I have LDAP configured and working with Active Directory (initial sync, logins). I set up an LDAP query to populate users and roles, and it works.

Now I have removed a user, but that user is not removed from Drupal.

I took a look at "OrphanProcessor.php", and it appears to want to find the user accounts on the LDAP server before removing or disabling the accounts. (Line 155) Of course that won't work if the user is gone, right?

I am getting the error message from line 179 in my logs, which is how I located this spot in the code:

'LDAP server %id had error while querying to deal with orphaned LDAP user entries. Please check that the LDAP server is configured correctly'

Again, if that user is no longer on the LDAP server, the server will not be able to locate the user, so that 'error' is expected?

I don't think I am doing something wrong... but I am new to Drupal 8 + LDAP, so any help would be greatly appreciated.

Comments

netprince created an issue. See original summary.

netprince

I just started fresh, used dev versions of authorization and ldap, and applied the 4 patches in the release notes...

All users, roles, and role membership are created and assigned on first sync.

Result is the same: removing a user from LDAP does not remove the user from Drupal.

Also, removing the user from a group in LDAP does not remove that user from the role in Drupal.

grahl

Assigned: Unassigned » grahl
Issue tags: -orphaned users

Thanks for that follow-up and the detailed information, that looks like a valid bug.

Unfortunately I'm quite busy at the moment so a fix might take a while. If someone needs this resolved quickly, feel free to post a patch.

grahl

Assigned: grahl » Unassigned
Status: Active » Closed (works as designed)

Hi

So I took a look at this and I believe your configuration is to blame.

If the server your users were referenced on is configured correctly, no error should be thrown but rather an empty list should be received if the user is no longer available.

If you changed your server name (sid) or the puid attribute has changed you could update your users manually to bring this in sync.

If you still have issues, please retest with latest DEV since the refactoring which just took place might have accidentally fixed your issue but the thrown error suggests a misconfiguration.

netprince

Thanks! You are correct, the error was from a reconfiguration; I solved that before I started fresh and retested everything.

I am glad to see the code refactor... will test again now...

mozh92

Hello all,
Very strange. I reconfigured the servers and checked all options, but I still have the problem with blocking removed users.

I created a user in AD, synced him, then removed him from AD and synced again. The user still has active status.

My parameters for the server:
name: local
machine name: local
LDAP Server type: Active Directory
Server address: 127.0.0.1
Server port: 390
Binding Method for Searches: Service Account Bind: Use credentials in the Service Account field below to bind to LDAP
DN for non-anonymous search: CN=IntranetADServiceAccount,CN=Managed Service Accounts,DC=mysd,DC=us
Password for non-anonymous search: ****
Base DNs for LDAP users, groups, and other entries: CN=Users,DC=mysd,DC=us
AuthName attribute: samaccountname
AccountName attribute: samaccountname
Email attribute: mail
Persistent and Unique User ID Attribute: dn
DERIVE FROM DN: memberof
Use LDAP Pagination: Yes

UPDATE: I found my problem. Empty value for:

$serverId = $user->get('ldap_user_puid_sid')->value;
$persistentUid = $user->get('ldap_user_puid')->value;
$persistentUidProperty = $user->get('ldap_user_puid_property')->value;
if ($serverId && $persistentUid && $persistentUidProperty) {
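The two findings in this thread, grahl's point that a correctly configured server answers a query for a deleted user with an empty result rather than an error, and mozh92's finding that users with an empty `ldap_user_puid_sid`, `ldap_user_puid` or `ldap_user_puid_property` are never considered, can be shown together in a small model of the orphan decision. This is an added example, not code from the Drupal LDAP module: the `DrupalUser` class, the `DIRECTORY` contents, `lookup_by_puid` and `process_orphans` are all constructed here and simplify the real OrphanProcessor (which queries per server, not per user). The users alice, bob, carol and dave and the server id "old_sid" are invented sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class DrupalUser:
    """Minimal stand-in for a Drupal user entity (constructed for this example)."""
    name: str
    status: int = 1  # 1 = active, 0 = blocked
    fields: Dict[str, Optional[str]] = field(default_factory=dict)

    def get(self, field_name: str) -> Optional[str]:
        # Mirrors $user->get('ldap_user_puid')->value: None when the field is empty.
        return self.fields.get(field_name)


class LdapQueryError(Exception):
    """Raised when the server itself cannot be queried (a misconfiguration)."""


# Constructed directory contents. One server id ("local", as in the post above)
# exists; entries carry the attributes a puid lookup may match on.
DIRECTORY: Dict[str, List[Dict[str, str]]] = {
    "local": [
        {"dn": "CN=alice,CN=Users,DC=mysd,DC=us", "samaccountname": "alice"},
        # bob was deleted from AD, so the directory holds no entry for him.
    ],
}


def lookup_by_puid(server_id: str, puid_property: str, puid: str) -> List[Dict[str, str]]:
    """Constructed query. Returns an empty list when the entry is gone and
    raises when the server id is unknown, e.g. a renamed sid still stored on
    the Drupal user."""
    if server_id not in DIRECTORY:
        raise LdapQueryError(f"no server configured with id {server_id!r}")
    return [e for e in DIRECTORY[server_id] if e.get(puid_property) == puid]


def process_orphans(
    users: List[DrupalUser],
    lookup: Callable[[str, str, str], List[Dict[str, str]]] = lookup_by_puid,
    log: Optional[Callable[[str], None]] = None,
) -> Dict[str, str]:
    """Classify each user and block the orphaned ones. Returns {name: outcome}."""
    outcomes: Dict[str, str] = {}
    for user in users:
        server_id = user.get("ldap_user_puid_sid")
        puid = user.get("ldap_user_puid")
        puid_property = user.get("ldap_user_puid_property")
        # The gate quoted above: a user missing any of the three is never examined,
        # which is why an account with empty puid fields stays active forever.
        if not (server_id and puid and puid_property):
            outcomes[user.name] = "skipped"
            continue
        try:
            matches = lookup(server_id, puid_property, puid)
        except LdapQueryError as exc:
            # A query *error* is not "user gone": the account is left untouched
            # and the problem is logged, as with the message quoted in the report.
            if log:
                log(f"LDAP server {server_id} had error while querying to deal "
                    f"with orphaned LDAP user entries: {exc}")
            outcomes[user.name] = "server_error"
            continue
        if matches:
            outcomes[user.name] = "present"
        else:
            user.status = 0  # empty result from a healthy server: orphaned, block
            outcomes[user.name] = "orphaned"
    return outcomes


def sample_users() -> List[DrupalUser]:
    """Constructed sample: one of each case discussed in the thread."""
    full = lambda dn: {"ldap_user_puid_sid": "local", "ldap_user_puid": dn,
                       "ldap_user_puid_property": "dn"}
    return [
        DrupalUser("alice", fields=full("CN=alice,CN=Users,DC=mysd,DC=us")),
        DrupalUser("bob", fields=full("CN=bob,CN=Users,DC=mysd,DC=us")),
        DrupalUser("carol", fields={"ldap_user_puid_sid": None,
                                    "ldap_user_puid": None,
                                    "ldap_user_puid_property": None}),
        DrupalUser("dave", fields={"ldap_user_puid_sid": "old_sid",
                                   "ldap_user_puid": "CN=dave,CN=Users,DC=mysd,DC=us",
                                   "ldap_user_puid_property": "dn"}),
    ]


if __name__ == "__main__":
    users = sample_users()
    for name, outcome in process_orphans(users, log=print).items():
        print(f"{name}: {outcome}")
```

Running it shows alice as present, bob as orphaned and blocked, carol (empty puid fields) skipped and left active, and dave (stale sid) untouched with the server error logged. Checking the three puid fields on the affected Drupal users is therefore the first thing to verify when removed LDAP accounts stay active.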
grahl

@mozh92: Please don't comment on closed issues. If you are certain this is a bug and requires a fix you can reopen the ticket with the necessary information or open a new ticket if it differs and reference the related one.

I assume there is nothing further, so this is still "works as designed" for now.