Users having the "administer users" permission granted will see a form to change the Username on the user edit form (user/UID/edit). However, this does not make sense on users authenticated via LDAP. Changing the username on these users will break their account. Thus, I am asking for an option that disables the possibility to change the username, maybe similar to the "[ ] Disable drupal user creation" option from LDAP provisioning.

Thanks for considering that.

Comment | File | Size | Author
#5 | ldapauth.patch | 1.54 KB | rjmackay

Comments

miglius

If you're using LDAP provisioning, then changing the Drupal username should not break the Drupal account, but will rename the account in LDAP as well as the local Drupal account.

roball

I do use LDAP provisioning. Unfortunately, the username change does not work properly! At least when you log in as an LDAP user that has the "administer users" permission, but NOT the "change own username" permission.

If you then change your own username from, let's say, user1 to user2, Drupal says the change was successful. The LDAP server in fact has changed the username properly. However, Drupal's "users" table then has both usernames stored, but you will only be able to log in again with the old username. The LDAP sync gets messed up, and you have lost all your Drupal roles, maybe other information as well.

In short, changing the (at least own) username makes lots of trouble - maybe due to some bugs of LDAP provisioning. Until these bugs get fixed, I think it would be easier to just give an option to disallow username change at all.

miglius

In that case you should have opened a ticket in the LDAP provisional issues :)

It's weird though, as user renaming works fine on my setup: a new row is not created in the users table, but rather the existing one is altered. Also, Drupal roles are not affected by the rename. Do you use the latest version of ldap_provisioning?

roball

Renaming his own username also works fine on my environment when the user has been granted the permissions administer ldap modules, choose roles for new accounts, create accounts, administer permissions and administer users.

However, when the user that renames his own username only has administer users from the above listed permissions, the problems arise. In that case, the authmap table's authname value did not get changed! After logging out, the user cannot log in with the new username. The user table creates a new user with the new username, assigning a new uid. The old account with the original uid will be kept, but loses the roles.

And yes, I am using the latest dev versions of your modules.
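An added example, not part of the thread or of the module's code: a consistency check for the state described in the comment above, where a rename leaves authmap.authname out of step with users.name. It assumes Drupal's users, authmap and users_roles tables reduced to the columns used here, and 'ldapauth' as the authmap module value; the rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Assumption: simplified copies of Drupal's tables; 'ldapauth' module value is assumed.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE authmap (aid INTEGER PRIMARY KEY, uid INTEGER, authname TEXT, module TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
"""

def build_sample_db():
    """Constructed rows: uid 5 was renamed locally, its authmap row kept the old name;
    uid 9 is an account with no LDAP mapping and no roles."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (3, "alice"), (5, "user2"), (9, "bob")])
    conn.executemany("INSERT INTO authmap (uid, authname, module) VALUES (?, ?, ?)",
                     [(3, "alice", "ldapauth"), (5, "user1", "ldapauth")])
    conn.executemany("INSERT INTO users_roles VALUES (?, ?)", [(3, 4), (5, 3)])
    return conn

def find_name_drift(conn, module="ldapauth"):
    """Mapped accounts whose Drupal name no longer equals the external authname."""
    return conn.execute(
        "SELECT u.uid, u.name, a.authname FROM users u "
        "JOIN authmap a ON a.uid = u.uid "
        "WHERE a.module = ? AND a.authname <> u.name ORDER BY u.uid",
        (module,)).fetchall()

def find_unmapped(conn, module="ldapauth"):
    """Accounts without a mapping for the module, with their role count.
    uid 0 (anonymous) and uid 1 (site admin) are skipped as expected local accounts."""
    return conn.execute(
        "SELECT u.uid, u.name, COUNT(r.rid) FROM users u "
        "LEFT JOIN users_roles r ON r.uid = u.uid "
        "WHERE u.uid > 1 AND NOT EXISTS "
        "(SELECT 1 FROM authmap a WHERE a.uid = u.uid AND a.module = ?) "
        "GROUP BY u.uid, u.name ORDER BY u.uid",
        (module,)).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    for uid, name, authname in find_name_drift(db):
        print(f"drift: uid={uid} users.name={name!r} authmap.authname={authname!r}")
    for uid, name, roles in find_unmapped(db):
        print(f"unmapped: uid={uid} name={name!r} roles={roles}")
```

On a site where every account is expected to come from LDAP, rows from either query are candidates for manual review before any account is merged or deleted.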

rjmackay

Status: Active » Needs review
Attached file (status: new): 1.54 KB

I've just made a patch that does this - adds an option similar to that for the email field to disable or remove the username field from the edit form.
I don't want to allow changing username, even for users with 'administer users' permissions - since this breaks the mapping.

Patch attached.

cgmonroe

Status: Needs review » Fixed

A variation of the code from #5 has now been committed. If you don't have provisioning set up, a novice admin may cause problems by changing a user name, so having a way to prevent this is nice.

Sigh, comment patched:

- not been committed
+ now been committed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.