From 5065a67891cde72ac3d38cd8ba5977da3a711725 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <r.haferkamp@opencloud.eu>
Date: Mon, 2 Mar 2026 17:53:37 +0100
Subject: [PATCH] feat(graph/edu): Add externalID user property

---
 .../deployments/multi-tenancy/initialize_users.go  |  4 ++++
 services/graph/pkg/identity/ldap_education_user.go | 14 +++++++++++++-
 .../graph/pkg/identity/ldap_education_user_test.go |  1 +
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/devtools/deployments/multi-tenancy/initialize_users.go b/devtools/deployments/multi-tenancy/initialize_users.go
index 9c64182b44..b376e3476a 100644
--- a/devtools/deployments/multi-tenancy/initialize_users.go
+++ b/devtools/deployments/multi-tenancy/initialize_users.go
@@ -31,11 +31,13 @@ var demoTenants = []tenantWithUsers{
 				DisplayName:              libregraph.PtrString("Dennis Ritchie"),
 				OnPremisesSamAccountName: libregraph.PtrString("dennis"),
 				Mail:                     libregraph.PtrString("dennis@example.org"),
+				ExternalId:               libregraph.PtrString("ExternalID1"),
 			},
 			{
 				DisplayName:              libregraph.PtrString("Grace Hopper"),
 				OnPremisesSamAccountName: libregraph.PtrString("grace"),
 				Mail:                     libregraph.PtrString("grace@example.org"),
+				ExternalId:               libregraph.PtrString("ExternalID2"),
 			},
 		},
 	},
@@ -49,11 +51,13 @@ var demoTenants = []tenantWithUsers{
 				DisplayName:              libregraph.PtrString("Albert Einstein"),
 				OnPremisesSamAccountName: libregraph.PtrString("einstein"),
 				Mail:                     libregraph.PtrString("einstein@example.org"),
+				ExternalId:               libregraph.PtrString("ExternalID3"),
 			},
 			{
 				DisplayName:              libregraph.PtrString("Marie Curie"),
 				OnPremisesSamAccountName: libregraph.PtrString("marie"),
 				Mail:                     libregraph.PtrString("marie@example.org"),
+				ExternalId:               libregraph.PtrString("ExternalID4"),
 			},
 		},
 	},
diff --git a/services/graph/pkg/identity/ldap_education_user.go b/services/graph/pkg/identity/ldap_education_user.go
index c2700195ed..9fb33f78fb 100644
--- a/services/graph/pkg/identity/ldap_education_user.go
+++ b/services/graph/pkg/identity/ldap_education_user.go
@@ -12,11 +12,13 @@ import (
 
 type educationUserAttributeMap struct {
 	primaryRole string
+	externalID  string
 }
 
 func newEducationUserAttributeMap() educationUserAttributeMap {
 	return educationUserAttributeMap{
 		primaryRole: "userClass",
+		externalID:  "openCloudEducationExternalId",
 	}
 }
 
@@ -33,7 +35,7 @@ func (i *LDAP) CreateEducationUser(ctx context.Context, user libregraph.Educatio
 		return nil, err
 	}
 
-	if err := i.conn.Add(ar); err != nil {
+	if err = i.conn.Add(ar); err != nil {
 		var lerr *ldap.Error
 		logger.Debug().Err(err).Msg("error adding user")
 		if errors.As(err, &lerr) {
@@ -118,6 +120,7 @@ func (i *LDAP) UpdateEducationUser(ctx context.Context, nameOrID string, user li
 		i.userAttributeMap.givenName:                   user.GetGivenName(),
 		i.userAttributeMap.userType:                    user.GetUserType(),
 		i.educationConfig.userAttributeMap.primaryRole: user.GetPrimaryRole(),
+		i.educationConfig.userAttributeMap.externalID:  user.GetExternalId(),
 	}
 
 	for attribute, value := range properties {
@@ -277,6 +280,10 @@ func (i *LDAP) userToEducationUser(user libregraph.User, e *ldap.Entry) *libregr
 		if primaryRole := e.GetEqualFoldAttributeValue(i.educationConfig.userAttributeMap.primaryRole); primaryRole != "" {
 			eduUser.SetPrimaryRole(primaryRole)
 		}
+
+		if externalID := e.GetEqualFoldAttributeValue(i.educationConfig.userAttributeMap.externalID); externalID != "" {
+			eduUser.SetExternalId(externalID)
+		}
 	}
 
 	return eduUser
@@ -286,6 +293,10 @@ func (i *LDAP) educationUserToLDAPAttrValues(user libregraph.EducationUser, attr
 	if role, ok := user.GetPrimaryRoleOk(); ok {
 		attrs[i.educationConfig.userAttributeMap.primaryRole] = []string{*role}
 	}
+
+	if externalID, ok := user.GetExternalIdOk(); ok {
+		attrs[i.educationConfig.userAttributeMap.externalID] = []string{*externalID}
+	}
 	attrs["objectClass"] = append(attrs["objectClass"], i.educationConfig.userObjectClass)
 	return attrs, nil
 }
@@ -326,6 +337,7 @@ func (i *LDAP) getEducationUserAttrTypes() []string {
 		i.userAttributeMap.userType,
 		i.userAttributeMap.identities,
 		i.educationConfig.userAttributeMap.primaryRole,
+		i.educationConfig.userAttributeMap.externalID,
 		i.educationConfig.memberOfSchoolAttribute,
 	}
 }
diff --git a/services/graph/pkg/identity/ldap_education_user_test.go b/services/graph/pkg/identity/ldap_education_user_test.go
index 5fbefa5d82..bfe047d9b6 100644
--- a/services/graph/pkg/identity/ldap_education_user_test.go
+++ b/services/graph/pkg/identity/ldap_education_user_test.go
@@ -22,6 +22,7 @@ var eduUserAttrs = []string{
 	"userTypeAttribute",
 	"openCloudExternalIdentity",
 	"userClass",
+	"openCloudEducationExternalId",
 	"openCloudMemberOfSchool",
 }