I'm working on LDAP synchronization, and my feeling is the following:
- There are a lot of plugins and sync options on several modules, either core modules or added ones. Each one has different configuration options, and it is very difficult to understand how they are linked together; furthermore, the documentation lacks examples. It is very difficult to find which one to use; there are several sync options that you can find in very different places.
- The sync options are mostly group oriented. Not all LDAP directories group all users by LDAP group; it can be done on attributes or a combination of attributes, or a combination of an OU context and attributes. The usual LDAP search pattern is to give a search base and a pattern. No configuration option offers this common use of an LDAP directory. It gives the feeling that each plugin has been built considering a special case and not general use.
- It is not clear whether the sync task will add users or just modify existing users.
- Cohort sync is a bit raw. You can't give a name to a cohort; you can only use the name in the LDAP. But usually students have an internal code which is quite cryptic, which is not the one used by teachers and students. What would be nice is if each cohort could have an LDAP filter that determines whether a user belongs to it or not. So you create the cohort with the name you want, and then add sync options and parameters.
What should be done is to have a generic method of describing a group of people in LDAP (given a search base, a filter with a uid or mail placeholder for existing users) that could be used in different sync or configuration options, mainly cohorts, roles, and course enrolment. That would clean up the problem of finding configuration options in too many places, which are not always coherent from one place to another and are sometimes redundant.
OK, I understand it's a big job, but pity the sysadmins who have to fight with sync options...
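
A sketch of the generic group description proposed in the post above, as an added example that is not part of the original post and is not Moodle code: a named rule holding a search base and a filter template with a `{uid}` or `{mail}` placeholder, usable both to test one existing user and to list every member. The class, field names, directory layout and attribute values are hypothetical; the placeholder value is escaped per RFC 4515 so a crafted uid or mail cannot change the filter.

```python
import re
from dataclasses import dataclass

_PLACEHOLDER = re.compile(r"\{(uid|mail)\}")
# RFC 4515: characters that must be escaped inside a filter assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapGroupRule:
    """Hypothetical reusable description of 'a group of people in LDAP'."""
    name: str             # display name chosen by the admin, not the LDAP code
    base_dn: str          # search base
    filter_template: str  # LDAP filter containing {uid} or {mail}

    def __post_init__(self):
        if not _PLACEHOLDER.search(self.filter_template):
            raise ValueError("filter template needs a {uid} or {mail} placeholder")

    def membership_query(self, **user: str):
        """(base, filter) that returns an entry only if this user is a member."""
        def fill(match):
            key = match.group(1)
            if key not in user:
                raise ValueError(f"missing value for placeholder {{{key}}}")
            return escape_filter_value(user[key])
        return self.base_dn, _PLACEHOLDER.sub(fill, self.filter_template)

    def enumeration_query(self):
        """(base, filter) listing all members: placeholder becomes a presence test."""
        return self.base_dn, _PLACEHOLDER.sub("*", self.filter_template)


# Constructed sample: a cohort defined by an attribute, not by an LDAP group.
COHORT = LdapGroupRule(
    name="Third-year computer science",
    base_dn="ou=people,dc=example,dc=org",
    filter_template="(&(objectClass=inetOrgPerson)(departmentNumber=INF-L3)(uid={uid}))",
)

if __name__ == "__main__":
    print(COHORT.membership_query(uid="jdoe"))
    print(COHORT.enumeration_query())
```

The same rule object could back a cohort, a role assignment or a course enrolment, which is the single point of configuration the post asks for.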