Request to add Unique Object Identifier to Users

by jason everling -
Number of replies: 10

I am requesting that a Unique Object Identifier be added to all users in Moodle when using external authentication like LDAP or CAS. Like the way Active Directory has ObjectGUID, this way if users first/last name or username can be changed, Moodle will still recognize that it is the same user.

Students get married/divorced or even just name changes and we update these in Active Directory but since we use CAS backed by AD we must keep the username the same so that Moodle does not create a completely separate profile for the user.

We can manually make these changes, update AD then update Moodle but making it automated would be great!

Thanks,

JASON

In reply to jason everling

Re: Request to add Unique Object Identifier to Users

by Rex Lorenzo -

Are you using the idnumber field in the Moodle user table? When we create users from our Shibboleth integration, we populate the idnumber field with a value that acts as a GUID for our campus.

So, if names change or emails change, it will update the corresponding user table in Moodle.

Average of ratings: Useful (1)
In reply to Rex Lorenzo

Re: Request to add Unique Object Identifier to Users

by jason everling -

I tried populating objectGUID into the ID field and it does not come out correctly in Moodle. I even tried using the objectSID, these are the only 2 attributes in AD I can think of that are persistent. We do not add student/faculty/staff IDs to our users in AD.

Is there another way to populate the id field in Moodle using objectGUID? I am assuming that it does not get populated correctly because it is in HEXADECIMAL format.

Thanks,

JASON

In reply to jason everling

Re: Request to add Unique Object Identifier to Users

by Tim Hunt -

idnumber != id.

idnumber is a char(255) field.


In reply to Tim Hunt

Re: Request to add Unique Object Identifier to Users

by Andrew Lyons -

We had to do something similar at Lancaster University, but the idnumber field was not sufficient for our purposes.

Instead, we created a mapping table for our authentication plugin which mapped each uid to any number of external identifiers and had our authentication plugin check this table to determine the Moodle user record. This suited our use-case because our institution-wide authentication mechanism (Cosign + LDAP) allowed for multiple user records to belong to the same user account and this was used within the institution.

It would not have been right to do this in the user table. In fact, I did hear a proposal to remove things like the password field from the user table because in truth, it belongs to the authentication plugin rather than the user.

Hope that this helps,

Andrew

In reply to Tim Hunt

Re: Request to add Unique Object Identifier to Users

by jason everling -

I really don't want to modify the database, it could lead to issues down the road during upgrades, might not but do not want to take that chance.

Is there any way that this could be looked at in a future version?

JASON

In reply to jason everling

Re: Request to add Unique Object Identifier to Users

by Richard Oelmann -

If the idnumber field that is already there (not the user id as Tim points out!) is not sufficient, could you just set up a custom user profile field and add your unique identifier into that?


In reply to Richard Oelmann

Re: Request to add Unique Object Identifier to Users

by jason everling -

I actually didn't think about creating a custom profile field and setting it unique. I'll give it a go and see what happens.

The whole reason for this, for example: we have a student this semester with username/email josmith, and he/she graduates; several years down the road we get another new student and for some reason someone gives them the same username josmith. Since we do not delete grade history in Moodle, that new student would have the same information attached to him/her in the database.

JASON

In reply to jason everling

Re: Request to add Unique Object Identifier to Users

by Richard Oelmann -

Still not sure why you can't use the existing idnumber as the unique identifier field?

It's in the Optional fields when you are editing the profile

- but we populate it from our LDAP authentication: user name and email address and student idnumber are populated directly, and the student idnumber is always a unique identifier (although in our case usernames and email addresses are kept unique too by adding a sequential number after the username, so the first ever josmith would be josmith01, then josmith02... even years after the original josmith has left, because sometimes they might come back to do a further degree or postgrad)

Richard

In reply to Richard Oelmann

Re: Request to add Unique Object Identifier to Users

by jason everling -

I tried using the idnumber field in Moodle but it is not unique without modifying the database, multiple users can have the same data in the idnumber field. I tested this by adding the same id number to 5 test users, it should not have let me save the 2nd user profile after I added the same id number but I was able to save all 5 with the same id number in the field.

As suggested, I created a custom field and set it to unique in Moodle. I have modified our AD schema to support eduPersonProperties and I created a PowerShell script to pull the student IDs from our database and import them into the eduPersonTargetedID field in Active Directory, which is unique. I created a custom profile field in Moodle labeled ID and set it to unique.

I still do not think that this will solve the issue of name/username changes and Moodle knowing that it is the same person and automatically updating the username to match. This will just prevent the same username from being provisioned to different people many years down the road since the student IDs are the unique identifier and not the username.

JASON

In reply to jason everling

Re: Request to add Unique Object Identifier to Users

by Andrew Lyons -

Hi Jason,

The option I described in my previous post was actually used for exactly what you describe.

In my previous job we used an external authentication source called Cosign with user data fed by LDAP. We had an LDAP field for each user account (uolOwnerCid) which referred to a unique person object. Every person in the University had one, and only one, person object even if they had multiple user accounts.

As part of the login checking phase, we would:

  • take the authenticated username, and feed it into LDAP to get the CID associated with that user account;
  • check whether an account with that CID was present in the mapping table I described;
    • if so, then take the username associated with that CID and pass that to the rest of the login phase;
    • otherwise create a new mapping and pass the supplied username;
  • continue login with the specified username

This allowed us to handle logins for different usernames belonging to the same user.

We called this username the authoritative username.

We also had to update our (custom) enrolment system to call the same mapping function when enrolling students to ensure that it would use the authoritative username for all enrolments regardless of which account the enrolment was associated with.

We also had a CLI script which was run every few minutes which ran through every CID in the LDAP tree and:

  • created missing user records in Moodle;
  • updated user records (e.g. firstname, lastname, phone, e-mail), but importantly the username; and
  • soft-deleted old users (we didn't want to actually unenrol users fully).

This had the effect that:

  • usernames could then be re-used in subsequent years; and
  • a student starting a course, leaving, and then coming back several years later will still have access to all of their previous content, grades, messages, etc.

Hope that this sheds some light,

Andrew

Average of ratings: Useful (2)
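As an added illustration (not code from this thread or from Moodle) of two points raised above: why a raw AD objectGUID "does not come out correctly" as text, and the login-phase mapping plus periodic rename sync that Andrew describes. An in-memory dict stands in for the auth plugin's mapping table, and the objectGUID byte strings are constructed sample values.

```python
import uuid
from dataclasses import dataclass, field


def objectguid_to_string(raw: bytes) -> str:
    """Convert the 16 raw bytes AD returns for objectGUID into canonical text.
    AD stores the first three groups little-endian, which is exactly the
    layout uuid.UUID(bytes_le=...) expects; feeding the raw bytes straight
    into a char field is what produces the garbage Jason saw."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


@dataclass
class IdentityMap:
    """Stand-in for the auth plugin's mapping table: person id -> authoritative username."""
    by_cid: dict = field(default_factory=dict)

    def resolve_login(self, cid: str, supplied_username: str) -> str:
        """Login-phase check: return the authoritative username for this person,
        creating the mapping the first time the person id is seen."""
        if cid in self.by_cid:
            return self.by_cid[cid]
        self.by_cid[cid] = supplied_username
        return supplied_username

    def sync_rename(self, cid: str, directory_username: str) -> bool:
        """Periodic sync step: if the directory now reports a different username
        for a known person id, update the mapping (the person id never changes).
        Returns True when a rename was applied."""
        current = self.by_cid.get(cid)
        if current is None or current == directory_username:
            return False
        self.by_cid[cid] = directory_username
        return True


# Constructed sample directory records (not real objectGUID values).
SAMPLE_DIRECTORY = [
    {"objectGUID": bytes(range(1, 17)), "sAMAccountName": "josmith"},
    {"objectGUID": bytes(range(17, 33)), "sAMAccountName": "jdoe"},
]


def demo() -> dict:
    ids = IdentityMap()
    for rec in SAMPLE_DIRECTORY:  # first logins create the mappings
        ids.resolve_login(objectguid_to_string(rec["objectGUID"]), rec["sAMAccountName"])
    cid = objectguid_to_string(SAMPLE_DIRECTORY[0]["objectGUID"])
    ids.sync_rename(cid, "jojones")  # josmith renamed in AD; same objectGUID
    # years later a new person is provisioned with the recycled name josmith
    newcomer = ids.resolve_login(objectguid_to_string(bytes(range(33, 49))), "josmith")
    return {"renamed": ids.resolve_login(cid, "jojones"), "newcomer": newcomer}
```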