During login the username is converted to lowercase, but not for the role checking with groups as entries. The other group/role strategies do use strtolower in the code, but there is no case-fixing in ldap/ldap_authorization/ldap_authorization.inc lines 415-434. Adding drupal_strtolower() on line 417 would fix this issue.
Steps to reproduce:
Make an LDAP user with a lowercase UID and add this uid as a memberUID in a group.
Log in (for the first time) with a uppercase letter in the UID.
Logging in works fine, but no roles are assigned.
Logging in with an incorrect username does not work, as expected.
When the first log in is with a lowercase uid, all will be fine, even if later logins use mixed case.
A workaround is adapting the username in the admin panel.
Comments
Comment #1
johnbarclay CreditAttribution: johnbarclay commentedThanks. This is fix was applied in beta10. There are still case sensitivity issues in beta10 I'm working through in 7.x-1.x-dev.
Comment #2
kasperl CreditAttribution: kasperl commented(Bracking and me work for the same association, on the same LDAP/Drupal setup)
We have updated our configuration, but unfortunately some part of the patch broke all our role mapping. On log in all LDAP-granted roles are revoked, and we cannot seem to get them back, no matter what we do. We've tried applying the patch in http://drupal.org/node/1607024 , but that does not help.
I'm afraid we cannot pinpoint what exactly broke our setup either, nothing in the config changed (that we know of), but of course, during the debugging process we have been trying a lot of different options. Once we know if this has been fixed, we'll post here, but now we are very interested in any hints as to what exactly changed.
Comment #3
johnbarclay CreditAttribution: johnbarclay commentedHere's what I think off the top of my head. beta10 removed the roles from the users, but perhaps not the user->data array so its not trying to add them back. I would return your settings to their original state and treat it as a bug.
First, Try the following:
query the db with
select name, cast(data as char(1000)) from users
deserialize the array (I use http://unserialize.net/).
If a user has no groups, the ldap_authorizations part of the array should be an empty array.
Comment #4
kasperl CreditAttribution: kasperl commentedWe checked one of the problematic users. There were roles associated in the data attribute, but we couldn't delete the user from the Drupal UI, and removing in MySQL did not work as expected. The user could still log in, but no roles were assigned at any point. In the users table, there were only a few users, and it seemed that it was only those who had non-LDAP assigned roles. We are not sure what happened to the other users (most of whom have LDAP roles and could log in). Anyone who logs in seems to keep the roles they have, and no changes in LDAP propogate to Drupal anymore.
More help is welcome, but it seems that for our release (planned this Monday, fairly hard deadline) we will have to drop Drupal roles support.
Comment #5
johnbarclay CreditAttribution: johnbarclay commentedThis origin of this problem is unclear, but the symptons indicate the roles our out of synch with the $user->data authorizations. The code needs to be more robust and alter the actual authorizations when they are out of synch. I'm moving this to 7.x-1.x-dev.
Comment #6
johnbarclay CreditAttribution: johnbarclay commentedComment #7
johnbarclay CreditAttribution: johnbarclay commentedThis seems like a duplicate of #1607024: authorization drupal role not mapping roles because of case mismatch.. I'm closing this as a duplicate. Follow up in #1607024: authorization drupal role not mapping roles because of case mismatch. for any case sensitivity issues in authorization.
Comment #8
sarvesh001 CreditAttribution: sarvesh001 commentedCan anyone give me any suggestion, how to make the username case sensitive for default user login?