On 7/13/21 12:36 PM, Nate Dreier wrote:
> Hello!
>
> *Version: 3.4
> Auth: Active Directory (previously Slapd)*
> *Issue: Update old username*
>
> I have recently shifted auth to use Active Directory. Previously we used
> a basic slapd. Both are LDAP.
>
> In the old LDAP instance there are a small handful of users that their
> UID does not map 1:1 with our Active Directory's UID.
>
> Is there a simple way to update a username?
>
> I have looked around online and there are varying answers from varying
> years. Wondering if there is a new updated answer for 3.4
>
> The two things that I've ruled out are using the API. Errors out since
> the accounts are controlled via LDAP (makes sense). The other is
> reverting back to the old LDAP, updating the LDAP UID entry to match the
> new UID. That I hoped would work but ultimately just creates a new account.
>
> I have seen some rumblings from posts about updating *All-Users.git*. I
> am currently looking around seeing if I can figure that out. Any
> direction would be greatly appreciated.

You're likely going to have to muck around inside All-Users to get this
fixed. To my knowledge there are currently no plugins or tools for
merging or renaming accounts that already exist.

So... the primer on user accounts in NoteDB

Your external authentication linkages all happen in the
meta/external-ids branch.

Your records are indexed and stored via a shared sha1sum of the record
data type and key.

So, for LDAP you're going to have a few records. Record types that I
know you'll have:

gerrit:$uid
username:$uid

The gerrit:$uid is the primary account linkage record; it will look
something like this:

[externalId "gerrit:foo"]
<hardtab>accountId = 12345
<hardtab>email = f...@example.com

The above would be stored in the following file:

df/e9e07aea260bf85aa31f08a392a2ae71f40766

That can be obtained by the following incantation:

echo -n 'gerrit:foo' | sha1sum | cut -f1 -d' ' | \
sed 's/^\(.\{2\}\)/\1\//'

The username record would look like this:

[externalId "username:foo"]
<hardtab>accountId = 12345

There might be an optional password field in there too, depending on the
Gerrit configuration. This one would be stored at:

4b/0d6805d13e212673b3b7ea7f9ecc464c4a9227

Which is obtained by the same incantation, just swapping out the
gerrit:foo for username:foo

So... if you're needing to change account identifiers on the back end
you basically have to move records around and update the information in
them.

Additionally the email field in the gerrit record must be unique in your
Gerrit system. If the email that is listed there _does not match_ what
your authentication backend is, it must be fixed. If you need to
maintain that email address after swapping it out then you will need to
add a mailto record which would look like:

[externalId "mailto:f...@example.com"]
<hardtab>accountId = 12345
<hardtab>email = f...@example.com

Living at 0a/401e098c5702d9ed9643f405ef3893632ad4b2

As for the account details, those will be stored in files at the
following location:

users/<shard>/<accountId>

Where shard == the last two digits of the accountId (zero padded).
So in this case it would be users/45/12345; a user with accountId of 1
would be at users/01/1

For the case of just fixing up bad accounts you shouldn't have to deal
with those branches, but you _will_ want to consider doing some
consistency checks.

A more in-depth email about all of this (including how to deal with
consistency issues) can be found in this [0] post I made back in 2019.

-Andy-

[0] https://groups.google.com/g/repo-discuss/c/tZ1tYQwbeLY/m/xSZhIQ20EQAJ
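
The path and record layout described in the reply above, as an added example that is not part of the original message and is not Gerrit's own tooling: it prints which external-ID notes a uid change touches and what the new records contain, without modifying anything. The function names and the sample uid `foo.bar` and its address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and sample values are assumptions for illustration.

# Note path for an external ID key: SHA-1 of the key, "/" after the first two hex chars.
extid_path() {
    printf '%s' "$1" | sha1sum | cut -d' ' -f1 | sed 's/^\(..\)/\1\//'
}

# Account details path: shard is the last two digits of the accountId, zero padded.
account_path() {
    printf 'users/%02d/%s\n' "$(( $1 % 100 ))" "$1"
}

# Record body for one external ID (args: key accountId [email]).
# Fields are indented with a hard tab, as in the records shown in the thread.
extid_record() {
    printf '[externalId "%s"]\n\taccountId = %s\n' "$1" "$2"
    if [ -n "${3:-}" ]; then printf '\temail = %s\n' "$3"; fi
}

# Print, without changing anything, what moving one account from old_uid to
# new_uid involves (args: accountId old_uid new_uid email).
# An optional password field in the old username record is not reproduced
# here and would have to be carried over by hand.
rename_plan() {
    for scheme in gerrit username; do
        echo "remove $(extid_path "$scheme:$2")    ($scheme:$2)"
        echo "write  $(extid_path "$scheme:$3")    ($scheme:$3)"
    done
    echo "--- new gerrit record ---"
    extid_record "gerrit:$3" "$1" "$4"
    echo "--- new username record ---"
    extid_record "username:$3" "$1"
    echo "account details stay at $(account_path "$1")"
}

# Constructed sample: account 12345 moving from uid "foo" to uid "foo.bar".
rename_plan 12345 foo foo.bar foo.bar@example.com
```

The accountId stays the same across the move, so only the notes keyed by the uid change path; the email passed in should be the one the authentication backend reports.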