Hello,
When logging into the system the first time using ldap_authentication against an active directory, the email address is not set. Our needs are very basic for this, we just need to authenticate, set up the account and forget it. We don't really use profiles, and don't need the ldap_data functionality at this time. I was looking at keathmilligan's article at: http://drupal.org/node/115146, and he has come up with a quick patch that makes this work exactly as we'd like it to as far as I can tell.
/**********************************************************
* KM: hack to get correct email address without ldapdata *
* see: http://drupal.org/node/115146 -jjv *
**********************************************************/
$ldap_user = _ldapauth_user_lookup($login_string);
if ($user) {
$dn = $ldap_user['dn'];
if ($ldap_user['mail'])
$mail = $ldap_user['mail'][0];
else
$mail = $dn;
}
I put this in directly after line 677 in ldapauth.module, and it works great. I didn't comment anything out as I didn't need to for KM's patch to work. People log in first time, get an account and pick up their email address from active directory. Then they can just start using the system. They don't need to set an email, and neither do I. Since the email is an important and required field for drupal, setting it by default just makes sense.
Can we have something like this in the next release of the module?
Thanks!
jjv
Comments
Comment #1
scafmac commentedThis functionality already exists by using the ldapdata module. When it is set up with the proper email attribute and set to "read only", it will populate the drupal email as you describe, even on first-time login.
Just to be clear, this has nothing to do with profiles per se. There are three modules in the ldap integrations suite:
ldapauth.module - used for checking AD or LDAP credentials;
ldapdata.module - used for reading or editing any AD or LDAP attributes (ie email);
ldapgroups.module - used for setting drupal roles based on attributes in the directory server;
I might be mistaken, but it seems like you want to move the email access out of ldapdata for some reason? Is there a compelling reason to do that, ie moving ldapdata functionality into ldapauth? This sounds a lot like feature creep...
What you describe is possible under the current version with less effort than hacking the code.
Comment #2
jeffvogelsang commentedSo there are several reasons:
1.) ldapauth.module doesn't just check credentials. It creates a drupal account if none exists using data from LDAP, i.e. the user account.
2.) In drupal email is not an optional field. You have to have a correct email address to create an account. If the the authentication module is going to create local accounts, it should at a minimum get the username and email correct without any additional modules (i.e. ldap_data). If the email isn't set right at creation, you could argue the account creation isn't done.
3.) The ldapdata.module requires that you enable the profile module. I don't want to do that. Email is not part of a user's profile. It's part of their account. I don't need to and shouldn't have to turn on profile, or map fields to set the minimum information required to have a complete account.
I'd argue this isn't feature creep. I think in this case, ldap_auth works pretty well, but it's not quite done yet. It think it should get the two items that are necessary for any other account creation and set them. Above and beyond that I agree that everything else should go in profile.
Comment #3
scafmac commentedYou make a good point, the fact that Drupal requires it for an account. It is not the only way, or even the most popular way to use the ldap module, but it is worth considering.
Comment #4
kreaper commentedTalking about ldapauth.module itself, do you think we should provide a config option for taking a email format and use that to set the default address ? (have the admin specify for e.g %user@mydomain.com and use that to set the default email for all newly registered users ?
Or another option is to re-direct the newly created user to the Account page so that they are prompted to fill out the correct email address..
Comment #5
kreaper commentedComment #6
jeffvogelsang commentedHello,
In our situation, what is in the mail attribute of ldap is exactly what we want. Our use case is that users in our active directory can log into Drupal and start using it immediately without having to enter any account information at all on their own. Our active directory serves as the authentication mechanism, and is authoritative for username and email information. We don't allow them to change their email or password or provide any profile capability. In fact we have the userprotect module installed and prevent any editing of account settings as this information is already in the active directory. Overall, with the patch mentioned here, we are really appreciating this module. I can bring up a Drupal installation in about 5 minutes, activate this module, and point it to our active directory. Then anyone in our organization that can log onto their computer can also log onto and be fully utilizing the drupal installation and getting notifications and emails instantly. It's a great use case for this module.
I think having an option to specify a default macro for creating usernames would be useful, but in our case would not work. Our logins are different from our email addresses, and can't be determined by a macro. Also, having the page redirect to the user account page could work too, but I'd be worried about that because the user could enter the wrong address or make a typo. If the information is in the LDAP server and is correct at the time of the account creation, I'd rather use that than put the onus on the user to get it correct.
The two things you mentioned along with the request I made I think would make great administrative options: 1.) Use the email in LDAP, 2.) Generate the email based on a macro, 3.) Redirect to the account page on login so the user can enter an email address.
Thanks again,
jjv
Comment #7
scafmac commentedKreaper,
I'm already working on a patch for this one for 5. It combines a number of user administrative options like disabling 'Request New Password' & preventing password change. Unfortunately it will not work in 4.7 because of some issues with Core. I've gotten it working on 5x, now I just need to add the interface to the admin pages. :)
Comment #8
fronbow commentedHi guys
What's the status of this?
I'm looking for a way to default users to %username@mailserver.com
I've tried doing this:
in ldapdata.conf.php but it doesn't seem to appear any where?
cheers
Comment #9
johnbarclay commentedClosing 5.x issues to clean out issue queue.