Current setup:
I've setup a server connection to my Active Directory system using TLS. Using the latest dev version of the LDAP module I am able to login to my Drupal site using Active Directory credentials.
Desired functionality:
The LDAP module seems to support that I can "Provide option on admin/people/create to create corresponding LDAP Entry." I've setup the attributes under "PROVISIONING FROM DRUPAL TO LDAP MAPPINGS:" correctly. Right now everything works about this except for saving the password. If I try to create a user in Drupal I get 53 - "Server is unwilling to perform". This is because I am trying to pass the Drupal password into the "unicodePwd" AD field. Something seems to be going wrong there. If I remove the password element from the provisioning scheme, then the user is created in Drupal and the AD just fine. But, obviously this isn't functional because that user in the AD doesn't have a password assigned.
From some research into this problem I think I need to do something like this to the password before it's sent to ldap_add as an attribute:
// create the unicode password
$len = strlen($newPassword);
$newPass = '"';
for ($i = 0; $i < $len; $i++)
{
$newPass .= "{$newPassword{$i}}\000";
}
$newPass .= '"';
I've done a bit of research into the module, but can't exactly figure out where the "Pwd: User or Random" parsing happens. It seems like I could write a conditional that wraps the password string in the above code if the server type is Active Directory. Can anyone give me some pointers on where I should look at adding that code?
Comments
Comment #1
johnbarclay CreditAttribution: johnbarclay commentedThis is a duplicate of another current issue.
Comment #2
bryan kennedy CreditAttribution: bryan kennedy commentedCould you let me know which issue this is a duplicate of? I did a bit of searching and even posted on another thread and was encouraged to open a new issue. Sorry for cluttering the queue, I just need some specific direction.
Comment #3
johnbarclay CreditAttribution: johnbarclay commentedThese are the 3. If these are not appropriate, pleas continue with this.
#1718200: LDAP User: Create options for setting password in provisioning of ldap entries
#1884962: LDAP Users: Password encryption token options available for Provisioning to LDAP of drupal password.
#1838896: LDAP User: When provisioning from Drupal to LDAP a random password is always used regardless of selecting User or Random.
Comment #4
mallezieI'm gonna reopen this issue. I encountered the same problem.
It's a very specific Active Directory 'change password' problem.
When mapping the password to the unicodePwd attribute. To make it possible to change your AD-password from Drupal, there are specific requirements. See http://stackoverflow.com/questions/10763070/ldap-mod-replace-function-ld...
Main reasons are
This code above solves the last two issues.
i managed to get this working, by hacking this code in LdapServer.class.php more specific just before the ldap_modify call on line 564.
(This probably only works for account update, not account creation).
LdapServer.class.php line 564
I assume this better belongs some way in the LdapTypeActiveDirectory.class.php class, but i have no idea, how to isolate this code there.
Comment #5
saford91 CreditAttribution: saford91 commentedThis solved my problem. Here are those changes made into a patch.
Comment #6
johnbarclay CreditAttribution: johnbarclay commentedThe patch looks good. But there should be an option in the UI to specify this type of behavior or in the token system.
Comment #7
kenorb CreditAttribution: kenorb commentedComment #8
nullkernel CreditAttribution: nullkernel commentedI have been working with the ldap module for the past week, and have made a patch to contribute back to the project. There are two problems which caused me lots of debugging, and I have both bugfixes in this patch. One being unicodePwd, the other being a bug I haven't seen reported ("Pwd: User Only" not being set with my site's registration form).
I can appreciate why johnbarclay suggests to have an option in the UI. However the code I wrote is very particular - it will only change the unicodePwd field, and only if the LDAP server type is set to Active Directory (which is a UI option). I can think of no use case in which this change would have an adverse impact.
The other change I made is adding a hook so that the function ldap_user_grab_password_validate($form, &$form_state) will be called if the FORM_ID is user-pass-reset (in addition to the previously defined hooks which call the function).
Also, I have noticed that there is a similar function that appears to be intended for Active Directory, but it is implemented in a different way and doesn't work for me. I am thinking it is defunct in general (and works for nobody). It is called "ldap_password_modify". I have left it alone, but I am thinking it probably should be deleted.
Comment #9
sin CreditAttribution: sin commented#8 works. Thanks!
Comment #10
jean jack CreditAttribution: jean jack commented#8 works good for AD 2012
Thanks
Comment #11
nullkernel CreditAttribution: nullkernel commentedThanks for the feedback guys. Although the patch is 2 years old, it still applies fine to my local clone of branch 7.x-2.x . Should the issue's status be changed to RTBC so that the patch may be committed?
Comment #12
mallezieJohnbarclay (the maintainer) already replied, this should be configurable behaviour. (Which i fully agree). So if anyone could take care of that, i'm sure this could be merged. But it can't be committed as is, since this would break other backends.
Comment #13
nullkernel CreditAttribution: nullkernel commentedI think the patch I proposed would not break other backends. The patch restricts the behavior to Active Directory servers. From what I gather, Active Directory always needs the string to be in this format (and no other backend does). So I don't see any technical reason to add a configuration option. Or am I missing something?
Comment #14
grahlComment #15
grahlComment #17
nullkernel CreditAttribution: nullkernel commentedUpdating to "Needs review" - I don't see any current testbot failures. Earlier testbot failures were caused by a composer require failure which is unrelated to this patch.
Comment #18
grahlLooks good, committed.
I agree with nullkernel, this is type-specific and should not break other backends.
Moving this issue back to needs work for porting it to 8.x. Patches are welcome!
Comment #20
caiobianchi CreditAttribution: caiobianchi commentedAny updates on the 8.x fix?
I'm having the same issue. :\
Comment #21
grahlTry the attached please.
Comment #22
rawbubble CreditAttribution: rawbubble commentedgrahl,
thanks for this password patch. couldn't have been better timed for a project i'm working on.
only hiccup: any idea why the 8.x patch would fail?
Comment #23
grahl@caiobianchi: Patch working?
Comment #24
mh.marouan CreditAttribution: mh.marouan as a volunteer commentedI applied this patch for version 8.x-3.0-alpha1+45-dev and worked well
Comment #26
grahlThanks for the feedback, committed.