Discussed this with snufkin the other day...

Recently came across a site migrating from using LDAP to simplesaml. The site still had entries in the authmap table from the LDAP integration e.g.

+-----+-----+----------+-----------+
| aid | uid | authname | module    |
+-----+-----+----------+-----------+
|   1 | 123 | username | ldap_user |
+-----+-----+----------+-----------+

This caused a problem when simplesamlphp_auth tried to add its own entries to the authmap table, as it did so with the same value for authname (based on the user name), and there's a UNIQUE constraint on that field in the db schema:

> DESCRIBE authmap;
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| aid      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| uid      | int(11)          | NO   |     | 0       |                |
| authname | varchar(128)     | NO   | UNI |         |                |
| module   | varchar(128)     | NO   |     |         |                |
+----------+------------------+------+-----+---------+----------------+

It's perhaps not particularly well documented, but it looks like in order to support the ability to have more than one authmap entry for a given user (which the docs for user_set_authmaps suggest should be possible), the authname should be namespaced by each module.

See #920908: "{authmap}.authname should not be unique" and #1118422: "Document unique key on authname in {authmap}".

So perhaps something like:

+-----+-----+-----------------------------+--------------------+
| aid | uid | authname                    | module             |
+-----+-----+-----------------------------+--------------------+
|   1 | 123 | username@ldap_user          | ldap_user          |
|   2 | 123 | username@simplesamlphp_auth | simplesamlphp_auth |
+-----+-----+-----------------------------+--------------------+

I'll look at whether it's appropriate to file a companion issue for LDAP too.
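As an added illustration of the namespacing proposed above (example code, not the module's or Drupal core's own; the function names are hypothetical), a Drupal 7 helper that writes a module-namespaced authname through user_set_authmaps() and first checks whether a legacy, un-namespaced row from another module already holds that user name, so the UNIQUE key violation is reported instead of thrown mid-login:

```php
<?php
/**
 * Hypothetical helper (not part of simplesamlphp_auth or core).
 *
 * Registers $username for $account under $module using the "name@module"
 * form from the issue, e.g. "username@simplesamlphp_auth". user_set_authmaps()
 * merges on (uid, module), so a second module for the same uid always INSERTs;
 * if the authname is not namespaced that INSERT hits the UNIQUE key on
 * {authmap}.authname whenever another module already stored the bare name.
 *
 * @return string|false
 *   The authname written, or FALSE if a conflicting row exists.
 */
function example_set_namespaced_authmap($account, $username, $module) {
  $authname = $username . '@' . $module;

  // Look for rows that would collide: the namespaced name held by someone
  // else, or the bare legacy name (e.g. left behind by ldap_user) for a
  // different uid. Bare rows for the *same* uid are harmless because the
  // namespaced INSERT does not share their authname.
  $rows = db_select('authmap', 'a')
    ->fields('a', array('uid', 'authname', 'module'))
    ->condition('authname', array($authname, $username), 'IN')
    ->execute()
    ->fetchAll();

  foreach ($rows as $row) {
    $owned_by_other_uid = ($row->uid != $account->uid);
    $same_name_other_module = ($row->authname == $authname && $row->module != $module);
    if ($owned_by_other_uid || $same_name_other_module) {
      watchdog('example_authmap',
        'authmap conflict for %name: uid @uid already mapped via @module.',
        array('%name' => $row->authname, '@uid' => $row->uid, '@module' => $row->module),
        WATCHDOG_WARNING);
      return FALSE;
    }
  }

  // Key format 'authname_' . $module is what user_set_authmaps() expects.
  user_set_authmaps($account, array('authname_' . $module => $authname));
  return $authname;
}
```

When migrating an existing site, the same query run with the bare user name alone lists the legacy ldap_user rows that need renaming before the new module can insert its own.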

Files: #4 simplesamlphp_auth-2718645-4.patch (551 bytes) by mayankladoia

Comments

mcdruid created an issue. See original summary.


vsawant:

I was wondering if anyone used multiple authentication providers ( in Drupal 7 ) such as simpleSAMLphp and LDAP together with Active Directory at the backend.

We have been using LDAP and AD (with mod_auth kerberos) for SSO on our network for a while now; however, for our wireless access points the only option we have is to use ClearPass and AD to authenticate the wireless devices, and I am planning to use simpleSAMLphp to authenticate. So I will need both auth providers to work together.

However, I am having a problem authenticating with two different providers when a user with the same user id in both providers tries to authenticate.

It throws unique key (on authname column in authmap table) constraint violation error.

Anyone having this issue, or know how to resolve it?

Not sure the resolution provided above is implemented in D7 yet. What is the solution to resolve this issue in D7?

mayankladoia:

Status: Active » Needs review
File: simplesamlphp_auth-2718645-4.patch (new, 551 bytes)

I think this patch fixes the issue. I tried it on my website and it seems to work.