarclay CreditAttribution: johnbarclay commented@#6. The rationale for using feeds is basically this:
Its a generic integration tool for synching A to B with a good architecture of hooks and the ability to deal with a variety of field types. By using a more generic, heavily used tool we don't have to deal with all the use cases that are not specific to ldap (eg. binary fields, cron and batch processes, etc.) If every drupal integration module wrote their own synching interface for their particular data source it would be a big mess. And thats only if we consider integration between drupal and other data sources. When you get into permutations of other data sources it gets even messier.
Take a look at feeds and its architecture and give it a try. Once you get used to it, you'll find its a much better model that recreating the wheel. With features/exportables you can make feeds a dependency and create the feature (specific configuration) for the end user rather than creating whole new integration modules.
Comment #11
13rac1 CreditAttribution: 13rac1 commented@johnbarclay Thanks John.
I've made a staff directory (View with images and exposed filters) and Feeds seems to be handling the user import correctly. Users are connecting to their account when logged in and all of the data is there. The only frustrating part is that I think I'll need to map all of the user fields twice. Once in LDAP Users and once in Feeds, so both can check for user data changes. It's not really a problem though. Once you set it up it... it's done. If don't have many users, you could also "Skip hash check" in Feeds to update every user on cron.
Can someone else try this method? Maybe we can just write some docs and close this issue...
Comment #12
larowlanNo update in > 12 months, no patches - closing