I have a Drupal site that should only allow a rarely changed subset of LDAP users to log in. When this option is enabled, an LDAP user who successfully authenticates with the directory but does not yet exist in Drupal should be denied access. The current behavior adds the user to Drupal. This option should be disabled by default, of course.

I intend to write this pretty soon and will post a patch when it's finished.

Comments

eporama@drupal.org

I just posted a feature request, http://drupal.org/node/258974, and I wonder whether it would essentially be the solution for this as well.

If the LDAPauth user creation process followed the settings in /admin/user/settings/ under "public registrations", then this could be solved by simply choosing the value 0 for user_register ("Only site administrators can create new user accounts.")

cpugeniusmv

I noticed your post and was just thinking that myself.

If we were to enforce the same rules for all new LDAP accounts from the local user registration settings like you suggest, it would alter the behavior that I (and probably many others) rely on for most sites. Most of the time I disable user registration, but I allow any account to be created that can authenticate from LDAP.

I propose that instead of the option detailed in my original issue, we could have an option (disabled by default) to enforce user registration settings from the local users settings. That way the current behavior doesn't change implicitly and different sites can continue to apply the different policies if desired.

How does that sound?
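The two policies discussed so far (deny any LDAP user without a pre-existing Drupal account, or alternatively make LDAP account creation follow core's user_register setting) both reduce to one decision at the point where the module would otherwise create the local account. The following is an added example written for this thread, not code from the ldapauth module or from the patch attached later in the issue. It uses only Drupal 6 core API (user_load(), variable_get(), watchdog(), form_set_error(), t()); the function names beginning with "example_" and the two variable names example_ldap_deny_unknown and example_ldap_honor_user_register are hypothetical.

```php
<?php
// Added example, not ldapauth module code. Everything prefixed "example_"
// is hypothetical; only the Drupal 6 core functions called are real.

/**
 * Decide whether an LDAP-authenticated user may log in, based on whether a
 * local Drupal account already exists.
 *
 * Two policy switches (hypothetical variable names, both off by default):
 *  - example_ldap_deny_unknown: the option from the original issue; when set,
 *    only users who already have a Drupal account may log in.
 *  - example_ldap_honor_user_register: the alternative proposed above; when
 *    set, auto-creation follows core's user_register setting, so with
 *    user_register = 0 ("Only site administrators can create new user
 *    accounts") unknown LDAP users are denied.
 *
 * @param string $name  Login name, already authenticated against LDAP.
 * @param string $dn    The user's LDAP DN, used for the log entry only.
 * @return bool TRUE if login may proceed, FALSE if it must be refused.
 */
function example_ldap_allow_login($name, $dn) {
  // user_load() returns a user object, or FALSE when no such account exists.
  $account = user_load(array('name' => $name));
  if ($account) {
    // Existing Drupal user: nothing to decide here. A blocked account
    // (status 0) is still rejected later by core's normal login path.
    return TRUE;
  }

  $deny = FALSE;
  if (variable_get('example_ldap_deny_unknown', 0)) {
    $deny = TRUE;
  }
  elseif (variable_get('example_ldap_honor_user_register', 0)
          && variable_get('user_register', 1) == 0) {
    $deny = TRUE;
  }

  if ($deny) {
    // Log with the DN so the directory side can be correlated; the user only
    // sees the generic access-denied text set by the caller.
    watchdog('ldapauth',
      'The valid LDAP account %name (%dn) was denied access because there was no matching Drupal account.',
      array('%name' => $name, '%dn' => $dn), WATCHDOG_WARNING);
    return FALSE;
  }

  // Default (both options off): keep the current behaviour and let the
  // module create the Drupal account for this LDAP user.
  return TRUE;
}

/**
 * Caller sketch (hypothetical): the point where the module would otherwise
 * create or load the local Drupal user after a successful LDAP bind.
 */
function example_ldap_post_auth($name, $dn, &$form_state) {
  if (!example_ldap_allow_login($name, $dn)) {
    // A plain 403-style message; do not reveal that the LDAP bind succeeded.
    form_set_error('name', t('Access denied.'));
    return FALSE;
  }
  // ... the existing create-or-load of the Drupal account continues here.
  return TRUE;
}
```

The check is deliberately done on the Drupal side after the LDAP bind has already succeeded, so the directory is never asked to enforce a site-specific policy; the form error stays generic while the watchdog entry carries the detail an administrator needs.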

gp177

I too would like to see this option available.

In the meantime I've added the following code to our server configuration under "PHP to transform login name".

// Look up an exact local account name. Uses '=' rather than LIKE so that '%' or '_' in $name cannot wildcard-match a different account; returns NULL when no such account exists.
return ($u = db_fetch_object(db_query("SELECT name FROM {users} WHERE name = '%s'", $name))) ? $u->name : NULL;

Not ideal, but it requires that the name exists in the database prior to authentication.

johnbarclay

Version: master » 6.x-1.x-dev
shendric

Would it be at all possible to add that to the Drupal 6 queue? We've got some sites that can't easily be migrated as yet, and it would be helpful to have that in the Drupal 6 version.

paolomainardi

Status: Active » Needs review
Attached file (new), 3.13 KB

I've just created a patch to avoid new user creation; please test and review it.

cgmonroe

Status: Needs review » Needs work

Patch will not apply to head. It contains file paths from a/sites/all/modules/contrib/ and b/sitesall/modules/contrib/. Please see:

http://drupal.org/node/707484

In addition, looking through the patch file, I'm not sure the watchdog and form errors are worded clearly.

The deny form msg should say something along the lines of a 403 Access denied message rather than this account "is not a valid system account".

Also, the watchdog message of "LDAP user with DN.. has a naming conflict with a local drupal user..." is not valid.

paolomainardi

@cgmonroe

Thanks for your feedback, got it. I'm sending an updated patch.

paolomainardi

Status: Needs work » Needs review
Attached file (new), 3.23 KB

Please find attached an updated patch.

paolomainardi

Up

paolomainardi

Up

cgmonroe

Status: Needs review » Fixed

I reviewed the code and did some testing; everything looks fine.

I did make a minor wording change to the watchdog message. The message for a denied user is now:

"The valid LDAP account %name was denied access because there was no matching Drupal account."

Committed to 6.x-1.x branch.

paolomainardi

@cgmonroe Great, glad to contribute to the ldap module :)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.