- Issue created by @AppLEaDaY
- 🇺🇸United States bluegeek9
Try testing the server.
admin/config/people/ldap/server/localhost_ldap_ds/test
- 🇮🇹Italy AppLEaDaY
I tried with an authentication name and a password of a user that is not known within Drupal.
The user is found in the directory service and the associated information is correctly retrieved, thanks!
The issue arises when attempting to use those credentials to log in: "Unrecognized username or password."
How can I go on?
Thanks in advance!
Andrea
- 🇺🇸United States bluegeek9
configuration is set to not create new accounts.
The ldap user settings have Application of Drupal Account settings to LDAP Authenticated Users set to: user_settings_for_ldap
'Account creation policy at /admin/config/people/accounts/settings applies to both Drupal and LDAP Authenticated users. "Visitors" option automatically creates and account when they successfully LDAP authenticate. "Admin" and "Admin with approval" do not allow user to authenticate until the account is approved.'
What is the account creation set to on admin/config/people/accounts/settings?
Who can register accounts?
Administrators only
Visitors
Visitors, but administrator approval is required
I would recommend changing "Application of Drupal Account settings to LDAP Authenticated Users" to the first option:
'Account creation settings at /admin/config/people/accounts/settings do not affect "LDAP Associated" Drupal accounts.'
- 🇮🇹Italy AppLEaDaY
Before understanding what you were suggesting, I went on /admin/config/people/accounts and on the choice Who can register accounts? I checked Visitors and I saved. (I cannot recall for sure now if the previous choice was Administrators only or Visitors, but administrator approval is required). As a result I could magically login with a user that was known only to the directory server and not to Drupal, besides the corresponding Drupal account was created and the user data found on the directory server were stored in Drupal.
Then I made the change you suggested, but I didn't notice any change in the behavior.
Later I had an idea. I got back on and in Who can register accounts? I checked Administrators only and I saved. Then I removed the recently created Drupal account and I repeated the login with the credential of a user known just to the directory server and not to Drupal. The outcome: I could again successfully log in and the user was created in Drupal - as well the data were fetched and stored. So I guess now I know why you suggested the mentioned change.
Now the issue is now I couldn't see any data synchronization between Drupal and the directory service. I mean I tried to change some data for the user in the Drupal interface, I received a Drupal message telling somehow the data had been saved, though actually old data from the directory service are still displayed. Then I tried to change a text at the directory service side. The Drupal user still logged in could not see the change. So I logged out, I logged in again and I could see the change. Apparently Drupal fetches user's data from the directory service just when the user logs in. This is acceptable. Though I expect I should be able to modify the data with Drupal and have the changes stored in the directory service...
Would you please help me in making the next necessary steps ahead?
In my mind I should be able to perform a bulk users creation at the Drupal side and then see the Drupal users registered in the directory service. This is because a small part of the user data is stored only in Drupal.
Thanks in advance!
Andrea
- 🇺🇸United States bluegeek9
There are a number of open issues related to provisioning to LDAP. Let me know if you get it to work.
🐛 LDAP is not updated when user set his password Active
🐛 Can't create LDAP entry -- undefined attribute type Needs review
#3260525: Unable to Create/Sync Drupal Users to LDAP →
#3247641: Unable to update LDAP entry on User edit →
- 🇮🇹Italy AppLEaDaY
I examined all the four issues you pointed to.
#3260525 is the closest to my case, but it's almost two years old and didn't get any answer.
With the other three ones I couldn't get any inspiration, but I rather got some doubt about the configuration itself.
For example I still wonder why in LDAP mappings I may possibly want to use user tokens instead of field names, as someone did.
And I also realized in my case a user creation at Drupal side does not produce a user creation at the directory service side. In the dblog the only possibly related message is of type ldap_user and it tells Failed to derive DN..
And I still wonder why on users created at Drupal side upon successful login with the directory service credential the password input box is disabled and I read below This email address is automatically set and may not be changed..
I guess I have a twofold problem: I don't have all the required understanding of the configuration and at the same time I still don't know how to troubleshoot - the messages in the dblog were not enough for me so far...
I cannot tell how many people in the world are now still trying like me to use the ldap module, though, especially in case succeeding is not expected to be difficult, some sort of vademecum with a reference case would be definitely appreciable.
I feel kind of lost. Would you please tell me what would you check to troubleshoot problems like the ones I mentioned?
Thanks in advance!
Andrea
- 🇺🇸United States bluegeek9
There is a new release of ldap, 8.x-4.7. None of the issues resolved in the new release are related to provisioning from Drupal to LDAP.
It does add a debug report. It lists your ldap settings, so you can copy and paste them to the issue so the community can help troubleshoot issues. Sensitive information is redacted, but still review the data before posting.
https://www.drupal.org/docs/extending-drupal/contributed-modules/contrib... →