I have an installation that I'd like to add LDAP authentication to. In this environment (a corporate intranet), users have only a single legitimate email address. The site already has several users, and many of them have usernames that are different from their LDAP usernames. In my test environment, I've added LDAP authentication -- doing so allows users to log in using either their LDAP username -- which creates a new Drupal account -- or, if they have one, their previously created Drupal username. This means that two accounts can be created that use the same email address (I've tested, and this does happen).
The fact that this happens seems like a bug (my impression is that Drupal has a 'one account per email' policy...?). But I'd also like to make a feature request to resolve it:
Before it logs in a user, can the LDAP Integration module check whether an LDAP record uses an email that is already in use on the Drupal site and, if so, simply log the user in as his/her Drupal ID? (provided the user has supplied the appropriate LDAP password...)
Thanks
Comments
Comment #1
johnbarclay CreditAttribution: johnbarclay commented
I've run across a number of issues where the derived email of a user may deliberately conflict with an existing user. In all of these use cases the user is intended to be one account. Many times it's a Drupal account being converted to an LDAP-authenticated account.
If we added the following options to the server interface, many of these use cases could be dealt with more readily:
Username Attribute:
[sAMAccountName]
The attribute that holds the users' login name (e.g. cn for eDir or sAMAccountName for Active Directory).
Email attribute:
[mail]
The attribute that holds the users' email address (e.g. mail).
[x] Email attribute uniquely identifies a user. No two accounts will have the same email in LDAP.
LDAP ID:
[GUID]
Must uniquely identify a user and not change. If no such attribute exists, leave empty. This will be used in instances where an LDAP user's email or username changes, but they need to retain their existing account.
This would allow many of these use cases to be dealt with correctly. The ID attribute would also help in the case where a user's username or email changed, but was still the same person.
Comment #2
johnbarclay CreditAttribution: johnbarclay commented
Here are some related issues that could all be solved at the same time:
email, realname, username, unique_id mapping/relations:
#638798: Associate LDAP & Drupal user accounts via email
#685122: Generating email address from username
#355138: Ability to convert Drupal Account to LDAP Account
#1209556: Need to check for existing emails in ldapauth.module
deriving email from attribute + string constant
#233210: ldapdata & non-standard mail attribute
#118711: Email setting and the use of LDAP authentication
Comment #3
johnbarclay CreditAttribution: johnbarclay commented
Comment #4
johnbarclay CreditAttribution: johnbarclay commented
Comment #5
eiriksm commented
I had the same problem as the OP. My solution is posted here:
#1209556: Need to check for existing emails in ldapauth.module
Comment #6
cgmonroe CreditAttribution: cgmonroe commented
I'm marking this fixed because the just-committed dev version now has support for Persistent Unique IDs, which will prevent duplicate LDAP IDs from mapping to a single Drupal user.
In addition, the new hook_ldap_drupal_user_name_alter() will allow you to have a custom module modify the Drupal user name that an authenticated LDAP user maps to.
With these you should be able to set up two LDAP server entries that point to the same server. On one you use the "uid" or similar attribute for the user name, and on the other you use the email attribute for the user name.
With a bit of custom code, you can then cause users who authenticate with their e-mail to be mapped to the "real" user name.
See Comment #10 of #1475272: 6.x-1.0 Release Candidate 1 Status
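The account-matching order proposed in comment #1 (persistent unique ID first, then email where the directory guarantees it unique, then login name) and the duplicate-email problem from the original post, as an added stand-alone model. This is not code from the LDAP Integration module or from Drupal; the LocalUser type, the function names and the sample accounts are constructed for illustration.

```python
# Added example: models the login-mapping order discussed in this thread.
# Not Drupal or LDAP-module code; all names and sample data are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    uid: int
    name: str
    mail: str
    ldap_puid: Optional[str] = None  # persistent unique id (e.g. GUID) once linked


class AmbiguousAccount(Exception):
    """Several local accounts match: refuse the login instead of guessing."""


def _single(matches, what):
    if len(matches) > 1:
        raise AmbiguousAccount(f"{what} matches {len(matches)} local accounts")
    return matches[0] if matches else None


def resolve_account(entry, users, email_is_unique=True):
    """Return the LocalUser an authenticated LDAP entry should log in as,
    or None if no local account exists yet.  Comparison is case-insensitive,
    as e-mail addresses and AD sAMAccountName are."""
    if entry.get("puid"):
        user = _single([u for u in users if u.ldap_puid == entry["puid"]], "PUID")
        if user:
            return user  # identity survives a renamed login or a changed e-mail
    if email_is_unique and entry.get("mail"):
        mail = entry["mail"].strip().lower()
        user = _single([u for u in users if u.mail.lower() == mail], "e-mail")
        if user:
            return user  # pre-existing Drupal account with a different login name
    name = entry["name"].strip().lower()
    return _single([u for u in users if u.name.lower() == name], "login name")


def may_create(entry, users):
    """Creation guard: never add a second account for an e-mail already in use."""
    mail = entry.get("mail", "").strip().lower()
    return bool(mail) and not any(u.mail.lower() == mail for u in users)


USERS = [  # constructed sample site: one pre-LDAP account with a different login name
    LocalUser(1, "johnny", "john.smith@example.com"),
    LocalUser(2, "alice", "alice@example.com", ldap_puid="guid-0002"),
]
```

With `email_is_unique=False` the e-mail step is skipped, but `may_create` still stops a second account from being created for an address the site already holds.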