I've been using this module for some time on an internal site with a small number of users authenticating against ldap only, and thought everything worked great. Because we have such a low turnover of users, I've only just noticed that some upgrade long ago of either Drupal or this module has stopped new users from being able to log in successfully.

New users from ldap (not necessarily recently created in ldap, just never having logged into drupal before) do have rows created in Drupal's user table, but receive 'access denied' even though they're logged by watchdog as a successful login, and the ldap authentication seems to go ok. The data created in Drupal's user table looks alright to me, and so I can't see what's not happening that used to.

If I delete a user from Drupal who previously worked, then they meet the same problem as a new user, and if I enter an invalid password for either working or broken users, then this is logged as a bind failure and access denied, as would be expected. I've tried rolling back to earlier (6.x) versions of the module with no success. The problem now is: what should I do next to go about debugging it?

Any offers gratefully received!

Files attached: #1 ldap_integration-949560.patch (798 bytes) by mdryan

Comments

Comment by mdryan

Version: 6.x-1.0-beta2 » master
Category: support » feature
Status: Active » Needs review

Well, it took a long while and lots of tracing of code, but the error turned out to be restrictions on which LDAP groups allow automatic account creation (in the ldapgroups module). For some reason this configuration string was corrupt in my database and was not a valid ldap group.

At the moment, when a new user who's not a member of an approved ldap group attempts to log in, the anonymous user account is loaded, which successfully prevents the login but doesn't offer any indication of what's going on. I've attached a one-line patch which logs the event to watchdog, but it would probably make more sense if the Drupal user was never created in the first place and a successful login wasn't recorded. This involves modifying the architecture of the module somewhat, though.

I guess this is now a feature request not a support request since I've fixed my original problem although it's the same issue.

Comment by mdryan

Title: Hints on how to start debugging » Successful login recorded in watchdog even when ldap user is not member of an ldap group allowing automatic account creation
Comment by johnbarclay

Version: master » 6.x-1.x-dev
Category: feature » bug
Comment by cgmonroe

Status: Needs review » Fixed

This is fixed in the changes just committed. ldapgroups now uses the new hook_ldap_user_deny_alter function, which allows other modules to tell ldapauth/ldapsync not to create/login users.

For details of these changes see #1475272: 6.x-1.0 Release Candidate 1 Status
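Editor's note: the following is an added illustration, not code from the ldap_integration project or from any commenter in this thread. It sketches how a small Drupal 6 module could use the deny hook cgmonroe refers to, so that the silent "anonymous user loaded" failure mdryan hit in comment #1 instead becomes an explicit denial with a watchdog entry, and so that a corrupt group DN in the configuration (the original root cause) is reported rather than quietly matching nothing. The hook's parameter list, the module name `ldapgroupgate`, the variable `ldapgroupgate_allowed_groups`, and the `memberof` attribute layout are all assumptions; check ldapauth's own API documentation for the real signature before reusing any of this.

```php
<?php
// Added example: hypothetical Drupal 6 module "ldapgroupgate". Not code from
// ldap_integration or from the thread's participants. The parameter list of
// the hook below is an ASSUMPTION; verify it against ldapauth's API docs.
//
//   $deny       bool, by reference: set TRUE to block account creation/login
//   $name       the user name being authenticated
//   $ldap_user  attribute array for the user as returned by ldap_get_entries()
//               (assumed: attribute names lower-cased, values arrays with 'count')

/**
 * Implementation of hook_ldap_user_deny_alter() (signature assumed).
 */
function ldapgroupgate_ldap_user_deny_alter(&$deny, $name, $ldap_user) {
  if ($deny) {
    // Another module has already denied this user; never weaken that decision.
    return;
  }

  // Allow-list of group DNs saved by this hypothetical module's settings form.
  $configured = variable_get('ldapgroupgate_allowed_groups', array());
  $allowed = array();
  foreach ((array) $configured as $dn) {
    $normalized = _ldapgroupgate_normalize_dn($dn);
    if ($normalized === '') {
      // The original report was caused by exactly this: a corrupt group string
      // that could never match. Log it at error level instead of failing silently.
      watchdog('ldapgroupgate', 'Ignoring malformed group DN in allow-list: %dn',
        array('%dn' => $dn), WATCHDOG_ERROR);
      continue;
    }
    $allowed[$normalized] = TRUE;
  }

  // An empty (or entirely corrupt) allow-list fails closed, and says so.
  if (empty($allowed)) {
    $deny = TRUE;
    watchdog('ldapgroupgate', 'Login for %name denied: no valid group DN configured.',
      array('%name' => $name), WATCHDOG_ERROR);
    return;
  }

  // Collect the user's group memberships from the memberOf attribute.
  $groups = array();
  if (isset($ldap_user['memberof']) && is_array($ldap_user['memberof'])) {
    foreach ($ldap_user['memberof'] as $key => $value) {
      if ($key === 'count') {
        continue;
      }
      $groups[] = _ldapgroupgate_normalize_dn($value);
    }
  }

  foreach ($groups as $dn) {
    if ($dn !== '' && isset($allowed[$dn])) {
      // Member of an approved group: leave $deny as FALSE.
      return;
    }
  }

  // Deny and record the reason, so the audit trail shows a denial rather than
  // the "successful login" followed by access denied described in the report.
  $deny = TRUE;
  watchdog('ldapgroupgate',
    'Login for %name denied: not a member of any approved LDAP group (memberOf: %groups).',
    array('%name' => $name, '%groups' => implode('; ', $groups)), WATCHDOG_WARNING);
}

/**
 * Normalizes a DN for comparison; returns '' if the string is not a DN.
 *
 * Lower-cases attribute types and values and strips whitespace around the
 * separators. Deliberately simple: it does not handle escaped commas.
 */
function _ldapgroupgate_normalize_dn($dn) {
  $dn = trim((string) $dn);
  if ($dn === '') {
    return '';
  }
  $out = array();
  foreach (explode(',', $dn) as $rdn) {
    if (!preg_match('/^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(\S.*?)\s*$/', $rdn, $m)) {
      return '';
    }
    $out[] = strtolower($m[1]) . '=' . strtolower($m[2]);
  }
  return implode(',', $out);
}
```

The two points worth keeping from this sketch, whatever the real hook looks like: a deny decision made by another module is never overridden back to allow, and every path that ends in a denial writes a watchdog entry naming the user and the reason, which is what the original reporter spent "a long while and lots of tracing of code" to reconstruct by hand.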

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.