Site members with no user record cannot be maintained in Site Info
Activity

Sam Ottenhoff June 12, 2015 at 8:52 AM
> DON'T use LDAP auth for your Sakai instance.
Hi Laura, This isn't good advice for Sakai-using institutions. LDAP is a sane way for higher-ed institutions to manage thousands of users. It allows provisioning new users on hundreds of apps and allows de-provisioning users instantly. Tying LDAP into the LMS allows sane user management for the vast majority of Sakai-using institutions.
If a useful archive of activity in Sakai is an institutional requirement, the LDAP record should be locked instead of being purged: deny authentication capabilities while maintaining the student record.

Laura Gekeler June 12, 2015 at 8:48 AM
If multiple users have been expunged from an institution's database, this implementation provides no traceability back to the institutional eid. At the very least, the Users tool available to Admins needs to do 'reverse lookups' so that the hash can be entered and the removed user's original eid be viewed. Currently only entering the eid returns records. The hash isn't searchable.
More usefully, this could be enhanced such that the "soft delete" of a user could be reversed, and the user's eid in the UI restored. (Use Case: graduated student requests recommendation but instructor wants to look at their work).
Even more usefully, if a Gradebook of a graduated class of seniors, for example, whose institutional LDAP accounts had been removed, were to be exported, and then IMPORTED, back into the "Users" tool, again, by admins, this would return a 'bulk' display of all the mappable hashes, as eids which could then be re-activated.
==========
Sakai 3rd Party Authentication Management Implications
At our institution we moved away from LDAP auth when we were on 2.9 because we could maintain no useful archives of student activity. This JIRA does not rectify that, but with a few tweaks could. If the LDAP administrative policies at your institution include removal of retired or terminated faculty, and graduated students, DON'T use LDAP auth for your Sakai instance.
LG

Hudson CI Server October 25, 2013 at 4:10 PM
Integrated in site-manage trunk #941 (See http://builds.sakaiproject.org:8080/job/site-manage%20trunk/941/)
Allow admins/maintainers to remove orphaned users in the Site Info tool (Revision 130876)
Result = SUCCESS

Sam Ottenhoff October 25, 2013 at 3:55 PM
trunk r130876

Jean-François Lévêque October 25, 2013 at 3:17 AM
Or have no provided roster, add users manually from user provider and have them disappear from user provider.
If an instance of Sakai uses an external User Provider (e.g. institutional LDAP directory) then users who are joined to sites will no longer appear in "Site Info" if their external record is deleted (e.g. they leave the institution).
The logs show messages:
org.sakaiproject.site.util.SiteParticipantHelper - SiteParticipantHelper.prepareParticipants: user not defined <userid>
Now because they don't appear in Site Info, it is not possible to clean up these "de-registered" users, so this situation cannot be resolved easily without doing some work at the db level.
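
To build the list of accounts that need cleaning up, the "user not defined" messages quoted above can be collected from the logs. The following is an added example, not part of the original issue or of Sakai's code; the log prefix layout (timestamp, level, thread) and the user ids in the sample are constructed assumptions, and only the message text comes from the issue.

```python
import re
from collections import Counter

# Message text as quoted in the issue. Whatever precedes it on the line
# (timestamp, level, thread name) is not matched, since layouts vary.
ORPHAN_RE = re.compile(
    r"SiteParticipantHelper\.prepareParticipants: user not defined (\S+)\s*$"
)


def orphaned_users(lines):
    """Return {user_id: hit_count} for every 'user not defined' message."""
    hits = Counter()
    for line in lines:
        match = ORPHAN_RE.search(line)
        if match:
            hits[match.group(1)] += 1
    return dict(hits)


def report(lines):
    """Sorted (user_id, count) pairs: most frequent first, ties by id."""
    return sorted(orphaned_users(lines).items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log lines (ids and prefix layout are made up).
SAMPLE_LOG = """\
2015-06-12 08:40:01,113 WARN http-8080-3 org.sakaiproject.site.util.SiteParticipantHelper - SiteParticipantHelper.prepareParticipants: user not defined example-user-b
2015-06-12 08:40:01,120 WARN http-8080-3 org.sakaiproject.site.util.SiteParticipantHelper - SiteParticipantHelper.prepareParticipants: user not defined example-user-a
2015-06-12 08:41:17,002 INFO http-8080-5 org.sakaiproject.example.Other - unrelated message about user not defined
2015-06-12 08:45:30,554 WARN http-8080-1 org.sakaiproject.site.util.SiteParticipantHelper - SiteParticipantHelper.prepareParticipants: user not defined example-user-a
""".splitlines()

if __name__ == "__main__":
    for user_id, count in report(SAMPLE_LOG):
        print(f"{count:4d}  {user_id}")
```

The resulting ids are the site members whose external record no longer resolves; the count shows how often Site Info tried to load each one.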