From 3bd82927dcd0a183a05d85e7edb7d420108c6a63 Mon Sep 17 00:00:00 2001 From: Tim Abbott Date: Fri, 18 Jul 2025 14:32:51 -0700 Subject: [PATCH] ldap: Improve unique_account_id defaults and docs. Some installations will change `dn` when a user marries, and also for Active Directory and various other LDAP providers I've checked, there's often a better value to use. --- docs/overview/changelog.md | 1 - docs/production/authentication-methods.md | 11 ++++++++--- zproject/prod_settings_template.py | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/overview/changelog.md b/docs/overview/changelog.md index 415a1d6cbc..06a52456c8 100644 --- a/docs/overview/changelog.md +++ b/docs/overview/changelog.md @@ -182,7 +182,6 @@ _Released 2025-07-17_ enabling the new `unique_account_id` setting for automatically handling [email address changes](../production/authentication-methods.md#synchronizing-email-addresses). - This setting is the default for new installations. - Zulip's incoming email integration was simplified to no longer use `postfix`. Installations using the integration will automatically uninstall `postfix` when upgraded. diff --git a/docs/production/authentication-methods.md b/docs/production/authentication-methods.md index c892f1ca3f..d8234becfb 100644 --- a/docs/production/authentication-methods.md +++ b/docs/production/authentication-methods.md 
@@ -274,9 +274,14 @@ groups. To configure this feature: Zulip 11.0+ supports automatically handling changes in email address for most LDAP installations. All you need to do is set the `unique_account_id` field in `AUTH_LDAP_USER_ATTR_MAP` to a **stable -unique identifier** for the account, such as the LDAP Distinguished -Name (DN). The `unique_account_id` field defaults to the `dn` for new -installations. +unique identifier** for the account. If your LDAP server has a policy +of never changing the Distinguished Name (`dn`) for a user, you can +use that. But it's worth checking if your LDAP provider offers a UUID +that is guaranteed to map to a unique user account. + +For Active Directory installations, the immutable Security Identifier +[`objectSid`](https://ldapwiki.com/wiki/Wiki.jsp?page=Security%20Identifier) +is recommended. :::{note} diff --git a/zproject/prod_settings_template.py b/zproject/prod_settings_template.py index 013dd28497..f05c1694fd 100644 --- a/zproject/prod_settings_template.py +++ b/zproject/prod_settings_template.py @@ -244,7 +244,7 @@ AUTH_LDAP_USER_ATTR_MAP = { ## A stable unique identifier for a user allows Zulip to ## automatically handle email address changes. ## See https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#identifying-user-accounts-via-a-unique-ldap-attribute - "unique_account_id": "dn", + # "unique_account_id": "objectSid", ## ## Profile pictures can be pulled from the LDAP "thumbnailPhoto"/"jpegPhoto" field. # "avatar": "thumbnailPhoto",
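Review bot: the changelog hunk (docs/overview/changelog.md) silently drops "This setting is the default for new installations" from an entry marked `_Released 2025-07-17_`, but this patch is dated 2025-07-18, so 11.0 already shipped with `"unique_account_id": "dn"` uncommented in `prod_settings_template.py`. Installations set up from that release have `dn` configured, and the changelog should say so rather than remove the sentence; something like "Installations set up with 11.0 before this change have `unique_account_id` set to `dn`; review that setting if your LDAP server can change a user's DN" keeps the history accurate for upgraders.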
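Review bot: in the authentication-methods.md hunk the new text tells the reader to check whether the provider "offers a UUID that is guaranteed to map to a unique user account" and then recommends `objectSid`, which the same paragraph calls a Security Identifier, not a UUID; say "a stable unique-identifier attribute" in the first sentence so the two sentences agree. The hunk also does not say what happens when the configured attribute later changes or is absent for a user, which is the whole reason the paragraph warns against a mutable `dn`; one sentence on the observable behaviour in that case (the account is no longer matched, and how the admin recovers) would make the choice of attribute an informed one. Finally, "immutable" is asserted for `objectSid` without the qualification the paragraph gives for `dn` ("if your LDAP server has a policy of never changing"); consider the same hedge, since the docs cannot know every deployment's directory topology.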
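Review bot: in the prod_settings_template.py hunk the replacement example `# "unique_account_id": "objectSid",` is Active Directory specific, but the `##` comment block above it only says "A stable unique identifier for a user allows Zulip to automatically handle email address changes" and points at the docs; an administrator on OpenLDAP or another directory who uncomments the example as-is gets an attribute their server does not have. Add a comment line such as `## "objectSid" is for Active Directory; for other LDAP servers pick the attribute your directory guarantees is stable and unique.` so the template is self-explanatory, and note that with the line now commented out new installations no longer get email-change handling unless the admin opts in, which is what the changelog hunk in this same patch reflects.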