Hi,

Got an issue (with an Active Directory integration) where the system is unable to authenticate some users. Details as follows.

Most users are creating/authenticating correctly. However some users, for example a user called "1208" fail. Incidentally AD is using a number in samaccountname as the username and the postofficebox (UID field) usually holds the same value.

Anyway, the debug logs look fine up to this point:

1208 : Success at connecting to mgsldap

However, after that, the system makes a LDAP search for a *different* account:

ldap_search() call: base_dn: DC=mgs,DC=local, filter = (samaccountname=43911), attributes: name,memberof,dn,samaccountname,userprincipalname,,postofficebox, attrsonly = 0, sizelimit = 0, timelimit = 0, deref = , scope = 3

Consequently, it fails.

1208 : Testing user credentials on server mgsldap where bind_method = 1. Error: Invalid credentials

I've checked several times, my login requests are asking for the wrong user :-(

The other user "43911" is a previously created account that, as far as I can see, has nothing in common with "1208". Nonetheless, if I delete "43911", "1208" will be able to log in.

Some of my settings are as follows:
LDAP Server Type: Active Directory
LDAP server: mgs.local
LDAP port: 389
Use Start-TLS: No
Follow LDAP Referrals: No
Binding Method: Service Account Bind
Base DNs: DC=mgs,DC=local
AuthName attribute: samaccountname
AccountName attribute: (blank so, effectively samaccountname)
Email attribute: userprincipalname
Email template: (blank)
Thumbnail attribute: Blank
Persistent and Unique User ID Attribute: postofficebox
Nested groups are used in my LDAP: Yes
A user LDAP attribute such as memberOf exists: Yes
Attribute in User Entry Containing Groups: memberof

Any suggestions, or requirements for further info?

Thanks.

Cheers

Brett

Comments


BrettSh

OK, I have figured out that if an LDAP username is an integer and there is a Drupal UID with the same integer, then code in ldap_user.module assumes the username is actually a Drupal UID.

The function in question is this:
function ldap_user_get_authname_from_drupal($data) {

The code inside that function is this:

elseif (is_numeric($data) && intval($data) == $data) {
  // Integer - set uid number is an integer > 0
  if ($data > 0) {
    $uid = $data;
  }
}

I am run off my feet right now, but I will attempt a patch when I have time.
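
To illustrate the ambiguity BrettSh describes, here is an added example (not code from ldap_user.module) with a constructed two-row user table: the guessing lookup resolves the login name '1208' to whichever account holds Drupal uid 1208, while the typed lookup compares it against the name column only. It assumes a user object with a uid property as the third kind of input the original function accepts.

```php
<?php
// Added example, not code from ldap_user.module: a constructed in-memory user table that
// reproduces the ambiguity described above, beside a lookup that never guesses from the
// shape of its input. Assumption: Drupal uid 1208 happens to belong to the LDAP user "43911".
$users = [
  ['uid' => 1208, 'name' => '43911'],
  ['uid' => 1300, 'name' => '1208'],
];

function name_for_uid(array $users, int $uid) {
  foreach ($users as $u) {
    if ($u['uid'] === $uid) {
      return $u['name'];
    }
  }
  return NULL;
}

// Flawed heuristic in the spirit of the quoted snippet: one parameter may carry a user
// object, a uid or a username, so any all-digit string is taken to be a uid.
function authname_guessing(array $users, $data) {
  if (is_object($data) && isset($data->uid)) {
    return name_for_uid($users, (int) $data->uid);
  }
  elseif (is_numeric($data) && intval($data) == $data) {
    // "1208" passes this test, so the login name is looked up as uid 1208.
    return $data > 0 ? name_for_uid($users, (int) $data) : NULL;
  }
  foreach ($users as $u) {
    if ($u['name'] === (string) $data) {
      return $u['name'];
    }
  }
  return NULL;
}

// Hardened form: the caller states what it holds; a username made of digits is only ever
// compared as a string against the name column, and uids go through name_for_uid().
function authname_by_username(array $users, string $username) {
  foreach ($users as $u) {
    if ($u['name'] === $username) {
      return $u['name'];
    }
  }
  return NULL;
}

// A login for the LDAP user "1208" arrives as the string '1208'.
printf("guessing:    %s\n", authname_guessing($users, '1208'));
printf("by username: %s\n", authname_by_username($users, '1208'));
```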

grahl

Title: Some Users Not Authenticating » LDAP user name assumed to be Drupal UID
Category: Support request » Bug report
Priority: Normal » Minor

grahl

Status: Active » Closed (outdated)

I believe this is no longer relevant since ldap_user_get_authname() no longer contains this check but rather derives uid consistently from attributes.