There’s a WCI App For That 6: User Auth Source Flipper

I recently worked on a project with a client that was migrating from LDAP to Active Directory.  Because we didn’t want to lose all the group memberships of the existing users, or any of their history (such as Collaboration Server authors), we needed to come up with something a bit more… creative… than just creating a new Authentication Source and telling users to start using the new accounts.  Kenan Shifflet wrote a great post about migrating Plumtree Authentication Sources a while back, but I took a different approach because we were going from LDAP to AD, and the GUIDs and CRCs were all different.  In fact, the only thing that was the same between the two authentication sources was the login names.

Swapping the Auth Source IDs would have resulted in each of the users getting deleted and recreated, since these GUIDs didn’t match.  But by swapping the OBJECT IDs of corresponding users, we were able to preserve all group membership and security.  Why did this work?  Well, in the PTUSERS table, all user objects have an Object ID, a mapping auth name, and other values that allow the respective Authentication Web Services to match a user to the source repository, whether it’s LDAP or AD.  But in every other portal table, only the Object ID is used for things like security and group membership.

So, for example, let’s say I have an mchiste account in LDAP that’s been fully configured; I’m a member of a bunch of groups, I’ve uploaded documents to Collaboration, and my user ID is in the Access Control List for various portal objects.  Then we run the AD Synch and there’s now a new mchiste account, but it doesn’t have any of that configuration associated with the old user.  If I just swap the object IDs for the two users, then all of a sudden my AD account will have all the correct group memberships and security settings, and the LDAP one looks like it’s brand new.

That’s exactly how User Auth Source Flipper works – it matches users from two authentication sources, then swaps out the ObjectID if there’s a match.
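The match-and-swap described above, as an added example that is not the Flipper's own code. The two-table schema, column names, auth source IDs and sample rows are assumptions constructed for illustration (only the PTUSERS table name comes from the post), and because a login-name match hands the new account every membership of the old one, names that match more than once are skipped rather than guessed.

```python
import sqlite3

# Assumed, simplified stand-in for the portal schema (not the real WCI DDL).
SCHEMA = """
CREATE TABLE ptusers (objectid INTEGER PRIMARY KEY, loginname TEXT, authsourceid INTEGER);
CREATE TABLE groupmembers (groupid INTEGER, userid INTEGER);
"""
LDAP, AD = 10, 20  # constructed auth source ids

def demo_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ptusers VALUES (?,?,?)", [
        (201, "mchiste", LDAP), (305, "MChiste", AD),   # clean one-to-one match
        (202, "jdoe", LDAP), (306, "asmith", AD),       # no counterpart
        (203, "dup", LDAP), (307, "dup", AD), (308, "DUP", AD)])  # ambiguous
    db.executemany("INSERT INTO groupmembers VALUES (?,?)",
                   [(51, 201), (52, 201), (51, 203)])
    db.commit()
    return db

def plan_flips(db, old_src, new_src):
    """Pair users by case-insensitive login name; drop names that match more than once."""
    rows = db.execute(
        """SELECT o.objectid, n.objectid, LOWER(o.loginname) FROM ptusers o
           JOIN ptusers n ON LOWER(o.loginname) = LOWER(n.loginname)
           WHERE o.authsourceid = ? AND n.authsourceid = ?
           ORDER BY o.objectid""", (old_src, new_src)).fetchall()
    names = [name for _, _, name in rows]
    return [(o, n) for o, n, name in rows if names.count(name) == 1]

def flip(db, old_src, new_src):
    """Swap object ids for each planned pair inside one transaction."""
    pairs = plan_flips(db, old_src, new_src)
    with db:  # commits on success, rolls back on any error
        for old_id, new_id in pairs:
            tmp = -old_id  # parking value; assumes real object ids are positive
            for src, dst in ((old_id, tmp), (new_id, old_id), (tmp, new_id)):
                db.execute("UPDATE ptusers SET objectid = ? WHERE objectid = ?", (dst, src))
    return pairs

def groups_of(db, login, src):
    """Group ids reachable through the object id of this login in this auth source."""
    q = """SELECT g.groupid FROM groupmembers g JOIN ptusers u ON u.objectid = g.userid
           WHERE LOWER(u.loginname) = LOWER(?) AND u.authsourceid = ? ORDER BY g.groupid"""
    return [r[0] for r in db.execute(q, (login, src))]
```

Reviewing the output of `plan_flips` before calling `flip` gives a dry-run list of exactly which accounts will inherit which object IDs.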

Got an idea for an interesting app?  Interested in developing your own Auth Source Flipper?  Give us a shout.

Oh, and “There’s a WCI App For That” can’t possibly be confused with “There’s an app for that”, right?
