Successful login with notification of unrecognized credentials

great. glad the install and authentication worked. To debug this I will need to know something about your configuration. Is ldap authorization being used? Is this a new account (created at logon) or an existing account? And generally the settings at: admin/config/people/ldap/authentication.

If possible, please also check in the database for:

1. When a user successfully authenticates, there should be a record in the authmap table with: uid = their uid, authname = their drupal username, and module = 'ldap_authentication'

2. their record in the users table should have name and mail populated and status = 1.

I will try to make it easier to add this information to a bug report with something like the ldap_help module did.

I am able to logon with a nonexistant user account and an existing one; but likely have different configuration options. Are you using a service account for the ldap server binding where you have server binding credentials in the ldap server configuration form?

subscribe

Hello, I have the same error. I checked the authmap and users table and they are both populated correctly. I am using a service account for the ldap server binding. I've disabled the role mapping for now.

I have the same issue as well. So I started digging into this.

In the function:

function _ldap_authentication_login_form_alter(&$form, &$form_state, $form_id) {

The order of the validation is being defined based on the configuration of drupal to use either Mixed Mode authentication (Drupal and LDAP) or exclusive mode (Just LDAP except for the user with the UID of 1 or administrator).

In my case, I am using exclusive mode and what is happening is that the user logs in, and then the credentials are validated against LDAP just fine as defined by:

$new_validation_sequence[] = 'ldap_authentication_user_login_authenticate_validate';

The problem is in the second validation routine. In my case, the $form_state is not being passed correctly and the UID is not being set, so the second validation unfortunately....does not validate. This is the reason that I see the error, even though at this point I am validated.

I might as well post this as well. For me in the LdapServer.class.php, in the disconnect function, why do you use ldap_unbind(). This was giving me serious headaches when used with OpenLDAP and TLS. I am not sure why, but using ldap_close() gave me better results. As development moves forward, I can see a need for a LDAP PDO just to deal with the idiosyncrasies of LDAP implementations. You would think all LDAP implementations would be the same.....

Is there a way to tell Drupal that "Yes I am authenticated, no need to go through anymore validation functions"

Thanks,

Randall

I am not sure you can use the default drupal authentication. May have to alter the function, _ldap_authentication_user_login_authenticate_validate to actually perform local drupal authentication so you do not have to alter drupal core. You could just take what core does and create your own function. I will test this out tonight. I am desperate to get this working because I have use cases that depend on it. Even if it is a hack job at this point.

this is the sequence I'm going for. http://www.gliffy.com/publish/2362004/

Basically we are adding a validation function to the form validate array as outlined in user.module When one succeeds it should set form_state['uid'] populated as user_login_authenticate_validate() does.

Here are the notes from user.module

* Set up a series for validators which check for blocked users,
* then authenticate against local database, then return an error if
* authentication fails. Distributed authentication modules are welcome
* to use hook_form_alter() to change this series in order to
* authenticate against their user database instead of the local users
* table. If a distributed authentication module is successful, it
* should set $form_state['uid'] to a user ID.

In theory, it sounds like it should work. Here is the order that these things are being processed:

1. Loading default validators
2. _ldap_authentication_login_form_alter
3. user_login_name_validate
4. user_login_authenticate_validate
5. _ldap_authentication_user_login_authenticate_validate
6. user_login_authenticate_validate
7. user_login_final_validate

If I comment out :

$new_validation_sequence[] = 'user_login_authenticate_validate';

Local users and LDAP users are authenticated just fine. I do not think it is necessary to have

$new_validation_sequence[] = 'user_login_authenticate_validate'; Everything works fine for me.

So regardless, you get mixed mode authentication.

O.K. I see the problem now. I've outlined it at #1022362: \Drupal\user\Form\UserLoginForm::validateAuthentication function does not follow user module validation rules. One of the validation functions in the user.module is not implemented per the user.module specs. I've put in a patch.

Until the patch is accepted, I've put drupal user validation before ldap user validation for ldap authentication exclusive mode (as it is for mixed mode). this will be in unstable4.

This is fixed in head. Please test. Thanks for digging into this.

Thanks for fixing this.