ldap: Improve unique_account_id defaults and docs.

Some installations will change `dn` when a user marries, and also for
Active Directory and various other LDAP providers I've checked,
there's often a better value to use.
Tim Abbott
2025-07-18 14:32:51 -07:00
parent eaf4970215
commit 3bd82927dc
3 changed files with 9 additions and 5 deletions


@@ -182,7 +182,6 @@ _Released 2025-07-17_
enabling the new `unique_account_id` setting for automatically enabling the new `unique_account_id` setting for automatically
handling [email address handling [email address
changes](../production/authentication-methods.md#synchronizing-email-addresses). changes](../production/authentication-methods.md#synchronizing-email-addresses).
This setting is the default for new installations.
- Zulip's incoming email integration was simplified to no longer use - Zulip's incoming email integration was simplified to no longer use
`postfix`. Installations using the integration will automatically `postfix`. Installations using the integration will automatically
uninstall `postfix` when upgraded. uninstall `postfix` when upgraded.
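Review bot: Dropping "This setting is the default for new installations." from a release section that is already marked `_Released 2025-07-17_` leaves a gap for anyone who installed from the earlier template, which wrote `"unique_account_id": "dn"` into their settings: the changelog should say that the template no longer enables the setting by default and that installations created before this change should review the value they were given, since the same docs now steer users away from `dn` where it can change.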


@@ -274,9 +274,14 @@ groups. To configure this feature:
Zulip 11.0+ supports automatically handling changes in email address Zulip 11.0+ supports automatically handling changes in email address
for most LDAP installations. All you need to do is set the for most LDAP installations. All you need to do is set the
`unique_account_id` field in `AUTH_LDAP_USER_ATTR_MAP` to a **stable `unique_account_id` field in `AUTH_LDAP_USER_ATTR_MAP` to a **stable
unique identifier** for the account, such as the LDAP Distinguished unique identifier** for the account. If your LDAP server has a policy
Name (DN). The `unique_account_id` field defaults to the `dn` for new of never changing the Distinguished Name (`dn`) for a user, you can
installations. use that. But it's worth checking if your LDAP provider offers a UUID
that is guaranteed to map to a unique user account.
For Active Directory installations, the immutable Security Identifier
[`objectSid`](https://ldapwiki.com/wiki/Wiki.jsp?page=Security%20Identifier)
is recommended.
:::{note} :::{note}
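Review bot: The rewritten paragraph removes the statement that `unique_account_id` defaults to `dn` but does not replace it with what the template now does; readers will assume the feature is on for new installations, when the settings file in this commit ships the line commented out. Add a sentence such as "This setting is not enabled by default; set it explicitly in `AUTH_LDAP_USER_ATTR_MAP`." Also, `objectSid` is named only for Active Directory, so non-AD admins are told to look for "a UUID" with no pointer to where to find their provider's attribute name; a short hint that the attribute is provider-specific and must be verified to be present and stable for every account before enabling the setting would make the "stable unique identifier" requirement actionable.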


@@ -244,7 +244,7 @@ AUTH_LDAP_USER_ATTR_MAP = {
## A stable unique identifier for a user allows Zulip to ## A stable unique identifier for a user allows Zulip to
## automatically handle email address changes. ## automatically handle email address changes.
## See https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#identifying-user-accounts-via-a-unique-ldap-attribute ## See https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#identifying-user-accounts-via-a-unique-ldap-attribute
"unique_account_id": "dn", # "unique_account_id": "objectSid",
## ##
## Profile pictures can be pulled from the LDAP "thumbnailPhoto"/"jpegPhoto" field. ## Profile pictures can be pulled from the LDAP "thumbnailPhoto"/"jpegPhoto" field.
# "avatar": "thumbnailPhoto", # "avatar": "thumbnailPhoto",
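Review bot: The new commented-out example `# "unique_account_id": "objectSid",` is Active Directory specific, but nothing in the surrounding `##` comment says so, so an admin on another LDAP provider may uncomment it as-is and get a mapping to an attribute their directory does not have. Mirror the docs changed in this same commit in the comment block, e.g. `## objectSid is the right choice for Active Directory; other providers` / `## offer their own stable UUID attribute, and dn works only where it never changes.`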