This is a spin-off of the work done on #1740978: LDAP Authentication and LDAP User: LDAP not allowing to authenticate to multiple servers.

When you have multiple servers handling authentication for different domains it can be beneficial from a performance standpoint for the LDAP module to prioritize the order in which it queries the LDAP servers based on the last known success for a user.

For example:

  • We have 2 LDAP servers managing two completely independent domains.
  • When a user logs in, if they belong to the 2nd domain they still get an authentication check against the 1st domain.

This patch adds a bit of logic to the ldap_authentication.inc file to detect if their are multiple servers defined and if the user has previously had a successful login. If these two conditions are met, the patch changes the order of the $auth_conf->enabledAuthenticationServers array so that the server they last successfully authenticated against is the first server tried during this login attempt.

CommentFileSizeAuthor
ldap-prioritylogin.patch1.49 KBshawn_smiley
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

johnbarclay’s picture

johnbarclay CreditAttribution: johnbarclay commented

I agree with the spirit/essence of the patch, but have not tested it. I'll commit it after more testing/review. Thanks.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan at PreviousNext commented
Issue summary: View changes
Status: Needs review » Needs work

Looks good, just a couple of nitpicks

  1. +++ b/ldap_authentication/ldap_authentication.inc
@@ -208,6 +208,22 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state, $re
+    if ($auth_conf->ldapUser->drupalAcctProvisionServer == LDAP_USER_AUTH_SERVER_SID) {

    This should be === 

  2. +++ b/ldap_authentication/ldap_authentication.inc
@@ -208,6 +208,22 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state, $re
+      if ($preferred_sid && $preferred_sid != LDAP_USER_AUTH_SERVER_SID && isset($auth_conf->sids[$preferred_sid])) {

    !==

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl as a volunteer commented
Status: Needs work » Needs review
grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl as a volunteer commented
Version: 7.x-2.x-dev » 8.x-3.x-dev
Issue tags: -Performance
grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl as a volunteer commented
Version: 8.x-3.x-dev » 7.x-2.x-dev
Status: Needs review » Closed (outdated)

Patch only relevant for 7.x and not really applicable to 8.x, would need rewrite and currently no effort here.