
mahara-contributors team mailing list archive

[Bug 536959] Re: Multiple institutions with separated LDAP servers authentication

 

Hi -
I've committed to head - [master b57da3b] Allow the trial of an individual auth instance to fail gracefully so that others in the chain can still be tried (bug #536959).

This enables auth plugins to fail but not kill the chain, and auth/ldap
has been modified to reflect that. There is a log_warn("LDAP connection
failed: "...) given if the bind fails for whatever reason, which should
enable you to track down which one is giving trouble.

Please cherry-pick this, and let me know how you get on.

Cheers,
Piers Harding.

-- 
Multiple institutions with separated LDAP servers authentication
https://bugs.launchpad.net/bugs/536959
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.

Status in Mahara ePortfolio: New

Bug description:
Hello Mahara people,

I'm running Mahara 1.2.2 with several institutions, each using a different LDAP server for authentication.
The normal procedure is: when a guest is logging in, Mahara loops through the array of all LDAP servers defined as institutions' auth methods. When binding within a certain LDAP is successful, the loop is broken and Mahara logs the user in.
However, if one of the LDAP servers is experiencing difficulties, i.e. network problems, server unavailable, expired SSL certificate etc., Mahara will throw an exception and the loop will be broken, resulting in a bad login. In other words, if any of the LDAP servers goes offline, authentication will be "disabled" for all institutions despite the fact that each institution uses a different LDAP server. Of course, if the first LDAP in the array is offline the rest is useless as the loop is interrupted by the exception; if the last one is offline the chance of a bad login is much lower as a previous one may pass...

The problem is in auth/ldap/lib.php line #146

throw new AuthUnknownUserException('Cannot connect to any LDAP hosts');

I solved the issue by commenting this line and adding code for logging LDAP errors, though I would like to avoid code hacking. Will someone consider this for upcoming releases?

Thanks for reading.

Cheers,

Andrej
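The failure mode Andrej describes, and the per-instance graceful failure Piers's commit introduces, as an added example in PHP 8. This is not Mahara's code: the class names, the AuthInstanceUnavailableException, the stand-in LDAP instances (no real LDAP connection is made) and the credential table are all constructed for illustration; only the log_warn() name and the "LDAP connection failed:" message text come from the thread.

```php
<?php
// Added example, not Mahara's code: an authentication chain in which one
// backend outage is logged and skipped instead of aborting every institution's login.

// Hypothetical exception type standing in for "could not connect/bind to this LDAP host".
class AuthInstanceUnavailableException extends Exception {}

interface AuthInstance {
    public function name(): string;
    // true = credentials accepted, false = rejected,
    // throws AuthInstanceUnavailableException = backend unreachable (not an answer either way).
    public function authenticate(string $username, string $password): bool;
}

// Constructed stand-in for an institution whose LDAP server is down
// (network problem, expired certificate, host offline).
class UnreachableLdap implements AuthInstance {
    public function __construct(private string $host) {}
    public function name(): string { return $this->host; }
    public function authenticate(string $username, string $password): bool {
        throw new AuthInstanceUnavailableException("LDAP connection failed: cannot bind to {$this->host}");
    }
}

// Constructed stand-in for a reachable institution; the plaintext table replaces a real bind.
class StubLdap implements AuthInstance {
    public function __construct(private string $host, private array $users) {}
    public function name(): string { return $this->host; }
    public function authenticate(string $username, string $password): bool {
        return isset($this->users[$username]) && hash_equals($this->users[$username], $password);
    }
}

// Stand-in for Mahara's log_warn(): records the failing host, never the credentials.
function log_warn(string $msg): void { fwrite(STDERR, "[warn] $msg\n"); }

// Before the fix: the exception from the first unreachable server propagates out of
// the loop, so institutions later in the chain are never tried.
function login_fragile(array $chain, string $username, string $password): bool {
    foreach ($chain as $auth) {
        if ($auth->authenticate($username, $password)) {
            return true;
        }
    }
    return false;
}

// After the fix: each instance is tried in isolation. An outage is logged with the
// instance that caused it and the loop moves on; only a rejected credential or a
// chain where every backend was tried ends in a failed login.
function login_graceful(array $chain, string $username, string $password): bool {
    foreach ($chain as $auth) {
        try {
            if ($auth->authenticate($username, $password)) {
                return true;
            }
        } catch (AuthInstanceUnavailableException $e) {
            log_warn($e->getMessage() . ' (auth instance ' . $auth->name() . '), trying next');
        }
    }
    return false;
}

// Constructed chain: institution A's server is offline, institution B's is fine.
$chain = [
    new UnreachableLdap('ldap.institution-a.example'),
    new StubLdap('ldap.institution-b.example', ['andrej' => 'correct horse']),
];

try {
    var_dump(login_fragile($chain, 'andrej', 'correct horse'));
} catch (AuthInstanceUnavailableException $e) {
    echo 'fragile chain aborted: ' . $e->getMessage() . "\n";
}
var_dump(login_graceful($chain, 'andrej', 'correct horse'));
var_dump(login_graceful($chain, 'andrej', 'wrong password'));
```

Two points worth keeping in mind when adopting this pattern: the catch must be specific to the "backend unreachable" condition so that a genuine credential rejection from one instance is still treated as a rejection and not retried elsewhere, and once outages are swallowed inside the loop the user-facing result of "all backends down" looks identical to "wrong password", so the per-instance warning in the log is the only thing that tells an administrator which server is at fault.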