LDAP Authentication: Allow entering of email on initial logon before acct created and editing of email afterward

That's a mistake. I'm using 7.x.1.x-dev
The issue remains however, there is no way to change the email field. This is a rather detrimental feature.

With LDAP enabled, a person logs in via LDAP, their Drupal account is created. Their drupal email is populated by their LDAP retrieved email attribute.
But if the person has no email for LDAP to retrieve then they have an account with an empty email field.
Now when you go to manually update this account in drupal you cannot make any changes because LDAP has locked the email field. Since the email field is empty but required by drupal, you are unable to do anything to the account.

Drupal's email requirement is not at issue here. The issue is LDAP has only two choices, 1- hide the email field, 2- disable the email field. What about a 3rd choice which is to allow editing of the email field. then if the email is missing from the ldap source it will leave the manually entered email, if an email is present it can overwrite it.

The specific case I have experience with is as follows.

LDAP gathers from Active Directory. In Active Directory, the account(s) in question have an empty email field in the general properties of the account.
LDAP settings are that "mail" is used to populate the "Email attribute". So Active Directory email property is populating the drupal email field.

Authentication is Mixed mode, drupal fails, ldap is checked. Drupal User Account Creation is that "Associate local account with the ldap entry" and "Create accounts automatically for ldap authenticated users".

So the Active Directory user successfully logs into Drupal, their account is created on their first login even though they have a blank email property in ldap, so their drupal account has an empty email field. They can login and operate just fine, only their account can't be updated via the direct "/users/username" because the the email requirement. They can be updated in the "admin/people" list.

In my specific case I had also migrated from Drupal 6 to 7 where many of these empty email fields existed. In 7 it seems only one "empty email account" can be created because then additional ones collide on creation by having duplicate emails (duplicate empty but still duplicate). However that actually only lends more weight to the argument that removing the ability to change the email field is detrimental. A better behavior is that if all the users logging in via LDAP had no email, then they should be able to manually enter one on their first attempt instead of being told they can't login at all and having no recourse at that point.
ie. If you had 100 users in Active Directory that had no email, only the first could create account and the other 99 would be told they can't login.

This is easy enough to fix in the database for existing accounts, and of course the AD is obviously setup incorrectly, but that is beside the point =)

Thanks for opening and clarifying this issue. I agree that the proper fix is to use AD as a Directory, but we have *thousands* of users with blank email addresses (around 10,000), and absolutely do not want to store or manage passwords.

It would be great to just prompt them for a valid email address if the LDAP/AD mail attribute is returned blank. (Obviously this LDAP integration is for internal sites, so we're not expecting spammers.)

Hi,

I'm still pretty new at this, so please forgive me if anything is out of place :).

I had to fix this same issue, for the launch of the University of Ottawa's new Drupal-based multi-site configuration. After reading this issue, I decided to code the second option presented in #9 as a separate module.

http://drupal.org/sandbox/ottawadeveloper/1678050

To use it, you would specify a fake email template using the email template available the LDAP module already, using another unique property and a fake sub-domain like @fake-email.uottawa.ca for example. Then you can configure my module to look for users with those emails as they login and force them to update their information.

If you'd like to include this in your larger LDAP module, that would be great, if not I'll see if I can make it a full project so that people can add it in as needed to fix this issue.

Here's my first attempt at a patch (ever!) to include this in ldap_user. I've added the hook to update email on login, and configuration settings to the Users tab for setting the regular expression for temporary (or 'fake') emails created by LDAP. I also, as you recommended, added validation options - it will check to make sure it does not match the fake email and also provides an option to match against a valid pattern (in case you want to specify that it has to be a corporate email for example).

Attachment	Size
email_on_login_support-1321258-12.patch	19.16 KB

I like it - should we move it into ldap_servers though (so you can use a different LDAP attribute for each server)? Perhaps beneath the Email Template field that's already there. I really combining the fields - it will make for a cleaner user experience when using this feature.

If a site is primarily using the ldap_user provisioning parts to provision accounts to ldap, there should also be an option in the email fieldset to allow entering an email on registration and updating it. This will allow the provisioning code to push those updates to the ldap server. Does this make sense?

I've added the ability to leave the email field editable.

ottawadeveloper's patch will deal with the issue of empty email fields when provisioning drupal users. The third option simply helps when provisioning to LDAP or when a user's email derived from ldap is known to be bad, fake, or editable by the user. This is committed to 7.x-2.x-dev.

I'm leaving this as needs work for ottawadeveloper's patch.

Please try out the patch referenced in #19.