Is it not possible to authenticate using multiple servers in Ldap.When i tried to authenticate with user 1 with server 1 and user2 with server2 using Ldap, its allowing me to authenticate with either severs but not with both at a time.
Below are the scenarios where authentication with multiple servers failing:
1)if i select only one server for example server 1, iam able to authenticate for user 1
2)if i select another server for example server2 , iam able to authenticate for user 2
3)if i select both servers for example server 1 and server2 , iam able to authenticate only for user1 but not for user 2
could you please advise on it.
Comment | File | Size | Author |
---|---|---|---|
#20 | ldap-multidomain-1740978-20.patch | 7.41 KB | shawn_smiley |
#19 | ldap-multidomain-1740978-19.patch | 4.31 KB | shawn_smiley |
#15 | ldap-multi-server-user-provision-1740978-15.patch | 1.71 KB | spruce-bruce |
#13 | ldap-use-correct-sid-1740978-13.patch | 1007 bytes | Mr.Echo |
#9 | ldap-use-correct-sid-1740978-9.patch | 1.3 KB | steven.wichers |
Comments
Comment #1
johnbarclay CreditAttribution: johnbarclay commentedThis should work. I'll work on replicating this. Is anyone else succeeding with multiple servers for authentication?
Comment #2
johnbarclay CreditAttribution: johnbarclay commentedComment #3
carlovdb CreditAttribution: carlovdb commentedI have the same problem...
Comment #4
carlovdb CreditAttribution: carlovdb commentedI have installed the latest release of the ldap module.
I have these activated:
I have 2 Active directories to connect to. I have enabled them both and the test is OK. (In second tab: Servers)
So, they are both working.
In third tab: User.
Basic Provisioning to Drupal Account Settings > LDAP Servers Providing Provisioning Data
--> When I select none: None of the users can login.
--> When I select one of the 2 enabled Active directories: The user of the selcted AD, can login, the other can't
4th Tab: Authentication:
Mixed mode is selected
Both AD's are selected
When a user can't login, this is the message.
Comment #5
carlovdb CreditAttribution: carlovdb commentedIs there a sollution for this?
Comment #6
johnbarclay CreditAttribution: johnbarclay commentedThere is no solution for this currently. Since the ldap to drupal mapping is for a single server, it simply will not work for mulitple servers. There are 2 ways a patch could be written to fix this:
-----------------
1.
- make "LDAP Servers Providing Provisioning Data" a checkbox so more than one can selected.
- the mappings would have to be the same for each server
- or add a checkbox to the effect of "provision from whatever server user is ldap associated with"
------------------
2.
- make "LDAP Servers Providing Provisioning Data" a checkbox so more than one can selected.
- allow for mulitple servers mappings to be stored.
-----------------
1 is much simpler to implement than 2 and avoids a complex UI. But only 2 accounts for structurally different ldaps. I believe patch 2 would be too disruptive for the beta process and should wait for the 8.x version.
Patch 1 would involve:
- adjusting LdapUserConf.synchToDrupalAccount() to use user associated ldap server, instead of LdapUserConf.drupalAcctProvisionServer
- I don't believe ldap_servers_get_user_ldap_data() or LdapUserConf.entryToUserEdit() functions would need any alteration.
Attached is a start at such a patch. It lacks configuration of which servers are used to provision and just assumes the server that the user is associated with is the one to get the ldap data from. The patch is completely untested, but if we can get it to work and have it tested well, we can work the UI in later.
Comment #7
yalet CreditAttribution: yalet commentedI don't this configuration for option 1 should be checkboxes. Done that way, the drupalAcctProvisionServer must become an array, and then every place where it is used must be converted to make a choice about the values in that array. For example, the code would have to loop through all servers in the array and then try provisioning from each server, presumably stopping after a success. There would also then be a hidden meaning to the order in which the servers appeared in the array.
I think the configuration should remain radios. There would be an option for each individual server, an option for none, and an option for 'provision from whichever server the user is associated with'. There are a few use cases where this option wouldn't work (n>2 servers, authentication for users handled by some subset, provisioning handled by some other subset), but that case seems quite outlandish. Additionally, we don't have to deal with looping through provisioning attempts and trying to deal with ordering.
Comment #8
steven.wichers CreditAttribution: steven.wichers commentedI think there may have been a jump here from "I want to allow logging in to different servers" to "I want to pull account information from different servers". This issue is about the former, not the latter.
The LDAP Authentication tab specifically states you can log in via multiple servers:
And you can select as many servers as you have configured because the form element is a set of checkboxes.
The LDAP Authorization tab is clear about only being usable on a single server, and uses radio options as expected.
If the LDAP module truly cannot handle User A authenticates against Server A, while User B authenticates against Server B then the authentication page is extremely misleading and confusing.
Is it the case that the Authentication functionality is purely authentication, and if you manually create User B they will be able to log in to Server B? That should be explained within that area if so.
Comment #9
steven.wichers CreditAttribution: steven.wichers commentedAfter some debugging it seems that ldap_authentication does go through and validate against each server you have configured until it succeeds (or all fail), but it does not use the correct sid when trying to create new users.
Here is a patch that changes the drupalAcctProvisionServer to the sid of the server that the user was authenticated on.
I have not noticed any functional change other than users from all servers being able to login. There may be a better way to update the sid of the ldapUser object that is being used. Maybe the wrong ldapUser object is being used. I am not familiar with the ldap module codebase so please review this.
Comment #10
denix CreditAttribution: denix commentedAnyway, if the module authentication can authenticate against multiple servers, then I think this issue should be closed.
As Steven correctly point out the issue is:
"I want to allow logging in to different servers"
that seems to be ok at the moment (I have to do another couple of tests)
thanks for the great work,
Denis
Comment #11
Mr.Echo CreditAttribution: Mr.Echo commentedThis still does not work. I have two servers that I need to authenticate against. I can do one or the other, but not both. If both are selected, only the first one in the list will be used for authentication. I am using the latest development release of the module.
Comment #12
Mr.Echo CreditAttribution: Mr.Echo commentedComment #13
Mr.Echo CreditAttribution: Mr.Echo commentedThe patch from comment #9 didn't quite work for me. The script wouldn't loop through the array of servers I had set up, so I found where the loop was being broken off with a break; statement and replaced with a continue; in addition to what what done in comment #9's patch.
This patch was done on version 7.x-2.0-beta5.
Comment #14
steven.wichers CreditAttribution: steven.wichers commentedThe patch in #13 needs to be re-rolled from the correct folder (and shouldn't leave the old code commented in).
Comment #15
spruce-bruce CreditAttribution: spruce-bruce commentedHere's a patch that will allow you to use the ldap user test form to pull in and create users from other servers. The module still won't pull info from the second server for your users, but I've used this to at least get these users in the site.
Comment #16
shawn_smiley CreditAttribution: shawn_smiley commentedJust a note that there seems to be multiple related issues in the queue. While these issues aren't exact duplicates I wanted to list them for reference purposes in hopes that the solution to one of these could address all of them.
The related issues are:
Comment #17
johnbarclay CreditAttribution: johnbarclay commented#9 is a reasonable quick fix. Coupled with a configuration option checkbox "provision from whatever server user is ldap associated with" would take care of many use cases.
Comment #18
shawn_smiley CreditAttribution: shawn_smiley commentedI was thinking the same thing johnbarclay.
I also have a client that needs this. I'll be working on a patch today/tomorrow based off the work in #9. I'll submit it for review as soon as possible.
My basic plan of attack on this is:
I'll also try to incorporate the work from #15 to update the test screen to work with these updates.
As a bonus, if I have time, I'd like to look at the code that handles selecting the server to authenticate against and see if we can add some configuration options to pre-select the correct server to authenticate against based on the user's login info. For example, add a configuration box to the server settings which allow specifying that all user accounts using the form of "mydomain1\myusername" or "myusername@mydomain1.com" get routed to server1 first and logins as "mydomain2\myusername" or "myusername@mydomain2.com" get routed to server 2 first.
Comment #19
shawn_smiley CreditAttribution: shawn_smiley commentedHere is an updated patch. This patch does the following:
I've tested the following funcationality on our clients network with 2 separate AD domains without issue:
I have not tested the Group/Role permission assignment functionality yet though since we're not using that functionality.
Comment #20
shawn_smiley CreditAttribution: shawn_smiley commentedSlight update to the previous patch to resolve an error when users log in via the SSO module when they do not have the $account->data['ldap_user'] info in their Drupal user account object.
Comment #21
johnbarclay CreditAttribution: johnbarclay commentedThanks. This is committed, but testing is in order. This along with some nested group issues in authorization are the only remaining bugs that I believe needed substantive code. Appreciate you following through on this.
Comment #22
shawn_smiley CreditAttribution: shawn_smiley commentedI wanted to drop in a quick status update on our internal testing of this update.
Our client has a fairly rigorous review workflow for regulatory compliance reasons. So as things stand right now, the committed patch has completed the internal review process by the client's IT team and has been moved into a QA environment for UAT by a small group of users. We expect to roll this update out to production within the next week or so.
So far, no issues have been identified other than an intermittent issue with logins taking a few seconds longer than normal. Though we think we've narrowed that down to routing/network latency issues on the corporate WAN.
Comment #23
kpmags CreditAttribution: kpmags commentedJust adding an error that I'm getting in testing beta6.
Please bear with me, I am four months in to drupal. I don't have any network/ldap/etc background to speak of.
I have 2 LDAP servers. On each I can successfully bind and can test drupal user names to pull data from AD - so I know I'm connecting.
Both servers are checked for authentication and "use server that performed authentication" is checked as well.
I can't create an account for a user on either platform. If I turn one or the other on, I can (as I could in beta5).
Watchdog logging turns up this error: Failed to load server object ldap_last_authserv in _ldap_servers_get_user_ldap_data
Any advice?
Should I add new instances of the servers with my same settings and disable the other ones?
Thanks for all the work on this module - and getting this patch in place - it's going to save me once I get it to work!
Comment #24
kpmags CreditAttribution: kpmags commentedI should add that the error I receive upon creating a user account is
Comment #25
Mr.Echo CreditAttribution: Mr.Echo commentedAre you able to authenticate users against the first server in the ldap server list (who have ldap entries in that server) when both are turned on?
Comment #26
kpmags CreditAttribution: kpmags commentedNo, I'm not.
It will only work if I select a specific server, not when I choose -- Use server which performed the authentication. Useful for multi-domain environments. --
Comment #27
johnbarclay CreditAttribution: johnbarclay commented