Forums | Mahara Community

Mahoodle - second 'mirror' username


Account deleted
Posts: 8

17 February 2011, 5:41

If a user (with say username: moodl01) logs into Mahara via the usual method (LDAP) the account created is indeed moodl01. However as Mahara only seems to accept one login method per user, if the same user (moodl01) then logs in via Moodle (i.e. Mahoodle - an institution login) the username created is moodl011 (i.e. moodl01 + the character '1'). The profile data is correct under this circumstance - everything is carried across but this second 'mirror' username is still undesirable.

Is this inevitable or is there a 'solution' to this - in other words, can this second 'mirror' username be avoided?

Posts: 253

28 February 2011, 9:50

There's a "solution" to it, but you should be aware of all the implications of it before enabling the relevant option.

There's a setting called "usersuniquebyusername" that can only be set manually in the config file. This is on purpose to avoid someone turning it on by mistake and opening a big security hole in their Mahara install.

This is what the code says about the setting:

        // When turned on, this setting means that it doesn't matter
        // which other application the user SSOs from, they will be
        // given the same account in Mahara.
        //
        // This setting is one that has security implications unless
        // only turned on by people who know what they're doing. In
        // particular, every system linked to Mahara should be making
        // sure that same username == same person.  This happens for
        // example if two Moodles are using the same LDAP server for
        // authentication.
        //
        // If this setting is on, it must NOT be possible to self
        // register on the site for ANY institution - otherwise users
        // could simply pick usernames of people's accounts they wished
        // to steal.

So unless you are absolutely sure that the same username equals the same person in every single authentication system that you use, and that all institutions defined in your Mahara install have auto-registration disabled, you will get in Big Trouble(tm). E.g., someone can auto-register an account with the same username as an existing Moodle user and effectively act as that user. In fact, they will be the same user!!! (as a bonus, think what happens if that Moodle user is a privileged user in Mahara)

So don't enable this setting unless you are really sure you know what you are doing!

Saludos.
Iñaki. 

Account deleted
Posts: 8

A post by Account deleted was deleted

Posts: 253

06 April 2011, 2:34

Hi Adrian,

yes, you are correct. As Mahara doesn't know whether the (real) users are the same when using different login methods, it simply creates a new user for each login method (unless you use the setting I mentioned before).

Saludos.
Iñaki.
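
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Mahara's code: a toy model of per-login-method accounts, the merged accounts that "usersuniquebyusername" gives, and the pre-check the quoted comment calls for (no self-registration for any institution). The class, the source and institution names, and the suffix scheme (modelled on the moodl011 observation above) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Site:
    """Toy model of SSO account resolution; not Mahara's implementation."""
    unique_by_username: bool = False                 # models usersuniquebyusername
    self_registration: dict = field(default_factory=dict)  # institution -> allowed?
    links: dict = field(default_factory=dict)        # (remote name, source) -> local name
    local: set = field(default_factory=set)          # local usernames in use

    def unsafe_institutions(self):
        """Institutions whose self-registration makes the setting unsafe."""
        return sorted(i for i, on in self.self_registration.items() if on)

    def enable_unique(self):
        """Turn the setting on only if no institution allows self-registration."""
        bad = self.unsafe_institutions()
        if bad:
            raise RuntimeError(f"self-registration enabled for: {', '.join(bad)}")
        self.unique_by_username = True

    def login(self, username, source):
        """Return the local account a (username, source) login is attached to."""
        key = (username, source)
        if key not in self.links:
            name, n = username, 0
            # Default: a name already owned by another source gets a suffix.
            while name in self.local and not self.unique_by_username:
                n += 1
                name = f"{username}{n}"
            self.local.add(name)
            self.links[key] = name
        return self.links[key]

def demo():
    # Constructed sample data: two sources backed by the same LDAP directory.
    default = Site()
    first = default.login("moodl01", "ldap")
    mirror = default.login("moodl01", "moodle")      # separate 'mirror' account
    merged = Site(unique_by_username=True)
    merged.login("moodl01", "ldap")
    same = merged.login("moodl01", "moodle")         # same account, as intended
    # Misconfiguration: setting forced on while one institution self-registers.
    risky = Site(unique_by_username=True, self_registration={"inst-a": False, "inst-b": True})
    risky.login("moodl01", "moodle")
    collided = risky.login("moodl01", "selfreg:inst-b")  # lands in existing account
    return first, mirror, same, collided, risky.unsafe_institutions()

if __name__ == "__main__":
    print(demo())
```

In the last case the self-registered login resolves to the existing moodl01 account, which is why `enable_unique()` refuses to switch the setting on while `unsafe_institutions()` is non-empty.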
