LDAP User: The OrphanProcessor deactivates/deletes users if the connection to LDAP fails

Open on Drupal.org →

Created on 11 March 2022, over 2 years ago

Updated 4 October 2023, about 1 year ago

Problem/Motivation

We use the LDAP connection to generate and update Drupal user accounts. For users, who were kicked out of the LDAP server, the module provides a cron job to remove the orphaned Drupal accounts.
The cron job runs even if the connection to the LDAP server fails. Depending on the setting for the "Periodic orphaned accounts update mechanism" under LDAP User Settings, this might result in all user accounts with an LDAP connection being blocked or deleted.

Steps to reproduce

The setup should be quite common. I tested against a standard Drupal 9.3.7 and LDAP-Module 4.3.0. All submodules, except LDAP Authorization Provider, are active. There is 1 server and 1 query configured. LDAP accounts are synchronized from LDAP to Drupal but not back to LDAP. Obviously, the orphan processor is on and, in that case, set to "Delete the account and make its content belong to the Anonymous user.". After the configuration is set up correctly:

Run cron to synchronize the accounts.
Mess up the server connection to force a connection failure. Removing credentials works. Something on LDAP side should work too. The Server Configuration itself needs to stay active though.
Run cron again.
Check if the accounts are still existent and active or if the are blocked/deleted.

Proposed resolution

I'm afraid this can't be solved with "just configure your connection correctly". The connection to LDAP might fail unexpectedly due to some network failure or the bind account for the server getting blocked for example.
I propose to check the connection as soon as possible in the process and abort on failure: log the issue but don't change any account.
Doing that directly in the cron hook might be too early, since each user validation triggers another communication with LDAP and each of these might fail. The current check in
/ldap_servers/src/LdapBaseManager.php::searchAllBaseDns() runs too late since the function is meant to return an array. That array will be empty for "user not found" as well as "connection failed".
I applied a patch in /ldap_user/src/Processor/OrphanProcessor.php::ldapQueryEligibleUser() right after the check if the server (Drupal LDAP configuration) is enabled. However that required injecting another service which might be a bit heavy.

Remaining tasks

check proposed sollution

User interface changes

none

API changes

hopefully none

Data model changes

none

🐛 Bug report

Status

Fixed

Version

4.3

Component

Code

Created by

Live updates comments and jobs are added and updated live.

Incomplete comments

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇫🇮Finland risse
Tested the patch, works well in our environments.

I think this is a critical issue, since LDAP server that is not available can block every single user in the site.
Status changed to RTBC over 1 year ago9:47am 31 July 2023
Open in Jenkins → Open on Drupal.org →
Core: 9.5.x + Environment: PHP 8.1 & MySQL 5.7
last update over 1 year ago
43 pass, 2 fail
Comment over 1 year ago →
🇳🇱Netherlands Roderik de Langen
Tested this patch and it works!
Plz merge this ASAP cause like others are saying, this is really critical
Comment over 1 year ago →
System Message
The last submitted patch, check_server_availability_in_orphan_processor.patch, failed testing. View results →
- codesniffer_fixes.patch Interdiff of automated coding standards fixes only.
First commit to issue fork.
Comment about 1 year ago →
System Message

bluegeek9 → committed 61c07590 on 8.x-4.x authored by lars.stiebenz →
Issue #3269111 by lars.stiebenz, bluegeek9: LDAP User: The...
Status changed to Fixed about 1 year ago4:40pm 4 October 2023
Comment about 1 year ago →
🇺🇸United States bluegeek9
Comment about 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024