The login handling does not allow for logging in with email. The settings allow to get close, but user name is used in a few places.
Current Setup:
- Server Settings: AuthName attribute = mail
- Email Registration module to process mail to user name
Caveats:
- The email_registration module sets $form_state['values']['name'] to the existing account's user name to allow normal authentication.
- _ldap_authentication_user_login_authenticate_validate() uses $form_state['values']['name'] as the $authname for LDAP. This could be alleviated by checking for $form_state['values']['email'] and then using that as the authname; however, that still feels clunky.
- LDAP authorizations do not provision for existing Drupal users.
- Authorizations passes the user object to LdapServer::groupMembershipsFromUser(), which calls LdapServer::userUserToExistingLdapEntry(), which uses $user->name to find the existing LDAP entry for the user.
Possible Solutions ...
- An authentication setting for "Drupal account property that correlates to the login name". Then that could be used in areas where the user object is used to query LDAP.
Thoughts?
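The "Drupal account property that correlates to the login name" idea above amounts to one place that turns whatever the login form received into the authname stored in Drupal 7's {authmap} table. The following is an added example written for this page, not code from the ldap module, email_registration or any commenter; it assumes that the LDAP user module records its authmap rows under the module name in LDAP_AUTHMAP_MODULE (an assumption to check against your own {authmap} rows) and that the example_* functions are hypothetical names. It resolves a user name, e-mail address, uid or loaded account to the mapped authname, looking up the exact user name before falling back to e-mail so that an existing account whose name happens to contain "@" is not shadowed by a mail lookup.

```php
<?php
/**
 * Added example, not part of the ldap module: resolve a variant login
 * identifier (user name, e-mail, uid or account object) to the LDAP
 * authname stored in Drupal 7's {authmap} table.
 *
 * Assumption: the LDAP user module writes its authmap rows with this
 * module name. Check the {authmap} table on your install and adjust.
 */
define('LDAP_AUTHMAP_MODULE', 'ldap_user');

/**
 * Load the Drupal account behind a login identifier, or return FALSE.
 *
 * Drupal 7 core API used here: user_load(), user_load_by_name(),
 * user_load_by_mail(), valid_email_address().
 */
function example_ldap_load_account($login) {
  if (is_object($login) && isset($login->uid)) {
    return $login;
  }
  if (is_int($login) || ctype_digit((string) $login)) {
    return user_load((int) $login);
  }
  $login = trim((string) $login);
  if ($login === '') {
    return FALSE;
  }
  // Exact user name first: an account literally named "a@b.example"
  // must not be shadowed by an e-mail lookup for the same string.
  $account = user_load_by_name($login);
  if (!$account && valid_email_address($login)) {
    $account = user_load_by_mail($login);
  }
  return $account;
}

/**
 * Return the LDAP authname mapped to a login identifier, or FALSE when
 * no Drupal account or no authmap row exists for it.
 */
function example_ldap_get_authname($login) {
  $account = example_ldap_load_account($login);
  if (!$account || empty($account->uid)) {
    return FALSE;
  }
  $authname = db_query(
    'SELECT authname FROM {authmap} WHERE uid = :uid AND module = :module',
    array(':uid' => $account->uid, ':module' => LDAP_AUTHMAP_MODULE)
  )->fetchField();
  return $authname ? $authname : FALSE;
}

/**
 * Login form validate handler: derive the authname from what was actually
 * entered, rather than from $form_state['values']['name'] after another
 * module (email_registration) has rewritten it to the account's user name.
 */
function example_ldap_login_validate($form, &$form_state) {
  $entered = isset($form_state['values']['email'])
    ? $form_state['values']['email']
    : $form_state['values']['name'];
  $authname = example_ldap_get_authname($entered);
  if ($authname === FALSE) {
    // No mapped identity yet (first LDAP login): keep the literal entry so
    // the provisioning path can still look the person up in LDAP.
    $authname = $entered;
  }
  $form_state['ldap_authname'] = $authname;
}
```

The resolved authname is only the identifier to bind with; the account that ends up logged in should be chosen from the LDAP entry that the bind succeeded against (its puid, as comment #5 describes), never from the typed login string on its own.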
Comments
Comment #1
recrit commented: The attached patch adds:
function ldap_user_get_authname() - takes a variant input and returns the authmap authname. This provides a common way to determine the authname when you have the username, uid, or user object.
Comment #2
recrit commented: Adjusted patch to
* determine the "entered" login name by checking if $form_state['values']['email'] exists
* find existing users by mail in ldap_authentication_corresponding_drupal_user()
Comment #3
recrit commented: Updated patch to properly set the authmap when a Drupal user is created during LDAP authentication.
Comment #4
recrit commented: Re-rolled patch with whitespace so it applies correctly.
Comment #5
recrit commented: Updated patch to account for updating existing users found via puid, i.e. "VI.A: Drupal account doesn't exist with $authname used to logon, but puid exists in another Drupal account; this means username has changed and needs to be saved in Drupal account".
Comment #6
johnbarclay commented: This looks good. I committed it. Please continue to test.
Comment #6.0
johnbarclay commented: Fixed spelling of function name.
Comment #7
validoll commented: If I set the AuthName attribute to the mail value, then I get an error on login.
In ldap_authentication.inc:460 I change
$drupal_account = $auth_conf->ldapUser->provisionDrupalAccount(NULL, $user_edit, NULL, TRUE);
to
$drupal_account = $auth_conf->ldapUser->provisionDrupalAccount(NULL, $user_edit, $ldap_user, TRUE);
Is this right? How can I log in with the LDAP mail?
Comment #8
kenorb commented: I have some issue with LDAP, Email Registration and the above patch which was committed to dev (#5).
The scenario is:
- there is Drupal 6 site which authenticates with LDAP credentials only (both username and e-mail)
- there is new site on Drupal 7 which authenticates with LDAP credentials only (only via e-mail using Email Registration module).
The problem is:
- when I'm creating the new user, uid is set to the username, but when LDAP authenticates the user, it's looking for the e-mail address in uid
Call: _ldap_authentication_user_login_authenticate_validate ()/ldap_authentication_test_credentials()/userUserNameToExistingLdapEntry(uid=foo@example.com)
Code:
- also I can't fully store the e-mail address in the uid property, as there are other existing users which were created by the standard method (uid=username).
So I'm not sure what the proper solution for the problem is. Either remove the above condition, override the validation function or improve the logic.
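The mismatch described in this comment is a lookup run against uid while the form carries an e-mail address. The following is an added example for this page, not code from the ldap module or from kenorb's patch; the host, base DN, lookup account and attribute names in $example_ldap_config are placeholders, and the example_* functions are hypothetical. It picks the search attribute from the shape of what was entered rather than from which Drupal module happens to be enabled, escapes the login before it goes into the filter, requires exactly one match, and only then binds as the found DN to check the password.

```php
<?php
/**
 * Added example, not part of the thread or the ldap module: find the LDAP
 * entry that matches the entered login (uid for a plain name, mail for an
 * address) and verify the password by binding as that entry.
 *
 * Every value below is a placeholder (assumption); replace with real config.
 */
$example_ldap_config = array(
  'host'      => 'ldaps://ldap.example.test',
  'base_dn'   => 'ou=people,dc=example,dc=test',
  'bind_dn'   => 'cn=lookup,ou=service,dc=example,dc=test',
  'bind_pw'   => 'replace-me',
  'name_attr' => 'uid',
  'mail_attr' => 'mail',
);

/**
 * Build the search filter for a login, choosing the attribute by what was
 * typed. ldap_escape() (PHP >= 5.6) stops the login field from injecting
 * filter syntax such as "*" or ")(".
 */
function example_ldap_login_filter(array $config, $login) {
  $escaped = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
  $attr = (strpos($login, '@') !== FALSE) ? $config['mail_attr'] : $config['name_attr'];
  return '(' . $attr . '=' . $escaped . ')';
}

/**
 * Return the DN of the authenticated entry, or FALSE.
 * The caller maps that DN (or its puid attribute) to the Drupal account;
 * the typed login string itself is never used to pick the account.
 */
function example_ldap_authenticate(array $config, $login, $password) {
  // An empty password would make the later bind an anonymous bind that
  // "succeeds" on many directories, so reject it up front.
  if ($login === '' || $password === '') {
    return FALSE;
  }
  $conn = ldap_connect($config['host']);
  if (!$conn) {
    return FALSE;
  }
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

  // Search with the read-only lookup account; user input never enters a DN.
  if (!@ldap_bind($conn, $config['bind_dn'], $config['bind_pw'])) {
    ldap_unbind($conn);
    return FALSE;
  }
  $filter = example_ldap_login_filter($config, $login);
  // '1.1' asks for no attributes; the DN is returned regardless.
  $result = ldap_search($conn, $config['base_dn'], $filter, array('1.1'));
  $entries = $result ? ldap_get_entries($conn, $result) : FALSE;

  // Exactly one match, or nothing: an ambiguous login must not silently
  // log the person into whichever entry the server listed first.
  if (!$entries || $entries['count'] !== 1) {
    ldap_unbind($conn);
    return FALSE;
  }
  $dn = $entries[0]['dn'];

  // Re-bind as the matched entry; this is the real password check.
  $ok = @ldap_bind($conn, $dn, $password);
  ldap_unbind($conn);
  return $ok ? $dn : FALSE;
}
```

Used from a login validate handler, the returned DN is what gets looked up against existing Drupal accounts (by authmap or puid), so users created with uid=username and users registering by e-mail go through the same check and neither breaks the other.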
Comment #9
kenorb commented: Proposed change:
Or we need to handle the authentication of LDAP users in different way rather than just e-mail address against the uid property.
Comment #10
kenorb commented: I did some more tests and I think the patch is necessary, otherwise the authentication is inconsistent. We should authenticate the username against the LDAP uid property and not change the logic (e-mail instead of username) depending on whether some module is enabled or not, otherwise it'll always break the functionality for existing users.
I've successfully tested the attached patch as well with another patch at #2037887: Edit user password should use LDAP to authenticate (#10).
The test I did:
- I created a new user (registered with e-mail via the Email Registration module),
- I was able to log in with the right credentials.
- I tested the password change and I was able to log in with the new credentials.
Comment #11
kenorb commented: Here is a validation function which can be used to validate a user via e-mail against LDAP, if the user doesn't exist in Drupal yet:
Example usage as part of custom login form:
Comment #12
agerson commented: I agree we should authenticate the username against LDAP and not change the logic (e-mail instead of username) depending on whether some module is enabled or not.
kenorb, is your patch in #10 based on some previous patches? It just appears to remove some lines of a previous patch. Does it patch the original ldap_authentication.inc?
Comment #13
agerson commented: OK, I have figured out where the two modules are bumping into each other. The LDAP module uses the presence of $form_state['values']['email'], which it sets, to know if people are using email_registration.
The email_registration.module on line 208 says:
When I comment this line out I am able to log into both local and LDAP accounts with username and email address. And it doesn't appear to be used elsewhere in email_registration. But I don't think this is the right way to handle it.
It does appear that the presence of ldap_authentication.inc line 162 breaks integration with email_registration when it implies it's supposed to support it:
Comment #14
grahl
Comment #15
grahl
Comment #17
grahl commented: I'm marking this as wontfix since we don't have a viable patch here.
If someone is interested in getting email_registration and LDAP working nicely together, please feel free to reopen.