Contrib.social

Updating and Deactivating a User Created via Query with an LDAP Filter

Open on Drupal.org →
Created on 27 January 2025, 4 months ago

Problem/Motivation

I’m unsure whether this is a bug or if we’ve made a configuration mistake.

The observation has shown that users are neither updated nor deactivated when their LDAP group memberships, which are specified as filters in the LDAP query, are removed.

What we aim to achieve is that users are deactivated when they no longer meet the filter criteria in the query used to create them. One use case is that users may change departments or roles within the company, which should also update their access rights or access levels for specific systems. The LDAP system should take the lead in this process. The assignment is typically managed via group memberships defined by "memberOf" attributes.

Debug Report

We have configured the LDAP module to create users in Drupal using the query. Additionally, role assignments are managed through the LDAP Authorization Provider, which grants administrative rights.

There is only one query configuration, which is used both for creating and updating users. It seems there is no way to differentiate between the two processes, which might be part of the issue.

The query uses an LDAP filter in the form of: "(|(memberOf=DRUPAL_USER)(memberOf=DRUPAL_ADMIN))"

When a user no longer belongs to any of the specified LDAP groups, the following occurs:

  • The user is not deactivated by the OrphanProcessor (via cron) and retains access to Drupal.
  • The user is no longer updated by the GroupUserUpdateProcessor (via cron), meaning that authorizations are also not updated.
  • The user is updated but not deactivated when they log in to the system again.

The lack of role updates via cron is less critical, though it is inconvenient and causes confusion because users retain outdated role assignments in Drupal until they log in again. More concerning, however, is that users are not deactivated and can still authenticate. Depending on the configuration, content may remain associated with these users and is not updated according to the settings.

Proposed resolution

I believe the OrphanProcessor should be adjusted to apply the same filter when checking a user against LDAP as is used when creating the user.

The patch illustrates the intended functionality. However, an additional option may need to be added to the LDAP User module to make this behavior configurable.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

4.12

Component

Code

Created by

🇩🇪Germany dke

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 4 months ago
    🇪🇸Spain fjgarlin
  • Comment 3 months ago
    🇩🇪Germany dke

    I have created an issue fork (ldap-3502469) and added the option as a selectable choice.
    This would be my suggestion for how it could be implemented, if that's the intended approach.

  • Comment 3 months ago
    🇩🇪Germany dke
  • First commit to issue fork.
  • Comment about 2 months ago
    tenguiz

    As a colleague of dke, I have reviewed his suggestion in the context of our use case and made a few small improvements:

    1. Removal of the Update Hook: I have removed the update hook, as it was only setting the new configuration to false. This is unnecessary because undefined keys are treated as null, which is equivalent to false in a boolean context.
    2. Adjustment of the Query Filter: I adjusted the query filter to ensure that it prevents invalid LDAP queries, regardless of whether the parentheses are present or not.

    This code change now successfully deactivates users who no longer meet the filter criteria, thereby resolving the issue we encountered.

  • Merge request !106Updating and Deactivating a User Created via Query with an LDAP Filter → (Open) created by Unnamed author
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024