Contrib.social

ldap_last_authserv is not implemented in D8+?

Open on Drupal.org β†’
Created on 23 November 2023, about 1 year ago
Updated 23 February 2024, 11 months ago

Problem/Motivation

We have multiple LDAP server for the purpose of authentication. In D7, this works perfectly as we can choose ldap_last_authserv as the provisioning server.

However, I can't find this option anymore in D8.

Steps to reproduce

1. Create 2 LDAP server configurations to connect to the same LDAP server with different auth name attribute, or connect to 2 different LDAP servers. (There is also a bug where account name attribute is not the same as auth name attribute, see πŸ› Drupal\ldap_user\Processor\DrupalUserProcessor::createDrupalUser() uses Drupal account name instead of authName value in the authmap table Needs work )
2. Go to LDAP User Settings form and choose the first LDAP server as the provisioning server.
3. Enable Detailed LDAP Watchdog logging.
4. Try to log in (for the first time) with a user from the second LDAP server.
5. Check watchdog entries which show that authentication works, but provisioning does not:
- Authentication result is "Authentication successful (no issue)"
- Failed to find associated LDAP entry for username in provision.

Questions

1. Is it intentional to not port ldap_last_authserv feature to D8? Why so?
2. If not, what and how can I help to port this over?

Partial workaround

I create 1 more server and call it "provisioning server". For our use case, LDAP server 1 & 2 actually point to the same LDAP server, but with different base DN and different authname. So the users authenticating to either server has unique CN and I use it to provision and map the user fields in Drupal. It works well for first time login (user creation), but not so for subsequent login: authentication works, but there is no update done from LDAP to Drupal because there is mismatch authname against the provisioning server. Authname stored in authmap table is taken from the authname attribute defined in LDAP server 1 & 2. DrupalUserProcessor::syncToDrupalAccount() only recognises the provisioning server in order to pull the LDAP entry, and there is only 1 provisioning server, which authname attribute does not agree with the authname previously stored in authmap table.

Remaining tasks

  1. Fix the logic for both provisioning new user and authenticating existing user
  2. Write test for ldap_last_authserv
✨ Feature request
Status

Needs work

Version

4.0

Component

Code

Created by

πŸ‡ΈπŸ‡¬Singapore loziju

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @loziju
  • Comment about 1 year ago β†’
    πŸ‡ΈπŸ‡¬Singapore loziju
  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States bluegeek9
  • Merge request !62Add back ldap_last_authserv feature from D7. β†’ (Open) created by loziju
  • Status changed to Needs review about 1 year ago
  • Comment about 1 year ago β†’
    πŸ‡ΈπŸ‡¬Singapore loziju

    @bluegeek9 appreciate your guidance for my first attempt to add this feature in MR62. Please let me know what needs to be improved.

  • Pipeline finished with Failed
    about 1 year ago
    Total: 349s
    #54482
  • Status changed to Needs work about 1 year ago
  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States bluegeek9

    The tests are failing.

  • Pipeline finished with Failed
    11 months ago
    Total: 164s
    #101335
  • Pipeline finished with Success
    11 months ago
    Total: 167s
    #101495
  • Status changed to Needs review 11 months ago
  • Comment 11 months ago β†’
    πŸ‡ΈπŸ‡¬Singapore loziju

    @bluegeek9

    > This file should be removed: DrupalUserProcessor.php.orig
    My bad, the file was added inadvertently.

    The tests should pass now.

    Besides the failing test, I also identified another error (not caught by any test!) when creating a new user. Apparently my previous fix only solved the authentication of user, but not provisioning of user.

    Let's see if the latest few commits should do it.

  • Status changed to Needs work 11 months ago
  • Comment 11 months ago β†’
    πŸ‡ΈπŸ‡¬Singapore loziju

    MR past the tests, but it's because there's no test on ldap_last_authserv yet. The feature not working yet for creating new user.

    Remaining things to do:
    - Fix the logic for both provisioning new user and authenticating existing user
    - Write test for ldap_last_authserv

  • Comment 11 months ago β†’
    πŸ‡ΈπŸ‡¬Singapore loziju
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024