Hi,
Got an issue (with an Active Directory integration) where the system is unable to authenticate some users. Details as follows.
Most users are creating/authenticating correctly. However, some users, for example a user called "1208", fail. Incidentally, AD is using a number in samaccountname as the username and the postofficebox (UID field) usually holds the same value.
Anyway, the debug logs look fine up to this point:
1208 : Success at connecting to mgsldap
However, after that, the system makes a LDAP search for a *different* account:
ldap_search() call: base_dn: DC=mgs,DC=local, filter = (samaccountname=43911), attributes: name,memberof,dn,samaccountname,userprincipalname,,postofficebox, attrsonly = 0, sizelimit = 0, timelimit = 0, deref = , scope = 3
Consequently, it fails.
1208 : Testing user credentials on server mgsldap where bind_method = 1. Error: Invalid credentials
I've checked several times, my login requests are asking for the wrong user :-(
The other user "43911" is a previously created account that, as far as I can see, has nothing in common with "1208". Nonetheless, if I delete "43911", "1208" will be able to login.
Some of my settings are as follows:
LDAP Server Type: Active Directory
LDAP server: mgs.local
LDAP port: 389
Use Start-TLS: No
Follow LDAP Referrals: No
Binding Method: Service Account Bind
Base DNs: DC=mgs,DC=local
AuthName attribute: samaccountname
AccountName attribute: (blank so, effectively samaccountname)
Email attribute: userprincipalname
Email template: (blank)
Thumbnail attribute: Blank
Persistent and Unique User ID Attribute: postofficebox
Nested groups are used in my LDAP: Yes
A user LDAP attribute such as memberOf exists: Yes
Attribute in User Entry Containing Groups: memberof
Any suggestions, or requirements for further info?
Thanks.
Cheers
Brett
Comments
Comment #2
BrettSh commented:
OK, I have figured out that if an LDAP username is an integer and there is a Drupal UID with the same integer then code in ldap_user.module assumes the username is actually a Drupal UID.
The function in question is this:
function ldap_user_get_authname_from_drupal($data) {
The code inside that function is this:
I am run off my feet right now, but I will attempt a patch when I have time.
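The collision described in this comment, as an added example that is not the ldap_user module's code: a minimal model in which a login name that happens to be all digits is mistaken for a Drupal uid, beside a resolver that makes the caller state what the value is. The user table, the uid 1208 and the authname "43911" are constructed to match the report above.

```python
from typing import Optional

# Constructed Drupal user table: uid -> authname (the LDAP samaccountname).
# uid 1208 belongs to the older account whose LDAP login name is "43911",
# which is exactly the situation in the report.
DRUPAL_USERS = {
    7: "alice",
    1208: "43911",
}


def authname_by_uid(uid: int) -> Optional[str]:
    """Look a Drupal account up by its numeric uid."""
    return DRUPAL_USERS.get(uid)


def authname_from_drupal_broken(data) -> str:
    """Models the reported behaviour: any value that looks like a number is
    assumed to be a Drupal uid, even when it is really the LDAP login name."""
    if str(data).isdigit():
        found = authname_by_uid(int(data))
        if found is not None:
            return found  # wrong account when `data` was a login name
    return str(data)


def authname_from_drupal_fixed(data, *, is_uid: bool) -> Optional[str]:
    """The caller states what `data` is; its shape is never used to guess.
    Login names pass through unchanged, uids are looked up explicitly."""
    if is_uid:
        return authname_by_uid(int(data))
    return str(data)


def samaccountname_filter(authname: str) -> str:
    """Build the LDAP filter seen in the debug log, escaping RFC 4515 specials
    so a login name can never alter the filter's structure."""
    escaped = authname
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                    (")", "\\29"), ("\x00", "\\00")):
        escaped = escaped.replace(ch, rep)
    return f"(samaccountname={escaped})"
```

With the broken resolver, login "1208" produces the filter `(samaccountname=43911)` from the log; deleting uid 1208's account makes the lookup miss, which is why removing "43911" lets "1208" log in.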
Comment #3
grahl
Comment #4
grahl commented:
I believe this is no longer relevant since ldap_user_get_authname() no longer contains this check but rather derives uid consistently from attributes.