Drupal\ldap_user\Processor\DrupalUserProcessor::createDrupalUser() uses Drupal account name instead of authName value in the authmap table

Open on Drupal.org →

Created on 11 July 2023, over 1 year ago

Updated 21 November 2023, about 1 year ago

Problem/Motivation

Drupal\ldap_user\Processor\DrupalUserProcessor::createDrupalUser() function stores Drupal account name as authName in authmap table. When new users are created in Drupal, the Drupal account name is derived from the value of the accountName attribute. This is fine when the authName and accountName share the same attribute, e.g. for AD usually it's sAMAccountName. However, when the accountName attribute is different than the authName attribute, the login function breaks.

Steps to reproduce

Configure a LDAP server, and set different attributes for authentication name and account name. E.g. we use userPrincipalName for authName attribute and sAMAccountName for accountName attribute.
Create / use existing user object in the LDAP server. Make sure that the values for authName and accountName are different in the LDAP server. E.g. we use johndoe for accountName and johndoe@realm for authName.
Configure the authentication to exclusive mode and user provisioning settings to sync user from LDAP to Drupal.
Make sure that the user does not exist in Drupal.
Log in as the user in Drupal. User should be created successfully. Observe the authmap table. You should observe abc in the authname column.
Log out, and try to log in again. You should encounter the error here.
Update the authmap table manually, change authname to abc@realm.
Try logging in as the same user again. This should be successful.

Proposed resolution

Store the authName value obtained from LDAP server (instead of Drupal account name) in the authmap table when creating a new Drupal user.

Remaining tasks

Review the submitted patch and merge to main.

User interface changes

None.

API changes

None.

Data model changes

The authname column in authmap table is changed from Drupal account name to LDAP authname.

This should be fine for sites which use the same accountName attribute as the authName attribute.
For sites which use different attributes, the only way those sites managed to get it to work in the first place is that the value of the authName attribute is the same as the value of the accountName attribute, and therefore there is no issue updating the code without updating the database value.

Conclusion: no hook_update_N is necessary.

Release notes snippet

Fix Drupal\ldap_user\Processor\DrupalUserProcessor::createDrupalUser() to store authName in the authmap table.

🐛 Bug report

Status

Needs work

Version

4.0

Component

Code

Created by

🇸🇬Singapore Lee Jun Long

Live updates comments and jobs are added and updated live.

Incomplete comments

Sign in to follow issues

Merge Requests

!38Drupal\ldap_user\Processor\DrupalUserProcessor::createDrupalUser() uses Drupal account name instead of authName value in the authmap table
Open
🇸🇬Singapore Lee Jun Long
updated 8 months ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Merge request !38Store authname value in authmap instead of Drupal account name. → (Open) created by Lee Jun Long
Open in Jenkins → Open on Drupal.org →
Core: 9.5.x + Environment: PHP 8.1 & MySQL 5.7
last update over 1 year ago
42 pass, 2 fail
Pipeline finished with Failed
about 1 year ago
#44082
First commit to issue fork.
Comment about 1 year ago →
🇸🇬Singapore Lee Jun Long
Hi bluegeek9,

Just curious, why was branch '8.x-4.x' merged into my MR? I had thought it would be the other way round (or maybe I am not looking at the right place).
Comment about 1 year ago →
🇺🇸United States bluegeek9
Hi @Lee Jun Long,

Your branch was stale. It was 17 commits behind 8.x-4.x. Your pull request is still open. I am merging 8.x-1.x again to pull in the changes to Gitlab CI. Drupal 9 is no longer supported in the CI pipeline. The tests should run and pass now.

I don't know if this is needed since the username is mapped to the domain username.
Status changed to Needs work about 1 year ago5:27pm 21 November 2023
Comment about 1 year ago →
🇺🇸United States bluegeek9
The tests fail with your changes.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024