12 November 2020, 22:50

We have a small number of users who are unable to login to our Mahara despite *definitely* using the correct credentials. We use LDAP for authentication so the password is not internal anyway. 

I've looked long and hard at database tables (and our LDAP setup) and cannot see anything different about these users. 

Is there anything that might account for this that I may have missed?

28 November 2020, 19:15

Hi Howard,

Apologies for the late reply. So some people from your LDAP can log in and others can't and the only differences are username and password? Their accounts are not suspended in any way? Double check by going to the account preferences page in the administration (from the User / People search click on the username) and check that there is no expiry date. In some rare instances we encountered the problem that people were set to suspended, but didn't have the suspended flag, which would highlight their account in the search.

If that's not the case, I assume they can log in properly in another application? Did you check the Mahara error and access logs for any entries after they tried their login?

Best,

Kristina

05 February 2021, 6:37

I thought this had gone away (after an upgrade) but has come back to haunt us.

Can you walk me through the suspended stuff. I can't see any suspended date on the account settings screen. There is a suspend/delete link.

The database record has NULLs for the three 'suspended' fields. 

We have a test site with exactly the same version and exactly the same LDAP authentication and that works fine. 

There's nothing in the log tables for these users. It looks exactly like a failed login.... "You have not provided the correct credentials to log in. Please check your username and password are correct."

05 February 2021, 10:57

Hi Howard,

That error message is the catcall one so it doesn't tell us if the person can't login because they are not allowed to or if some other configuration issue is in play.

Can I get you to add the following bit of code

log_debug('can reach here');

to the htdocs/auth/ldap/lib.php file

inside the authenticate_user_account() function on line 118

put one just after the { 

and another at the end of the function before the `return false;` line

to see if we actually get all the way thru the ldap authentication (or if it is using ldap at all)

You should be able to see the log_debug output in the error logs for the site

Cheers

Robert

08 February 2021, 22:32

Thanks Robert.

Unfortunately, there is a great deal of resistance to debugging on the live servers so that's my last resort. We're going to do some debugging from the LDAP side today to see if the LDAP server is even asked. 

Possibly like you, I'm wondering if Mahara is looking at the wrong authentication for some reason. The user is pointing at LDAP authentication as the default, but...