  • #6075
Closed
Issue created Oct 05, 2020 by bmortier (@bmortier, Maintainer)

Add an archival plugin to fusiondirectory

Actual behavior

There is no account archival plugin.

Expected behavior

Be able to store a stripped-down object only for archival purposes:

  • it should contain a minimal number of attributes
  • it should be compliant with the RGPD (i.e. only the minimal information needed for the service)
  • it should not be used as a snapshot we can restore
  • it should be configurable which attributes are saved, except for the attributes FusionDirectory needs to show the entries correctly; a tab in the configuration backend for archival needs to be created
  • it should store those accounts in an ou=archive branch

Step-by-step description of the new behaviour

  1. In the configuration, activate archive for type user, selecting which fields should be kept
  2. In the ACLs, give rights user/archive/cdr to the admin
  3. Use the Archive action on a user / several users
  4. An archive of the user is created in ou=archive,<baseoftheuser> with only the attributes we selected in the configuration backend
  5. The user is deleted from its original branch upon successful creation
  6. The archive has a reference to the original dn
  7. The archive has a timestamp of the time it was created
  8. The archive has a specific objectClass for filtering

LDAP example of an archive:

dn: cn=asmith,ou=archive,o=organization1,dc=example,dc=com
cn: asmith
fdArchivedDn: uid=asmith,ou=people,o=organization1,dc=example,dc=com
fdArchivedDate: 2021070500Z
fdArchivedType: USER
fdArchivedUniqueField: uid:asmith
fdArchivedField: homeDirectory:/home/asmith
fdArchivedField: uidNumber:1337
objectClass: fdArchivedObject
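The steps above and the LDIF entry they produce, as an added worked example; this is not FusionDirectory code and not part of the original issue. It assumes the archive configuration is a small mapping per type (the "tab in the configuration backend"), that cn is the attribute FusionDirectory always keeps to display the entry, and that fdArchivedDate is written as LDAP GeneralizedTime (YYYYMMDDHHMMSSZ; the issue's example uses a shorter form). The sample user entry is constructed. The last function shows the second stated benefit: archived unique values (uid here) can be looked up so a new account does not reuse them.

```python
"""Build a stripped-down archive entry from a user entry (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample user as the directory would return it (attribute -> values).
# userPassword and mail are present on purpose: they must NOT end up in the archive.
SAMPLE_USER = {
    "dn": "uid=asmith,ou=people,o=organization1,dc=example,dc=com",
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "uid": ["asmith"],
    "cn": ["asmith"],
    "sn": ["Smith"],
    "givenName": ["Alice"],
    "mail": ["asmith@example.com"],
    "homeDirectory": ["/home/asmith"],
    "uidNumber": ["1337"],
    "gidNumber": ["100"],
    "userPassword": ["{SSHA}constructed-placeholder"],
}

# Assumed archival configuration for type USER: which unique attributes are
# recorded and which extra fields are kept. Everything else is dropped.
USER_ARCHIVE_CONFIG = {
    "type": "USER",
    "unique_attrs": ["uid"],
    "fields": ["homeDirectory", "uidNumber"],
}

ALWAYS_KEPT = ("cn",)          # needed by FusionDirectory to display the entry (assumption)
ARCHIVE_OU = "ou=archive"      # branch the archives live in, under <baseoftheuser>
SAMPLE_NOW = datetime(2021, 7, 5, 0, 0, 0, tzinfo=timezone.utc)  # constructed timestamp


def split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas (escaped '\\,' inside a value is kept)."""
    return re.split(r"(?<!\\),", dn)


def base_of(user_dn: str) -> str:
    """<baseoftheuser>: drop the entry's own RDN and its container (e.g. ou=people)."""
    return ",".join(split_dn(user_dn)[2:])


def build_archive_entry(user: dict, config: dict, now: datetime) -> dict:
    """Return the archive entry (attribute -> values) for one user, per the configuration."""
    archive = {"dn": f"cn={user['cn'][0]},{ARCHIVE_OU},{base_of(user['dn'])}"}
    for attr in ALWAYS_KEPT:
        archive[attr] = list(user[attr])
    archive["fdArchivedDn"] = [user["dn"]]
    archive["fdArchivedDate"] = [now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")]
    archive["fdArchivedType"] = [config["type"]]
    # unique values are recorded so they can be checked against later, new accounts
    archive["fdArchivedUniqueField"] = [
        f"{attr}:{value}" for attr in config["unique_attrs"] for value in user.get(attr, [])
    ]
    # only the configured fields are copied; anything not listed is discarded
    archive["fdArchivedField"] = [
        f"{attr}:{value}" for attr in config["fields"] for value in user.get(attr, [])
    ]
    archive["objectClass"] = ["fdArchivedObject"]
    return archive


def to_ldif(entry: dict) -> str:
    """Serialise an entry as LDIF, dn first, one line per value."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines.extend(f"{attr}: {value}" for value in values)
    return "\n".join(lines) + "\n"


def reserved_unique_values(archives: list[dict], attr: str) -> set[str]:
    """Values of `attr` still held by archived entries; a new account must not reuse them."""
    prefix = f"{attr}:"
    return {
        field[len(prefix):]
        for archive in archives
        for field in archive.get("fdArchivedUniqueField", [])
        if field.startswith(prefix)
    }


def demo() -> str:
    """Archive the sample user and return the resulting LDIF."""
    archive = build_archive_entry(SAMPLE_USER, USER_ARCHIVE_CONFIG, SAMPLE_NOW)
    return to_ldif(archive)


if __name__ == "__main__":
    print(demo())
```

Deleting the original entry belongs after this function has succeeded (step 5 of the issue), and the archive should be written with a bind that only has `type/archive/c`, so a failure to create the archive never leaves the user without either entry.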

ACL rights on special fake class type/archive (inspired by type/template):

  • type/archive/c -> allows archiving (and deleting) objects
  • type/archive/d -> allows deleting archive objects
  • type/archive/r -> allows reading archive data

Benefits

Have a structured way of storing the archival of the accounts of people no longer there.

Make sure values for unique attributes like uid, uidNumber or mail are not re-used by new users.

Applicable Issues

Archiving accounts in the education / research fields

Edited Oct 06, 2020 by Côme Chilliet