I am building a school website and most students do not have an email address to sign up with. I have a very big problem that I haven't solved yet which will effectively prevent the site from going live: drupal does not let anyone register without a unique email address in the email field - it cannot be left blank, even if an admin creates the account manually.
I am looking for an alternative method of authenticating about 700 students and teachers. I don't have my own web server with apache root access - the website uses a normal web-hosting company, which doesn't supply the resources to run an openID server, or any other authentication server like LDAP, cosign, etc.
Will the 'openID provider' module allow me to create 700 openID identities for our users without using any email identification, and which the students and teachers can then use to log-on to our website?
Thanks.
Comments
Comment #1
dirkjot commentedSorry, but I don't think openID will help here: How will you tell your 700 users what their (initial) password is without having their email addresses? Wikipedia has a good explanation of how openID works and how it basically only defers the password asking from one website (where you want to log in) to another (where you hold your openid).
However, Drupal has another option which you can find in the admin settings (under admin > user management > user settings) which may be of help to you. One of the settings for creating logins is:
"Visitors can create accounts and no administrator approval is required."
So now your students can sign themselves on and you don't have to do anything. I strongly recommend looking at CATCHA or similar to avoid spambots creating an account and pumping your site full of nonsense. Or choose "user create accounts but admin approval is necessary".
Slightly of topic, I would never run a site for 700 users on a server that has so many limitations. You will probably run into bandwidth problems also on such a limited site.
Dirkjot
Comment #2
-Anti- commented> How will you tell your 700 users what their (initial) password is without having their email addresses?
Print them out on a slip of paper and hand them to the students during an IT class.
> how it basically only defers the password asking from one website (where you want to log in) to
> another (where you hold your openid)
I was hoping that if I was 'my own openID provider', there would be a database somewhere with the students' allocated openID (eg. name@ourdomain.net) and a password, without them needing an external email address.
> Visitors can create accounts and no administrator approval is required.
For all of the different registration settings in D6, a unique email address is required. Even if you switch off email authentication, although drupal doesn't send the user an email, the user is *still* required to fill out the email field.
The only workaround that I can think of at the moment is so ugly that it doesn't bear contemplating: turn off registration completely; ask the children to request an account verbally; create the accounts myself, supplying an email address in the registration field such as: name@disposable-domain.net; then black-hole all mail sent and received on that domain; and disable all user contact forms until someone builds an internal messaging system for D6. Yuk.
Note that, I do not wish to create real email addresses for each student at our school domain. It would take far too long, be very difficult to manage, and would introduce the possibility of young children being targeted by inappropriate spam and other unwanted contacts.
I just don't understand why these CMS's are so insistent on obtaining an email address. If we want users just to register with name and password, and moderate the account creation ourselves, it shouldn't be hard to do. Email registration sucks anyway! What kind of identification or assurance does email give? None! It's so stupid.
> Slightly of topic, I would never run a site for 700 users on a server that has so many limitations
Really? It's a normal business account - quite fast, 8gb, excellent support and reliability, and a fairly decent price. But like all shared servers, the only thing you can't have is root access. And to be honest, I wouldn't know what to do with root access if I had it - it looks extremely difficult to install an LDAP server, for instance.
Apart from that, I didn't think 700 users was large at all - only a max of about 250 would use it at any given moment, and usually a lot less - maybe 50 - 100 simultaneous users. We sure as hell can't afford a dedicated server or reseller account.
Comment #3
sanduhrsHave a look at http://drupal.org/project/logintoboggan
Closing.
Comment #4
concretebox commentedI agree that it should be possible to easily disable any of the "requirements" for user registration, for your particular needs.
For most of us, building web sites that are accessible by and designed for unknown users, requiring an email is a normal part of the process; its the ONLY way to allow users to reset passwords, to send them updates if needed, and its the most valuable thing we might want to 'harvest' from them as well. So, its understandable why it is so hard-coded into the CMS.
That's why you so often see "confirm email address here" secondary text fields that check for a match. Capturing the email address is critical to everything including user satisfaction.
I haven't gotten to this yet, but your idea about providing your own OpenID reference seems promising.
http://wiki.openid.net/Run_your_own_identity_server
I'm still working with a login that requires only an email, but if I run across anything helpful I'll post it back here.
Comment #5
-Anti- commentedAs suggested, OpenID doesn't really seem appropriate for the purpose.
To run an openID server, you need a VPS account or equivalent.
And if you have that, running an LDAP server for authentication is probably more appropriate/useful.
However, there is some progress being made with regard to registering without providing an email - a module; a script for template.php; and a patch to core, are all currently being worked on within separate forum threads.
The biggest problem is that, whichever of these approaches is used, turning email off causes problems with any module which assumes email addresses are supplied, does not check for a null or false string, and so crashes or produces errors when the module tries to use the address. This actually includes the core 'contact' module!
As I understand it, the only solution to these problems is that module developers need to check whether an email exists rather than assume it exists, especially as there are already two or three existing 'user management' and 'import' modules which create user accounts without creating an email address. I would've thought checking for a null string was good practice anyway.
> its the ONLY way to allow users to reset passwords
Not if they were asked for a secret pass phrase or security question on registration. Then they could enter that to gain access to their account if they forgot their password.
> to send them updates if needed
We can always use simplenews if users want to receive info by email. Internal private messaging is also an option for those without email. It is arguably less reliable than email, as the user needs to visit the site to get the information, but after sending email you never know whether the user checks and reads the email they supplied anyway!
Comment #6
no2e commentedWhy that? http://siege.org/projects/phpMyID/ runs on shared LAMP hosting, I think.
Comment #7
mrwhizkid commentedThis definitely can be done using a relatively simple hack inside the user.module file. Basically, you can hide the email textfield and have Drupal generate a FAKE email address everytime someone registers.
http://www.nathanryan.com/drupal-6-registration-without-requiring-email-...
Is there anyway this could be made into a plugin perhaps?