external tenant id

devtools/deployments/multi-tenancy/initialize_users.go

@@ -24,6 +24,7 @@ var demoTenants = []tenantWithUsers{
 	{
 		tenant: libregraph.EducationSchool{
 			DisplayName: libregraph.PtrString("Famous Coders"),
+			ExternalId:  libregraph.PtrString("famouscodersExternalID"),
 		},
 		users: []libregraph.EducationUser{
 			{
@@ -41,6 +42,7 @@ var demoTenants = []tenantWithUsers{
 	{
 		tenant: libregraph.EducationSchool{
 			DisplayName: libregraph.PtrString("Scientists"),
+			ExternalId:  libregraph.PtrString("scientistsExternalID"),
 		},
 		users: []libregraph.EducationUser{
 			{

devtools/deployments/multi-tenancy/traefik.yml

@@ -9,7 +9,7 @@ services:
       - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
       - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
   traefik:
-    image: traefik:v3.3.1
+    image: traefik:v3.6.7
     # release notes: https://github.com/traefik/traefik/releases
     networks:
       opencloud-net:

devtools/deployments/shared/config/ldap/schemas/20_opencloud_education_schema.ldif

@@ -42,4 +42,4 @@ olcObjectClasses: ( openCloudOid:1.2.5 NAME 'openCloudEducationSchool'
   DESC 'OpenCloud education school objectclass'
   SUP openCloudObject
   AUXILIARY
-  MAY ( openCloudEducationSchoolNumber $ openCloudEducationSchoolTerminationTimestamp ) )
+  MAY ( openCloudEducationSchoolNumber $ openCloudEducationSchoolTerminationTimestamp $ openCloudEducationExternalId) )

go.mod

@@ -64,7 +64,7 @@ require (
 	github.com/onsi/gomega v1.39.1
 	github.com/open-policy-agent/opa v1.12.3
 	github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
-	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
+	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260204102724-10bcda1b3068
 	github.com/opencloud-eu/reva/v2 v2.42.3
 	github.com/opensearch-project/opensearch-go/v4 v4.6.0
 	github.com/orcaman/concurrent-map v1.0.0
@@ -339,9 +339,9 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd // indirect
 	github.com/sagikazarmark/locafero v0.11.0 // indirect
-	github.com/samber/lo v1.52.0 // indirect
-	github.com/samber/slog-common v0.20.0 // indirect
-	github.com/samber/slog-zerolog/v2 v2.9.1 // indirect
+	github.com/samber/lo v1.51.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
+	github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
 	github.com/segmentio/asm v1.2.1 // indirect
 	github.com/segmentio/kafka-go v0.4.50 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
@@ -417,5 +417,3 @@ replace github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/opencloud-
 
 // to get the logger injection (https://github.com/pablodz/inotifywaitgo/pull/11)
 replace github.com/pablodz/inotifywaitgo v0.0.9 => github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9
-
-replace github.com/opencloud-eu/reva/v2 => github.com/aduffeck/reva/v2 v2.27.3-0.20260209115512-73c029375aec

go.sum

@@ -97,8 +97,6 @@ github.com/RoaringBitmap/roaring/v2 v2.4.5 h1:uGrrMreGjvAtTBobc0g5IrW1D5ldxDQYe2
 github.com/RoaringBitmap/roaring/v2 v2.4.5/go.mod h1:FiJcsfkGje/nZBZgCu0ZxCPOKD/hVXDS2dXi7/eUFE0=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
-github.com/aduffeck/reva/v2 v2.27.3-0.20260209115512-73c029375aec h1:0OGMGUDSQeOSungcukaZOC1MfY7N7zJ8OrfnWGxrnBE=
-github.com/aduffeck/reva/v2 v2.27.3-0.20260209115512-73c029375aec/go.mod h1:EIhSI2Tv1FCdtvv5AO4ublX4yrM+1KZCcrkSImDVCDg=
 github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
 github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
@@ -969,8 +967,10 @@ github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89 h1:W1ms+l
 github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89/go.mod h1:vigJkNss1N2QEceCuNw/ullDehncuJNFB6mEnzfq9UI=
 github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9 h1:dIftlX03Bzfbujhp9B54FbgER0VBDWJi/w8RBxJlzxU=
 github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9/go.mod h1:JWyDC6H+5oZRdUJUgKuaye+8Ph5hEs6HVzVoPKzWSGI=
-github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76 h1:vD/EdfDUrv4omSFjrinT8Mvf+8D7f9g4vgQ2oiDrVUI=
-github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
+github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260204102724-10bcda1b3068 h1:i09YEVYbiUBMhxyak93REn/ZJOTRhAN4I3PXp2nCXgU=
+github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260204102724-10bcda1b3068/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
+github.com/opencloud-eu/reva/v2 v2.42.3 h1:A9v52jgIY6+UHnj5xuC4HVn/w8X4sVSibyvWsQ/50mk=
+github.com/opencloud-eu/reva/v2 v2.42.3/go.mod h1:LrMYMcSrH9nvTywiE1ry0i2w38yGLFKUPYxWjvKulBo=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -1103,12 +1103,12 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb
 github.com/sacloud/libsacloud v1.36.2/go.mod h1:P7YAOVmnIn3DKHqCZcUKYUXmSwGBm3yS7IBEjKVSrjg=
 github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
 github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
-github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
-github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
-github.com/samber/slog-common v0.20.0 h1:WaLnm/aCvBJSk5nR5aXZTFBaV0B47A+AEaEOiZDeUnc=
-github.com/samber/slog-common v0.20.0/go.mod h1:+Ozat1jgnnE59UAlmNX1IF3IByHsODnnwf9jUcBZ+m8=
-github.com/samber/slog-zerolog/v2 v2.9.1 h1:RMOq8XqzfuGx1X0TEIlS9OXbbFmqLY2/wJppghz66YY=
-github.com/samber/slog-zerolog/v2 v2.9.1/go.mod h1:DQYYve14WgCRN/XnKeHl4266jXK0DgYkYXkfZ4Fp98k=
+github.com/samber/lo v1.51.0 h1:kysRYLbHy/MB7kQZf5DSN50JHmMsNEdeY24VzJFu7wI=
+github.com/samber/lo v1.51.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
+github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
+github.com/samber/slog-zerolog/v2 v2.9.0 h1:6LkOabJmZdNLaUWkTC3IVVA+dq7b/V0FM6lz6/7+THI=
+github.com/samber/slog-zerolog/v2 v2.9.0/go.mod h1:gnQW9VnCfM34v2pRMUIGMsZOVbYLqY/v0Wxu6atSVGc=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210127161313-bd30bebeac4f/go.mod h1:CJJ5VAbozOl0yEw7nHB9+7BXTJbIn6h7W+f6Gau5IP8=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=

services/graph/pkg/identity/ldap_education_class.go

@@ -7,8 +7,8 @@ import (
 
 	"github.com/go-ldap/ldap/v3"
 	"github.com/libregraph/idm/pkg/ldapdn"
-	"github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode"
 	libregraph "github.com/opencloud-eu/libre-graph-api-go"
+	"github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode"
 )
 
 type educationClassAttributeMap struct {

services/graph/pkg/identity/ldap_education_school.go

@@ -34,6 +34,7 @@ type educationConfig struct {
 type schoolAttributeMap struct {
 	displayName     string
 	schoolNumber    string
+	externalId      string
 	id              string
 	terminationDate string
 }
@@ -48,9 +49,10 @@ const (
 )
 
 var (
-	errNotSet             = errors.New("attribute not set")
-	errSchoolNameExists   = errorcode.New(errorcode.NameAlreadyExists, "A school with that name is already present")
-	errSchoolNumberExists = errorcode.New(errorcode.NameAlreadyExists, "A school with that number is already present")
+	errNotSet                 = errors.New("attribute not set")
+	errSchoolNameExists       = errorcode.New(errorcode.NameAlreadyExists, "A school with that name is already present")
+	errSchoolNumberExists     = errorcode.New(errorcode.NameAlreadyExists, "A school with that number is already present")
+	errSchoolExternalIdExists = errorcode.New(errorcode.NameAlreadyExists, "A school with that external id is already present")
 )
 
 func defaultEducationConfig() educationConfig {
@@ -105,6 +107,7 @@ func newSchoolAttributeMap() schoolAttributeMap {
 	return schoolAttributeMap{
 		displayName:     "ou",
 		schoolNumber:    "openCloudEducationSchoolNumber",
+		externalId:      "openCloudEducationExternalId",
 		id:              "openCloudUUID",
 		terminationDate: "openCloudEducationSchoolTerminationTimestamp",
 	}
@@ -121,18 +124,33 @@ func (i *LDAP) CreateEducationSchool(ctx context.Context, school libregraph.Educ
 	// Check that the school number is not already used
 	if school.HasSchoolNumber() {
 		_, err := i.getSchoolByNumber(school.GetSchoolNumber())
-		switch err {
-		case nil:
+		switch {
+		case err == nil:
 			logger.Debug().Err(errSchoolNumberExists).Str("schoolNumber", school.GetSchoolNumber()).Msg("duplicate school number")
 			return nil, errSchoolNumberExists
-		case ErrNotFound:
+		case errors.Is(err, ErrNotFound):
 			break
 		default:
 			logger.Error().Err(err).Str("schoolNumber", school.GetSchoolNumber()).Msg("error looking up school by number")
 			return nil, errorcode.New(errorcode.GeneralException, "error looking up school by number")
 		}
 	}
 
+	// Check that the school external id is not already used
+	if school.HasExternalId() {
+		_, err := i.getSchoolByExternalId(school.GetExternalId())
+		switch {
+		case err == nil:
+			logger.Debug().Err(errSchoolExternalIdExists).Str("externalId", school.GetExternalId()).Msg("duplicate school external id")
+			return nil, errSchoolExternalIdExists
+		case errors.Is(err, ErrNotFound):
+			break
+		default:
+			logger.Error().Err(err).Str("externalId", school.GetExternalId()).Msg("error looking up school by external id")
+			return nil, errorcode.New(errorcode.GeneralException, "error looking up school by external id")
+		}
+	}
+
 	attributeTypeAndValue := ldap.AttributeTypeAndValue{
 		Type:  i.educationConfig.schoolAttributeMap.displayName,
 		Value: school.GetDisplayName(),
@@ -147,6 +165,9 @@ func (i *LDAP) CreateEducationSchool(ctx context.Context, school libregraph.Educ
 	if school.HasSchoolNumber() {
 		ar.Attribute(i.educationConfig.schoolAttributeMap.schoolNumber, []string{school.GetSchoolNumber()})
 	}
+	if school.HasExternalId() {
+		ar.Attribute(i.educationConfig.schoolAttributeMap.externalId, []string{school.GetExternalId()})
+	}
 	if !i.useServerUUID {
 		ar.Attribute(i.educationConfig.schoolAttributeMap.id, []string{uuid.NewString()})
 	}
@@ -278,14 +299,14 @@ func (i *LDAP) updateSchoolProperties(ctx context.Context, dn string, currentSch
 }
 
 // UpdateEducationSchool updates the supplied school in the identity backend
-func (i *LDAP) UpdateEducationSchool(ctx context.Context, numberOrID string, school libregraph.EducationSchool) (*libregraph.EducationSchool, error) {
+func (i *LDAP) UpdateEducationSchool(ctx context.Context, numberOrIDOrExternalID string, school libregraph.EducationSchool) (*libregraph.EducationSchool, error) {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("UpdateEducationSchool")
 	if !i.writeEnabled {
 		return nil, ErrReadOnly
 	}
 
-	e, err := i.getSchoolByNumberOrID(numberOrID)
+	e, err := i.getSchoolByNumberOrIDOrExternalID(numberOrIDOrExternalID)
 	if err != nil {
 		return nil, err
 	}
@@ -308,7 +329,7 @@ func (i *LDAP) UpdateEducationSchool(ctx context.Context, numberOrID string, sch
 	}
 
 	// Read	back school from LDAP
-	e, err = i.getSchoolByNumberOrID(i.getID(e))
+	e, err = i.getSchoolByNumberOrIDOrExternalID(i.getID(e))
 	if err != nil {
 		return nil, err
 	}
@@ -322,7 +343,7 @@ func (i *LDAP) DeleteEducationSchool(ctx context.Context, id string) error {
 	if !i.writeEnabled {
 		return ErrReadOnly
 	}
-	e, err := i.getSchoolByNumberOrID(id)
+	e, err := i.getSchoolByNumberOrIDOrExternalID(id)
 	if err != nil {
 		return err
 	}
@@ -337,10 +358,10 @@ func (i *LDAP) DeleteEducationSchool(ctx context.Context, id string) error {
 }
 
 // GetEducationSchool implements the EducationBackend interface for the LDAP backend.
-func (i *LDAP) GetEducationSchool(ctx context.Context, numberOrID string) (*libregraph.EducationSchool, error) {
+func (i *LDAP) GetEducationSchool(ctx context.Context, numberOrIDOrExternalID string) (*libregraph.EducationSchool, error) {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("GetEducationSchool")
-	e, err := i.getSchoolByNumberOrID(numberOrID)
+	e, err := i.getSchoolByNumberOrIDOrExternalID(numberOrIDOrExternalID)
 	if err != nil {
 		return nil, err
 	}
@@ -415,11 +436,11 @@ func (i *LDAP) GetEducationSchoolUsers(ctx context.Context, schoolNumberOrID str
 }
 
 // AddUsersToEducationSchool adds new members (reference by a slice of IDs) to supplied school in the identity backend.
-func (i *LDAP) AddUsersToEducationSchool(ctx context.Context, schoolNumberOrID string, memberIDs []string) error {
+func (i *LDAP) AddUsersToEducationSchool(ctx context.Context, schoolNumberOrIDOrExternalID string, memberIDs []string) error {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("AddUsersToEducationSchool")
 
-	schoolEntry, err := i.getSchoolByNumberOrID(schoolNumberOrID)
+	schoolEntry, err := i.getSchoolByNumberOrIDOrExternalID(schoolNumberOrIDOrExternalID)
 	if err != nil {
 		return err
 	}
@@ -462,11 +483,11 @@ func (i *LDAP) AddUsersToEducationSchool(ctx context.Context, schoolNumberOrID s
 }
 
 // RemoveUserFromEducationSchool removes a single member (by ID) from a school
-func (i *LDAP) RemoveUserFromEducationSchool(ctx context.Context, schoolNumberOrID string, memberID string) error {
+func (i *LDAP) RemoveUserFromEducationSchool(ctx context.Context, schoolNumberOrIDOrExternalID string, memberID string) error {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("RemoveUserFromEducationSchool")
 
-	schoolEntry, err := i.getSchoolByNumberOrID(schoolNumberOrID)
+	schoolEntry, err := i.getSchoolByNumberOrIDOrExternalID(schoolNumberOrIDOrExternalID)
 	if err != nil {
 		return err
 	}
@@ -521,12 +542,12 @@ func (i *LDAP) GetEducationSchoolClasses(ctx context.Context, schoolNumberOrID s
 }
 
 func (i *LDAP) getEducationSchoolEntries(
-	schoolNumberOrID, filter, objectClass, baseDN string,
+	schoolNumberOrIDOrExternalID, filter, objectClass, baseDN string,
 	scope int,
 	attributes []string,
 	logger log.Logger,
 ) ([]*ldap.Entry, error) {
-	schoolEntry, err := i.getSchoolByNumberOrID(schoolNumberOrID)
+	schoolEntry, err := i.getSchoolByNumberOrIDOrExternalID(schoolNumberOrIDOrExternalID)
 	if err != nil {
 		return nil, err
 	}
@@ -563,11 +584,11 @@ func (i *LDAP) getEducationSchoolEntries(
 }
 
 // AddClassesToEducationSchool adds new members (reference by a slice of IDs) to supplied school in the identity backend.
-func (i *LDAP) AddClassesToEducationSchool(ctx context.Context, schoolNumberOrID string, memberIDs []string) error {
+func (i *LDAP) AddClassesToEducationSchool(ctx context.Context, schoolNumberOrIDOrExternalID string, memberIDs []string) error {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("AddClassesToEducationSchool")
 
-	schoolEntry, err := i.getSchoolByNumberOrID(schoolNumberOrID)
+	schoolEntry, err := i.getSchoolByNumberOrIDOrExternalID(schoolNumberOrIDOrExternalID)
 	if err != nil {
 		return err
 	}
@@ -610,11 +631,11 @@ func (i *LDAP) AddClassesToEducationSchool(ctx context.Context, schoolNumberOrID
 }
 
 // RemoveClassFromEducationSchool removes a single member (by ID) from a school
-func (i *LDAP) RemoveClassFromEducationSchool(ctx context.Context, schoolNumberOrID string, memberID string) error {
+func (i *LDAP) RemoveClassFromEducationSchool(ctx context.Context, schoolNumberOrIDOrExternalID string, memberID string) error {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("RemoveClassFromEducationSchool")
 
-	schoolEntry, err := i.getSchoolByNumberOrID(schoolNumberOrID)
+	schoolEntry, err := i.getSchoolByNumberOrIDOrExternalID(schoolNumberOrIDOrExternalID)
 	if err != nil {
 		return err
 	}
@@ -652,14 +673,16 @@ func (i *LDAP) getSchoolByDN(dn string) (*ldap.Entry, error) {
 	return i.getEntryByDN(dn, i.getEducationSchoolAttrTypes(), filter)
 }
 
-func (i *LDAP) getSchoolByNumberOrID(numberOrID string) (*ldap.Entry, error) {
-	numberOrID = ldap.EscapeFilter(numberOrID)
+func (i *LDAP) getSchoolByNumberOrIDOrExternalID(numberOrIDOrExternalID string) (*ldap.Entry, error) {
+	numberOrIDOrExternalID = ldap.EscapeFilter(numberOrIDOrExternalID)
 	filter := fmt.Sprintf(
-		"(|(%s=%s)(%s=%s))",
+		"(|(%s=%s)(%s=%s)(%s=%s))",
 		i.educationConfig.schoolAttributeMap.id,
-		numberOrID,
+		numberOrIDOrExternalID,
 		i.educationConfig.schoolAttributeMap.schoolNumber,
-		numberOrID,
+		numberOrIDOrExternalID,
+		i.educationConfig.schoolAttributeMap.externalId,
+		numberOrIDOrExternalID,
 	)
 	return i.getSchoolByFilter(filter)
 }
@@ -674,6 +697,16 @@ func (i *LDAP) getSchoolByNumber(schoolNumber string) (*ldap.Entry, error) {
 	return i.getSchoolByFilter(filter)
 }
 
+func (i *LDAP) getSchoolByExternalId(schoolExternalId string) (*ldap.Entry, error) {
+	schoolExternalId = ldap.EscapeFilter(schoolExternalId)
+	filter := fmt.Sprintf(
+		"(%s=%s)",
+		i.educationConfig.schoolAttributeMap.externalId,
+		schoolExternalId,
+	)
+	return i.getSchoolByFilter(filter)
+}
+
 func (i *LDAP) getSchoolByFilter(filter string) (*ldap.Entry, error) {
 	filter = fmt.Sprintf("(&%s(objectClass=%s)%s)",
 		i.educationConfig.schoolFilter,
@@ -723,6 +756,8 @@ func (i *LDAP) createSchoolModelFromLDAP(e *ldap.Entry) *libregraph.EducationSch
 	id := i.getID(e)
 	schoolNumber := i.getSchoolNumber(e)
 
+	externalId := i.getExternalId(e)
+
 	t, err := i.getTerminationDate(e)
 	if err != nil && !errors.Is(err, errNotSet) {
 		i.logger.Error().Err(err).Str("dn", e.DN).Msg("Error reading termination date for LDAP entry")
@@ -739,6 +774,9 @@ func (i *LDAP) createSchoolModelFromLDAP(e *ldap.Entry) *libregraph.EducationSch
 	if schoolNumber != "" {
 		school.SetSchoolNumber(schoolNumber)
 	}
+	if externalId != "" {
+		school.SetExternalId(externalId)
+	}
 	if t != nil {
 		school.SetTerminationDate(*t)
 	}
@@ -750,6 +788,11 @@ func (i *LDAP) getSchoolNumber(e *ldap.Entry) string {
 	return schoolNumber
 }
 
+func (i *LDAP) getExternalId(e *ldap.Entry) string {
+	externalId := e.GetEqualFoldAttributeValue(i.educationConfig.schoolAttributeMap.externalId)
+	return externalId
+}
+
 func (i *LDAP) getID(e *ldap.Entry) string {
 	id := e.GetEqualFoldAttributeValue(i.educationConfig.schoolAttributeMap.id)
 	return id