gosa-project / gosa-plugins-schoolmanager

GOsa Add-On for Managing Schools
GNU General Public License v2.0

New Account Archiving Feature #14

Open sunweaver opened 6 years ago

sunweaver commented 6 years ago

We are planning a new account archiving feature for the SM plugin.

The admin uploads a list of teachers or students that reflects the current list of active users. The admin can select various parameters (Base DN of users to be archived / matched, matching attributes, CSV style, etc.)

The account archiving tool shall then:

  1. Select to-be-archived users
    • present a list of to-be-archived users. This is the diff between what is in LDAP and what is in the CSV file. Users shall be listed line by line, each user line has a tickbox at the beginning
    • the header of this list has a tickbox where one can tick / untick all boxes
    • the admin can then select / deselect users, those that are selected will be archived
  2. the archiving process
    • at the beginning of the archiving tool, we need to query the sub-BaseDN in LDAP where to move the archived accounts
    • in this archiving sub-DN, we create a ou=archived-20180905 (date, sortable in alpha-num order)
    • into ou=people,ou=archived-20180905 we move the user accounts
    • into ou=group,ou=archived-20180905 (not sure, if it is group or groups), we move their primary groups (if they exist)
    • we disable (lock) the accounts (GOsa has an API)
    • we remove the accounts' uids from all POSIX groups
    • we try to find matching groupOfNames objects named parents_
    • we remove the DNs listed in these parents_ groups
    • we remove the parents_ groups themselves
    • we rename the uids of the archived account to something uid=archived-20180905-
    • we rename the primary group to cn=archived-2018-0905-
  3. hooks for home directory processing
    • we need to be able to have an impact on home directory archiving / removal
    • this could be via a flag in the LDAP object
    • this could be via the LDAP object's renamed uid (preferred)
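
The selection step and the archiving steps listed above, as an added worked example (this is not code from the GOsa schoolmanager plugin or from this issue): a Python dry-run planner that reads the uploaded CSV, diffs it against LDAP, and emits the ordered list of directory operations an implementation would have to apply. Everything here is an assumption or constructed sample data: the in-memory `User` / `PosixGroup` / `GroupOfNames` stand-ins, the `dc=example,dc=org` tree, the `(operation, dn, detail)` plan format, the `archived-<date>-<uid>` suffix used for both the renamed uid and the renamed primary-group cn, the rule that the parents group of uid X is the groupOfNames `cn=parents_X`, and the rule that a primary group is only moved when no user that stays active still uses its gidNumber. No LDAP connection is made; the point is that the plan renames the uid and moves the entry while leaving uidNumber untouched, strips memberUid from all POSIX groups, and deletes the parents entries before their group.

```python
import csv
import io
from dataclasses import dataclass, field


# In-memory stand-ins for the LDAP entries the tool would read (constructed
# sample data; no directory connection is made anywhere in this example).
@dataclass
class User:
    dn: str
    uid: str
    uid_number: int   # never touched by the plan: only the uid (login) is freed
    gid_number: int


@dataclass
class PosixGroup:
    dn: str
    cn: str
    gid_number: int
    member_uids: list = field(default_factory=list)


@dataclass
class GroupOfNames:
    dn: str
    cn: str
    members: list = field(default_factory=list)   # member DNs (the parents)


def active_uids_from_csv(csv_text, uid_column="uid"):
    """Uids present in the uploaded CSV of currently active users."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[uid_column].strip() for row in reader if row.get(uid_column)}


def select_to_be_archived(ldap_users, active_uids):
    """Step 1: users that exist in LDAP but not in the CSV, in stable order."""
    return sorted((u for u in ldap_users if u.uid not in active_uids),
                  key=lambda u: u.uid)


def plan_archiving(to_archive, all_users, posix_groups, parent_groups,
                   archive_base, date_stamp):
    """Step 2 as an ordered list of (operation, dn, detail) tuples.
    Only computed here; a caller would apply it through the directory API
    and could show it to the admin for review before anything is changed."""
    ou = f"ou=archived-{date_stamp},{archive_base}"
    people_ou, group_ou = f"ou=people,{ou}", f"ou=group,{ou}"
    plan = [("add", dn, {"objectClass": ["organizationalUnit"]})
            for dn in (ou, people_ou, group_ou)]
    archived_uids = {u.uid for u in to_archive}
    archived_gids = {u.gid_number for u in to_archive}
    # Assumption: a primary group is moved only if no active user still uses it.
    gids_still_in_use = {u.gid_number for u in all_users
                         if u.uid not in archived_uids}
    # Move and rename the account in one moddn, then lock it. uidNumber stays.
    for u in to_archive:
        new_rdn = f"uid=archived-{date_stamp}-{u.uid}"
        plan.append(("moddn", u.dn, {"newrdn": new_rdn, "newsuperior": people_ou}))
        plan.append(("lock", f"{new_rdn},{people_ou}", {}))
    # Drop the archived logins from every POSIX group's memberUid.
    for g in posix_groups:
        for uid in g.member_uids:
            if uid in archived_uids:
                plan.append(("delete_value", g.dn, {"memberUid": uid}))
    # Move and rename primary groups that belong only to archived users.
    for g in posix_groups:
        if g.gid_number in archived_gids and g.gid_number not in gids_still_in_use:
            plan.append(("moddn", g.dn, {"newrdn": f"cn=archived-{date_stamp}-{g.cn}",
                                         "newsuperior": group_ou}))
    # Assumed naming rule: the parents group of uid X is the groupOfNames
    # cn=parents_X. Its member entries are deleted first, then the group.
    parents_by_cn = {g.cn: g for g in parent_groups}
    for u in to_archive:
        pg = parents_by_cn.get(f"parents_{u.uid}")
        if pg is not None:
            plan.extend(("delete", member_dn, {}) for member_dn in pg.members)
            plan.append(("delete", pg.dn, {}))
    return plan


BASE = "dc=example,dc=org"                       # constructed tree
SAMPLE_CSV = "uid,sn\nalice,Anders\ncarol,Clark\n"  # bob is missing -> archived
SAMPLE_USERS = [
    User(f"uid=alice,ou=people,ou=students,{BASE}", "alice", 10001, 10001),
    User(f"uid=bob,ou=people,ou=students,{BASE}", "bob", 10002, 10002),
    User(f"uid=carol,ou=people,ou=students,{BASE}", "carol", 10003, 10003),
]
SAMPLE_POSIX_GROUPS = [
    PosixGroup(f"cn=alice,ou=group,ou=students,{BASE}", "alice", 10001, ["alice"]),
    PosixGroup(f"cn=bob,ou=group,ou=students,{BASE}", "bob", 10002, ["bob"]),
    PosixGroup(f"cn=class-7a,ou=group,ou=students,{BASE}", "class-7a", 20001, ["alice", "bob"]),
]
SAMPLE_PARENT_GROUPS = [
    GroupOfNames(f"cn=parents_bob,ou=group,ou=students,{BASE}", "parents_bob",
                 [f"cn=Pat Parent,ou=parents,{BASE}"]),
]


def run_example():
    users = select_to_be_archived(SAMPLE_USERS, active_uids_from_csv(SAMPLE_CSV))
    return plan_archiving(users, SAMPLE_USERS, SAMPLE_POSIX_GROUPS,
                          SAMPLE_PARENT_GROUPS, f"ou=archive,{BASE}", "20180905")


if __name__ == "__main__":
    for op, dn, detail in run_example():
        print(f"{op:13} {dn}  {detail}")
```

Emitting a plan instead of writing to LDAP directly is the design choice worth copying: the admin's tickbox review from step 1 can be shown against this exact list, and a failed run leaves a readable record of which operation it stopped at.
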

dzatoah commented 6 years ago

Hey, I have a few questions regarding this issue post. First of all, what do DN and OU mean? And what do you mean by "... find matching groupOfNames objects named parents_"? Why rename the archived accounts and groups to such cryptic strings? Wouldn't they conflict if each account has the same uid? Why not something like this: "uid=%UID%-archived-20180905-%RDM-Number%"? There would only be a very small chance that the accounts conflict. The same with the primary groups. Will the parents' accounts be deleted or just renamed and moved like the main acc.?

Thank you! I hope you can answer my questions ^^

sunweaver commented 6 years ago

Hi Daniel,

On Mo 10 Sep 2018 21:30:19 CEST, Daniel wrote:

> Hey, I have a few questions regarding this issue post. First of all, what do DN and OU mean?

DN -> Distinguished Name. It is, so to say, the full path of LDAP
objects in an LDAP tree.

OU -> OrganizationalUnit. Normally a container in LDAP where other
LDAP objects or other sub-containers can rest in (the comparison is
bad, but think of it as a directory in a file system tree).

> And what do you mean by "... find matching groupOfNames objects
> named parents_"?

We have two different group types in LDAP:

> Why rename the archived accounts and groups to such cryptic strings?

> Wouldn't they conflict if each account has the same uid?

The important bit is: we don't free the uidNumbers (the number of the
user account). We only free the uid (the login name). The login name can then be reused with a new
uidNumber. On the file system level we will then always be able to identify files from old/archived users.

> Why not something like this: "uid=%UID%-archived-20180905-%RDM-Number%"?

I am not sure what %RDM-Number% is, but it sounds good.

> There would only be a very small chance that the accounts conflict.

Yes.

> The same with the primary groups.

Oh, yes. The primary groups need to be renamed, too.

> Will the parents' accounts be deleted or just renamed and moved like
> the main acc.?

I'd say that we delete them. They can be reimported if needed (e.g.
when younger enter the school) and we don't want to store non-school
mail addresses longer than needed (to be more compliant with the new
GDPR (DSGVO)).

> Thank you! I hope you can answer my questions ^^

Thanks for placing your questions! If anything stayed unclear, please ask.

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de