ldap: Improve unique_account_id defaults and docs.

Some installations will change `dn` when a user marries, and also for
Active Directory and various other LDAP providers I've checked,
there's often a better value to use.
This commit is contained in:
Tim Abbott
2025-07-18 14:32:51 -07:00
parent eaf4970215
commit 3bd82927dc
3 changed files with 9 additions and 5 deletions


@@ -182,7 +182,6 @@ _Released 2025-07-17_
enabling the new `unique_account_id` setting for automatically
handling [email address
changes](../production/authentication-methods.md#synchronizing-email-addresses).
This setting is the default for new installations.
- Zulip's incoming email integration was simplified to no longer use
`postfix`. Installations using the integration will automatically
uninstall `postfix` when upgraded.
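Review bot: Dropping "This setting is the default for new installations." from the 11.0 changelog leaves the entry saying only that `unique_account_id` exists, with no hint that new installations now have to enable it themselves. Since the same release notes previously told admins the opposite, add a replacement sentence along the lines of "New installations should set `unique_account_id` explicitly; see the linked documentation for the recommended value for your LDAP provider." so upgraders who read the 11.0 notes are not left assuming the feature is on by default.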


@@ -274,9 +274,14 @@ groups. To configure this feature:
Zulip 11.0+ supports automatically handling changes in email address
for most LDAP installations. All you need to do is set the
`unique_account_id` field in `AUTH_LDAP_USER_ATTR_MAP` to a **stable
unique identifier** for the account, such as the LDAP Distinguished
Name (DN). The `unique_account_id` field defaults to the `dn` for new
installations.
unique identifier** for the account. If your LDAP server has a policy
of never changing the Distinguished Name (`dn`) for a user, you can
use that. But it's worth checking if your LDAP provider offers a UUID
that is guaranteed to map to a unique user account.
For Active Directory installations, the immutable Security Identifier
[`objectSid`](https://ldapwiki.com/wiki/Wiki.jsp?page=Security%20Identifier)
is recommended.
:::{note}
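Review bot: The rewritten paragraph removes the statement of what `unique_account_id` defaults to but never says what happens when it is left unset, so a reader can no longer tell whether email-address changes are handled at all without the field. Add one sentence making the consequence explicit (for example, "If `unique_account_id` is not set, Zulip cannot match an account whose email address has changed and will treat it as a new user" or whatever the actual behaviour is). Also, the advice "it's worth checking if your LDAP provider offers a UUID" gives a concrete attribute only for Active Directory (`objectSid`); if the aim is to steer admins away from `dn`, name the attribute for at least one other common directory, or state plainly that only `dn` and `objectSid` have been verified, so the recommendation is actionable rather than a homework assignment.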


@@ -244,7 +244,7 @@ AUTH_LDAP_USER_ATTR_MAP = {
## A stable unique identifier for a user allows Zulip to
## automatically handle email address changes.
## See https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#identifying-user-accounts-via-a-unique-ldap-attribute
"unique_account_id": "dn",
# "unique_account_id": "objectSid",
##
## Profile pictures can be pulled from the LDAP "thumbnailPhoto"/"jpegPhoto" field.
# "avatar": "thumbnailPhoto",