I've set up the module and configured it, but when I create new users they aren't created on the LDAP server. I can see the new users in the USERS table and in the LDAPPROV table, but not on the LDAP server.


Comments

miglius wrote:

Version: » 5.x-1.x-dev

The user in drupal should be created only if the user has been successfully created in ldap.

I would recommend debugging the problem by printing the ldif entry that will be sent to the ldap server for account creation (to the screen or to a file), feeding this ldif file directly to the ldap server, and looking at the ldap logs (you might have to enable debugging in the ldap server) to find out why the account has not been created in ldap.

To print out the ldif, uncomment a couple of lines at line 2270.

d00p wrote:

I've uncommented those lines to see the ldif, but I don't see it at all. I've also enabled openldap logging and I don't see any traces when creating a new user. I can see traces in the openldap log when deleting a user but not when creating one; it seems as if the user creation functions in the module were disabled.

Also, there's a strange behavior when deleting LDAP users. If I create a new user called test from Drupal User Management, that new user appears on the User Management page (it's in the Drupal DB) but it isn't created on the LDAP server. As I said before, I don't even see the ldif nor any movement in the openldap log. Then I create that user manually on the LDAP server and, when I try to delete that user from the User Management page, the user is deleted from the Drupal DB and I get an error stating that it was impossible to delete the user from the LDAP server.

On the other hand, if I create a new user manually on the LDAP server, I can use it to log in without problems and, if I delete the user, it's deleted from the Drupal DB and the LDAP server.

I've attached two screenshots with my LDAP Provisioning configuration. What I would like to achieve is to create new users on LDAP whose UID, CN and SN are the user's username.

miglius wrote:

Hey,

First, if you have enabled the ldapprov module, don't create users using the Drupal user creation interface any more (this interface creates drupal users, but not in ldap). You should enable registration so users can register to the site themselves, or as admin (or another user with the "create users" access right) you should go to Administer->User Management->Account management->new and use this form to create a new user.

In the module configuration you disabled custom username. In this configuration the system is trying to build a username in the form first.last, but you use neither first and last names in the profile nor custom-defined fields in the ldapprov.conf.inc file for the first and last names. So the system doesn't know how to construct a username.

Try allowing custom username and then use Administer->User Management->Account management->new form.

d00p wrote:

I've enabled the custom username and now I can create new users from Administer->User Management->Account management->new. To make it work, I've had to edit the LDAP attributes and comment out the mail attribute. If the mail attribute is enabled I get the following error in ldap.log, and I'm sure there's no other account using the same mail address.

Nov 7 01:09:47 wrdev slapd[4111]: daemon: select: listen=6 active_threads=0 tvp=NULL
Nov 7 01:09:47 wrdev slapd[4111]: daemon: select: listen=7 active_threads=0 tvp=NULL
Nov 7 01:09:47 wrdev slapd[4111]: do_add
Nov 7 01:09:47 wrdev slapd[4111]: >>> dnPrettyNormal:
Nov 7 01:09:47 wrdev slapd[4111]: <<< dnPrettyNormal: ,
Nov 7 01:09:47 wrdev slapd[4111]: do_add: dn (uid=test,ou=users,dc=wikirutas,dc=info)
Nov 7 01:09:47 wrdev slapd[4111]: conn=35 op=2 ADD dn="uid=test,ou=users,dc=wikirutas,dc=info"
Nov 7 01:09:47 wrdev slapd[4111]: send_ldap_result: conn=35 op=2 p=3
Nov 7 01:09:47 wrdev slapd[4111]: send_ldap_result: err=20 matched="" text="mail: value #0 provided more than once"
Nov 7 01:09:47 wrdev slapd[4111]: send_ldap_response: msgid=3 tag=105 err=20
Nov 7 01:09:47 wrdev slapd[4111]: conn=35 op=2 RESULT tag=105 err=20 text=mail: value #0 provided more than once
Nov 7 01:09:47 wrdev slapd[4111]: daemon: activity on 1 descriptor
Nov 7 01:09:47 wrdev slapd[4111]: daemon: activity on:

On the other hand, when users create new accounts themselves, the new account is still not created on LDAP.

miglius wrote:

Hey,

I have added a configuration option called debugging which, once enabled, will print the ldif entry on the screen upon ldap account creation. It should help to troubleshoot this issue.

You could pull the latest code from the cvs or wait until the nightly snapshot has created the dev release.

c4mden wrote:

I'm having similar problems.

I know that it's communicating with our ldap server fine. I can create a user in ldap, and log in to drupal with that l/p. I can even delete that user from ldap from drupal.

But whenever I try to create a user, I get no errors at all, but no user is created in ldap. I tried turning on custom usernames; should I see an extra field on the add user page, or will it just use the username that's already there? I tried commenting out the mail field in the ldif as well, since our schema doesn't contain that.

Could you give me some more information on where to find the dev release, and how to turn on debugging? I tried uncommenting the lines to print the ldif, but no luck there either.

Final question, how can we make this create samba/ldap users? That might be another thread...

miglius wrote:

First, don't use drupal user creation pages, use Administer->User Management->Account management->new instead.

The dev release is automatically built a couple of times a day directly from the cvs. If you don't want to wait for that, you could use cvs commands to pull the latest code from the cvs (http://drupal.org/handbook/cvs) or you can use the cvs ui http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/ldap_provis... to pull the latest code.

Under the LDAP provisioning settings there is now an "Enable debugging" checkbox. If checked, it will print out the ldif entry on the screen on user creation in ldap. This should help to troubleshoot the problems.

c4mden wrote:

Ah, I had been using users->new, not account management->new. That would explain why I wasn't seeing errors!

After seeing the debugging, it was having problems connecting. I use TLS, and I had configured the drupal server to work with it by editing the ldap.conf file. I even confirmed that I could do the following from the drupal server:

ldapsearch -xZZ cn=* -D cn="{admin dn}" -w {admin pass} -H ldap://ldap-server:389

What I ended up needing to do was placing "ldap://" in front of the ldap server domain name in the ldap integration module. Works perfectly now!

Thanks again, this module makes my day!
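c4mden's fix was to give the server as a full ldap:// URI rather than a bare hostname, and the working ldapsearch used -ZZ (StartTLS) against ldap://...:389. The helper below is an added example, not code from the ldap_integration or ldap_provisioning modules: it normalises whatever an administrator typed into the server field into a complete scheme://host:port URI and refuses the one combination that cannot work, StartTLS on top of ldaps://. The function name normalize_ldap_uri and the default ports are the example's own assumptions.

```python
"""Added example (not the module's own code): turn the configured server
string into a full LDAP URI and reject combinations that cannot work with
StartTLS (ldapsearch -ZZ), which upgrades a plain ldap:// session and so
cannot be combined with an ldaps:// (TLS-from-the-start) URI."""
from urllib.parse import urlsplit

# Assumed defaults: plain LDAP and StartTLS use 389, LDAP-over-TLS uses 636.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalize_ldap_uri(server, start_tls=True):
    """Return 'scheme://host:port' for a bare host or an existing URI.

    A bare 'ldap-server' becomes 'ldap://ldap-server:389'; an explicit port
    in the input is kept; anything other than ldap:// or ldaps:// is refused.
    """
    if "://" not in server:
        # A bare host has no scheme; urlsplit would treat it as a path.
        server = "ldap://" + server
    parts = urlsplit(server)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme %r in %r" % (parts.scheme, server))
    if not parts.hostname:
        raise ValueError("no host in %r" % server)
    if start_tls and scheme == "ldaps":
        raise ValueError(
            "StartTLS upgrades a plain ldap:// session; use ldap:// or disable StartTLS"
        )
    # parts.port raises ValueError itself if the port is not numeric.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return "%s://%s:%d" % (scheme, parts.hostname, port)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: bare host vs. full URI.
    for configured in ("ldap-server", "ldap://ldap-server:389"):
        print(configured, "->", normalize_ldap_uri(configured))
```

Use it on the value from the module's server field before opening the connection; the same string then works for both the module and a command-line ldapsearch -H check, which removes one source of "it works from the shell but not from Drupal" confusion.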

d00p wrote:

Hi.
I've been doing some more testing after enabling debug and I've noticed one bug. To create a user I've had to comment out the mail attribute in "Basic LDAP attributes". But even with this attribute commented out the user is still created with the mail attribute on LDAP. The LDIF displayed doesn't have the mail attribute but it's inserted on the LDAP.

If I enable the mail attribute on the configuration the user creation fails. The LDIF displayed has the mail attribute but the user creation fails on the LDAP server and the following message is seen on the openldap server log.

Nov 12 01:57:33 wrdev slapd[2082]: do_add
Nov 12 01:57:33 wrdev slapd[2082]: >>> dnPrettyNormal:
Nov 12 01:57:33 wrdev slapd[2082]: <<< dnPrettyNormal: ,
Nov 12 01:57:33 wrdev slapd[2082]: do_add: dn (uid=sgasdaf,ou=users,dc=wikirutas,dc=info)
Nov 12 01:57:33 wrdev slapd[2082]: conn=31 op=2 ADD dn="uid=sgasdaf,ou=users,dc=wikirutas,dc=info"
Nov 12 01:57:33 wrdev slapd[2082]: send_ldap_result: conn=31 op=2 p=3
Nov 12 01:57:33 wrdev slapd[2082]: send_ldap_result: err=20 matched="" text="mail: value #0 provided more than once"
Nov 12 01:57:33 wrdev slapd[2082]: send_ldap_response: msgid=3 tag=105 err=20
Nov 12 01:57:33 wrdev slapd[2082]: conn=31 op=2 RESULT tag=105 err=20 text=mail: value #0 provided more than once
Nov 12 01:57:33 wrdev slapd[2082]: daemon: activity on 1 descriptor
Nov 12 01:57:33 wrdev slapd[2082]: daemon: activity on:

It seems as if the mail attribute is always inserted, even when disabled. If the mail attribute is enabled the attribute is inserted twice and the creation fails.

Another question, is it possible to enable new users to register themselves on the LDAP server using the standard user creation form on http://server/?q=user/register ? With the current configuration only admin users can create new accounts on the LDAP from the config pages, but I would like that the users could register themselves on the LDAP server.

Thanks!!

miglius wrote:

I have changed the code so that now the debugging ldif entry is printed out just before sending it to the LDAP server, so it should contain the same data the LDAP server receives. Can you pull the latest code now and print out the ldif to see if the mail is printed twice?

When the ldap provisioning module is enabled, it overwrites ?q=user/register with its own workflow. The users who register to the site are created in ldap.

d00p wrote:

This is the output.
When configuring LDAP attributes without mail:

objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: %uid
sn: %uid
cn: %uid
#mail: %mail
userPassword: %pass

I get this LDIF output and the user is created:

dn: uid=test1,ou=users,dc=wikirutas,dc=info
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: test1
sn: test1
cn: test1
userPassword: {md5}IN1or8oZZsRzruHYEAQphA==
mail: test1@testxxxxxxxxxxxxxxxxx.com

When configuring LDAP attributes with mail:

objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: %uid
sn: %uid
cn: %uid
mail: %mail
userPassword: %pass

I get this LDIF output and the user creation fails:

dn: uid=test2,ou=users,dc=wikirutas,dc=info
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: test2
sn: test2
cn: test2
mail: test2@testxxxxxxxxxxxxxxxxx.com
mail: test2@testxxxxxxxxxxxxxxxxx.com

userPassword: {md5}4uufAgdALW+c4YJSoRAEPw==

On the other hand, when I create a user from ?q=user/register, that user is only created in the database. And while I'm creating it I don't see anything in the LDAP log. It seems that it's not writing anything to LDAP. How could we debug this?

miglius wrote:

I just looked again at your configuration snapshots and noticed that under LDAP Attributes you have set "Email:" as a required field in the registration form. LDAP provisioning picks up all LDAP attributes defined in the LDAP Data module and marked as "Editable by User" and displays them under the LDAP provisioning configuration above "Basic LDAP attributes:" for the admin to decide if he wants them to appear on the registration form.

Email is a special case since the LDAP provisioning module prints email field in the registration form anyway, because it needs a valid email to send the verification or account creation information. In your configuration the other email field in the registration form comes from the LDAP data module and you then have two email fields in the registration form.

To solve this set "Email:" under LDAP attributes to "not shown".
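The two posts above show the whole failure: the template's `mail: %mail` line plus the second Email field from the LDAP Data module produce the same value twice, and slapd rejects the ADD with err=20 ("mail: value #0 provided more than once"). The code below is an added example written for this thread, not code from the ldap_provisioning module: it expands a template in the thread's `%placeholder` notation (dropping `#`-commented lines, which is what d00p expected and did not get), merges in attributes from a second form source, and fails locally with the same diagnosis before anything is sent to the directory. The function names, the sample values and the `{md5}PLACEHOLDER==` hash are constructed for the example; the templates are copied from d00p's post.

```python
"""Added example (not the ldap_provisioning module's code): expand an
attribute template in the thread's '%placeholder' notation into an LDIF
entry, merge in attributes coming from a second source (the extra 'Email'
registration field in the thread), and refuse to produce an entry that
slapd would reject with err=20 (typeOrValueExists, logged as
'mail: value #0 provided more than once')."""
import re

# Templates copied from the thread; a leading '#' comments a line out, so
# that attribute must never reach the directory.
TEMPLATE_NO_MAIL = """\
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: %uid
sn: %uid
cn: %uid
#mail: %mail
userPassword: %pass
"""
TEMPLATE_WITH_MAIL = TEMPLATE_NO_MAIL.replace("#mail:", "mail:")

PLACEHOLDER = re.compile(r"%(\w+)")


def expand_template(template, values):
    """Return an ordered list of (attribute, value) pairs.

    '#' lines are dropped and every %name is substituted from `values`;
    an unknown placeholder raises instead of leaking a literal '%name'
    into the directory."""
    pairs = []
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, val = line.partition(":")
        if not sep:
            raise ValueError("not an 'attr: value' line: %r" % line)

        def substitute(match):
            name = match.group(1)
            if name not in values:
                raise KeyError("no value for placeholder %%%s" % name)
            return values[name]

        pairs.append((attr.strip(), PLACEHOLDER.sub(substitute, val.strip())))
    return pairs


def find_duplicate_values(pairs):
    """Return [(attr, value), ...] for each identical value given twice.

    Attribute type names are case-insensitive, so they are folded. Values
    are compared verbatim here, although slapd applies the attribute's own
    equality matching rule (for mail it also ignores case), so the server
    may flag more than this check does. Multi-valued attributes with
    distinct values (the three objectClass lines) are legitimate."""
    seen, dupes = set(), []
    for attr, val in pairs:
        key = (attr.lower(), val)
        if key in seen:
            if key not in dupes:
                dupes.append(key)
        else:
            seen.add(key)
    return dupes


def to_ldif(dn, pairs):
    """Serialise as one LDIF entry (one attribute per line, no folding)."""
    return "dn: %s\n" % dn + "".join("%s: %s\n" % (a, v) for a, v in pairs)


def build_entry(dn, template, values, extra_fields=()):
    """Expand the template, append attributes from another form source and
    fail locally rather than let slapd fail the ADD with err=20."""
    pairs = expand_template(template, values) + list(extra_fields)
    dupes = find_duplicate_values(pairs)
    if dupes:
        raise ValueError(
            "entry would be rejected (err=20): "
            + "; ".join("%s: value provided more than once" % a for a, _ in dupes)
        )
    return to_ldif(dn, pairs)


if __name__ == "__main__":
    # Constructed sample values; the hash is a placeholder, not a real digest.
    values = {"uid": "test2", "mail": "test2@example.com", "pass": "{md5}PLACEHOLDER=="}
    dn = "uid=test2,ou=users,dc=example,dc=com"
    print(build_entry(dn, TEMPLATE_NO_MAIL, values))
    # The thread's failure: mail from the template plus the same mail from
    # the second Email field.
    try:
        build_entry(dn, TEMPLATE_WITH_MAIL, values, [("mail", values["mail"])])
    except ValueError as err:
        print(err)
```

Running the check on the exact LDIF the debugging option prints, just before the ADD, gives the same verdict slapd will give but with the offending attribute named on the Drupal side, which is what the "contact site administrator" message hides.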

rok-2 wrote:

Version: 5.x-1.x-dev » 6.x-1.0-alpha2

Hi,
I allowed custom username and then used Administer->User Management->Account management->new to create an account, but it failed and this is the error message:
• User validate: user data could not be read in the LDAP directory. Please contact site administrator.
• Error! User data could not be read in the LDAP directory. Please contact site administrator.
• The new user was not created. Please contact site administrator.

Could someone tell me how to configure it? And where can I configure the user data, in the provisioning module or in my ldap server?

thanks,

adeelkhan1 wrote:

Title: User created on database but not on LDAP » The new user was not created. Please contact site administrator.
Version: 6.x-1.0-alpha2 » 6.x-1.x-dev
Priority: Normal » Critical
Issue tags: +The new user was not created, +Please contact site administrator, +account creation ldap

I am new to Drupal and ldap. Trying to figure out account creation on the ldap server.

I can update/delete accounts on the ldap server but can't create a new account.

I also see an entry in the ldapprov table despite the failure of ldap account creation.

please see attached screen.

objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: Test123
givenName: test
sn: me
cn: test me
userPassword: 8hVUg5

**** The new user was not created. Please contact site administrator********