mirror of
https://github.com/zulip/zulip.git
synced 2025-10-23 04:52:12 +00:00
ldap: Improve unique_account_id defaults and docs.
Some installations will change `dn` when a user marries, and also for Active Directory and various other LDAP providers I've checked, there's often a better value to use.
@@ -182,7 +182,6 @@ _Released 2025-07-17_
|
|||||||
enabling the new `unique_account_id` setting for automatically
|
enabling the new `unique_account_id` setting for automatically
|
||||||
handling [email address
|
handling [email address
|
||||||
changes](../production/authentication-methods.md#synchronizing-email-addresses).
|
changes](../production/authentication-methods.md#synchronizing-email-addresses).
|
||||||
This setting is the default for new installations.
|
|
||||||
- Zulip's incoming email integration was simplified to no longer use
|
- Zulip's incoming email integration was simplified to no longer use
|
||||||
`postfix`. Installations using the integration will automatically
|
`postfix`. Installations using the integration will automatically
|
||||||
uninstall `postfix` when upgraded.
|
uninstall `postfix` when upgraded.
|
||||||
|
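Review bot: Removing "This setting is the default for new installations." from a section whose header reads "_Released 2025-07-17_" leaves the entry silent about which installations have the setting enabled. The settings template hunk in this same commit shows that `"unique_account_id": "dn",` was previously active, so installations created from that template may already be keyed on `dn`. Consider adding a sentence that tells those administrators to review the value, and that states the setting now has to be enabled by hand.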
@@ -274,9 +274,14 @@ groups. To configure this feature:
|
|||||||
Zulip 11.0+ supports automatically handling changes in email address
|
Zulip 11.0+ supports automatically handling changes in email address
|
||||||
for most LDAP installations. All you need to do is set the
|
for most LDAP installations. All you need to do is set the
|
||||||
`unique_account_id` field in `AUTH_LDAP_USER_ATTR_MAP` to a **stable
|
`unique_account_id` field in `AUTH_LDAP_USER_ATTR_MAP` to a **stable
|
||||||
unique identifier** for the account, such as the LDAP Distinguished
|
unique identifier** for the account. If your LDAP server has a policy
|
||||||
Name (DN). The `unique_account_id` field defaults to the `dn` for new
|
of never changing the Distinguished Name (`dn`) for a user, you can
|
||||||
installations.
|
use that. But it's worth checking if your LDAP provider offers a UUID
|
||||||
|
that is guaranteed to map to a unique user account.
|
||||||
|
|
||||||
|
For Active Directory installations, the immutable Security Identifier
|
||||||
|
[`objectSid`](https://ldapwiki.com/wiki/Wiki.jsp?page=Security%20Identifier)
|
||||||
|
is recommended.
|
||||||
|
|
||||||
:::{note}
|
:::{note}
|
||||||
|
|
||||||
|
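Review bot: The new paragraph recommending `objectSid` does not say in what form the value is read or compared, and in Active Directory that attribute is a binary value rather than a text string. A sentence stating what Zulip stores for `unique_account_id` would answer that. The paragraph before it tells administrators to look for "a UUID that is guaranteed to map to a unique user account" without naming an attribute for any non-AD server, so an example there would make the advice actionable. It would also help to say what happens to already-linked accounts if the mapping is changed later, for instance from `dn` to another attribute.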
@@ -244,7 +244,7 @@ AUTH_LDAP_USER_ATTR_MAP = {
|
|||||||
## A stable unique identifier for a user allows Zulip to
|
## A stable unique identifier for a user allows Zulip to
|
||||||
## automatically handle email address changes.
|
## automatically handle email address changes.
|
||||||
## See https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#identifying-user-accounts-via-a-unique-ldap-attribute
|
## See https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#identifying-user-accounts-via-a-unique-ldap-attribute
|
||||||
"unique_account_id": "dn",
|
# "unique_account_id": "objectSid",
|
||||||
##
|
##
|
||||||
## Profile pictures can be pulled from the LDAP "thumbnailPhoto"/"jpegPhoto" field.
|
## Profile pictures can be pulled from the LDAP "thumbnailPhoto"/"jpegPhoto" field.
|
||||||
# "avatar": "thumbnailPhoto",
|
# "avatar": "thumbnailPhoto",
|
||||||
|
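Review bot: The commented-out example `# "unique_account_id": "objectSid",` is specific to Active Directory, but none of the surrounding `##` comment lines say so, and an administrator on another LDAP server who uncomments it would be mapping an attribute their directory may not have. Suggest adding a `##` line that says `objectSid` is the Active Directory choice and that other servers should use their own stable identifier, matching the wording in the documentation hunk. Separately, the "See" URL in this block ends in `#identifying-user-accounts-via-a-unique-ldap-attribute` while the changelog hunk links to `#synchronizing-email-addresses`; check that both anchors resolve to the section being edited.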