"User edit" page enforces wrong check for editing the "LDAP User DN"
| Project: | LDAP provisioning |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
In the "LDAP authentication settings" panel on the User edit admin page, there is a checkbox to change the "Authenticate via LDAP" flag and an edit field to modify the "LDAP User DN" for that user.
Currently, making any change to that field requires that the newly entered DN does not already exist, or an error is displayed. However if you enter a non-existing DN, no new LDAP record is actually created at this time. This implies that it should actually be requiring the admin to enter an already-existing LDAP record.
My patch reverses the sense of the check and only allows you to change a user's DN to reference an existing record. This functionality is useful when the admin needs to manually reassociate an existing Drupal user to the correct LDAP record. Is my interpretation correct about how this is intended to work?
| Attachment | Size |
|---|---|
| ldapprov2.module.diff | 961 bytes |

#1
Another option might be: if the newly specified DN does not exist, then prompt the admin whether it should be automatically created right then. (That sort of functionality would be more in line with the theme of being in ldap_provisioning; otherwise this edit panel might have been more appropriately implemented by the ldap_integration module.)
#2
Well, it is a slightly different use case. "LDAP User DN" shows the mapping between the Drupal local user and the LDAP account. Changing this field will perform a DN change operation in LDAP. The LDAP account will be moved to another DN in the LDAP tree. The LDAP search you are altering in the patch is performing correctly, i.e., it is searching for the new DN you want to rename the LDAP account to, and if it is not already taken the validation passes and a rename can occur. Otherwise there is a validation error that the new DN already exists in LDAP.
This action is not for associating a Drupal user with a preexisting LDAP account but rather for renaming the LDAP account itself.
Associating a local Drupal user with an existing LDAP account might be pretty useful, but I guess to avoid confusion this feature should be implemented in some other section, not in the user edit form. A local Drupal search should be performed to make sure no other Drupal account is mapped to the same LDAP account before the action.
#3
Whether to associate a user with an existing DN, or to rename the DN, could be decided by whether or not the user already has a DN. I think it would be fine to accomplish both tasks from the same admin panel. Regardless, there needs to be some explanatory text about what the purpose of the panel is.
#4
Agree. If there is an explanation text, both tasks can be accomplished.
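As an added example (not part of the issue or the module's own code), the combined validation discussed in #2 and #3 in Python: rename when the user already has a DN, associate when it has none, plus the local "no other account mapped to this DN" check from #2. The directory and user table are constructed stand-ins for the LDAP server and Drupal's users table.

```python
from typing import Optional, Tuple

# Constructed sample data standing in for LDAP entries and Drupal's users table
# (assumption for this example; the module reads these from LDAP and the database).
LDAP_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org",
    "uid=bob,ou=people,dc=example,dc=org",
}
DRUPAL_USERS = {
    1: {"name": "alice", "ldap_dn": "uid=alice,ou=people,dc=example,dc=org"},
    2: {"name": "carol", "ldap_dn": ""},  # not yet associated with an LDAP record
    3: {"name": "dave", "ldap_dn": ""},
}


def dn_exists(dn: str, entries=LDAP_ENTRIES) -> bool:
    """Stand-in for the LDAP search the module runs against the new DN."""
    return dn in entries


def other_user_mapped_to(dn: str, uid: int, users=DRUPAL_USERS) -> bool:
    """Local search from #2: is this DN already mapped to a different Drupal account?"""
    return any(u["ldap_dn"] == dn and other != uid for other, u in users.items())


def validate_dn_change(uid: int, new_dn: str, users=DRUPAL_USERS,
                       entries=LDAP_ENTRIES) -> Tuple[str, Optional[str]]:
    """Return (action, error): action is 'rename' or 'associate', error is None on success."""
    current_dn = users[uid]["ldap_dn"]
    if current_dn:
        # Rename case (#2): the target DN must not already be taken in LDAP.
        if dn_exists(new_dn, entries):
            return "rename", "The new DN already exists in LDAP."
        return "rename", None
    # Associate case (original report, #3): the DN must exist in LDAP ...
    if not dn_exists(new_dn, entries):
        return "associate", "No LDAP record exists at that DN."
    # ... and no other Drupal account may already be mapped to it (#2).
    if other_user_mapped_to(new_dn, uid, users):
        return "associate", "Another Drupal account is already mapped to that DN."
    return "associate", None
```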