UnityHPC · simonLeary42 · May 26, 2026 · May 27, 2026 · May 27, 2026 · May 29, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ For details on the changes in each release, see [the Releases page](https://gith
 
 ## Version-specific update instructions:
 
+### 1.8 -> 1.9
+- schema migration:
+  - the new LDAP schema should be added in conjunction with the old
+  - all entries should have the `piGroup` objectClass replaced with `unityGroup`
+  - the `setup-pi-group-owners.php` worker should be run
+
 ### 1.7 -> 1.8
 - the [webhook] section of the config file can be removed
 - all mail templates are no longer PHP files, now they are `.html.twig`

diff --git a/resources/lib/UnityGroup.php b/resources/lib/UnityGroup.php
@@ -352,9 +352,10 @@ private function init(): void
         assert(!$this->entry->exists());
         $nextGID = $this->LDAP->getNextPIGIDNumber();
         $this->entry->create([
-            "objectclass" => ["piGroup", "posixGroup", "top"],
+            "objectclass" => ["unityGroup", "posixGroup", "top"],
             "gidnumber" => strval($nextGID),
             "memberuid" => [$owner->uid],
+            "owneruid" => $owner->uid,
         ]);
         // TODO if we ever make this project based,
         // we need to update the cache here with the memberuid
@@ -480,7 +481,7 @@ public function addPlusAddressToMail(string $mail): string
         $owner = $this->getOwner();
         $suffix = "_" . $owner->getOrg();
         assert(str_ends_with($owner->uid, $suffix));
-        $short_name = substr($owner->uid, 0, -1 * strlen($suffix));
+        $short_name = substr($owner->uid, 0, -strlen($suffix));
         $parts = explode("@", $mail, 2);
         return sprintf("%s+%s@%s", $parts[0], $short_name, $parts[1]);
     }

diff --git a/tools/docker-dev/identity/account-portal-schema.ldif b/tools/docker-dev/identity/account-portal-schema.ldif
@@ -12,7 +12,17 @@ olcAttributeTypes: ( 1.1.3 NAME 'managerUid'
     EQUALITY caseExactIA5Match
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
     )
+olcAttributeTypes: ( 1.1.4 NAME 'ownerUid'
+    DESC 'group owner'
+    EQUALITY caseIgnoreMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE
+    )
 olcObjectClasses: ( 1.1.2 NAME 'piGroup' SUP top AUXILIARY
-    DESC 'PI Group'
+    DESC 'DEPRECATED, DO NOT USE'
     MAY ( isDisabled $ managerUid )
     )
+olcObjectClasses: ( 1.1.5 NAME 'unityGroup' SUP top AUXILIARY
+    DESC 'general-purpose group in the Unity HPC Platform'
+    MAY ( isDisabled $ managerUid $ ownerUid )
+    )
diff --git a/workers/setup-pi-group-owners.php b/workers/setup-pi-group-owners.php
@@ -0,0 +1,12 @@
+#!/usr/bin/env php
+<?php
+include __DIR__ . "/init.php";
+
+use UnityWebPortal\lib\UnityGroup;
+use UnityWebPortal\lib\UnityLDAP;
+
+foreach ($LDAP->getPIGroupsAttributes(["cn"], filter: UnityLDAP::INCLUDE_DISABLED) as $attributes) {
+    $gid = $attributes["cn"][0];
+    $entry->setAttribute("ownerUid", UnityGroup::GID2OwnerUID($gid));
+}
+