The user name is a property of the identity object and can not be changed. For legacy reasons the identity.name is used as a reference in several places.
However, the identity.name is not really used for the login process. When performing a login, the authentication.authusername is used instead. A user can have several authentication tokens, one with a local OpenOlat password, one for LDAP, Shibboleth, oAuth, LinkedIn etc. In those authentication tokens the login name is stored together with the encrypted credential or other information necessary when authenticating agains an external system.
Renaming login names has been a wish for a long time, e.g. due to marriage some people insist on changing their login name. While renaming login name in the authentication.authusername is no problem at all, renaming the identity.name is not possible due to the braking references. in files, filenames and database entries.
The goal of this issue is to remove the users identity.name and only use the authentication.authusername instead. Technically the identity.name remains and new users will also get a identity.name, however this technical identifier will not be displayed anymore and is not the same as the authentication.authusername. It is just a technical ID that happed to be the same as the login name for old users and the database key for new users.
Following things must be done
- Decouple login process from identity.name
- Implement a new nickname user property that can be used instead of the identity.name
- Populate it with existing identity.name for migration
- Add options to populate the nickname from LDAP/Shib/oAuth Attributes or let user set it
- Decouple user match from identity.name for authentication providers
- Implement GUI to rename authentication.authusername
- Make sure dependencies to other authentication tokens are handled correctly, eg. for WebDAV access, OpenOlat password caching in LDAP Provider
- Remove identity.name from all GUI's, replace it with nickname property
- Migration user property contexts to use the new nickname where the username has been used previously
- Make sure it is still possible to create a user without authentication and still give some unique identifier for later identification (maybe just by email?)
- Adapt search queries to search in all relevant authentication providers when searching by username
- When creating a new identity, set identity.name to "U" + user.key
The default configuration uses the new identity.name scheme automatically. An opt-out configuration allows using the old scheme of using the authentication.authusername as the identity.name on identity generation (not possible to rename afterwards).
This is configured using a global flag that can be set in the olat.local.properties
When this flat is set to manual, the authentication.authusername provided on identity generation is used as identity.name for every authentication provider and also set as the nick name property (OpenOlat via REST or GUI, LDAP, Shibboleth etc).
Participant bulk import
User import in courses and groups is often done using the username. Since the new identity.name has not the meaning of a username anymore the new nickname userproperty is supported.