Authenticated method changes automatically


Juan Menéndez
Posts: 36

12 May 2022, 18:57

Hello

I am an administrator of a Mahara site and I have a problem with user authentication that I don't know how to solve.

In my Mahara there are 56 institutions and users can join more than one institution. All users must authenticate to my Mahara through LDAP and then decide which institutions they want to join. All institutions have internal authentication as the only authentication method, so that they can create other users that only authenticate internally.

The problem is:
When an administrator of an institution edits the data of an LDAP-authenticated user, this user automatically changes his authentication method to internal authentication.

How can I make it so that the authentication method of these users does not change automatically?

Thank you very much

Kristina Hoeppner
Posts: 4739

17 May 2022, 9:29

Hi Juan,

Can you please confirm for me a couple of things as I have not been able to replicate this issue yet?

  1. Are all your accounts in one 'proper' institution, i.e. not in 'No institution' (shortname 'mahara')? I.e. that all your account holders can be in multiple institutions?
  2. The institution administrators are only administrators in their own institution but also regular members in the all-encompassing institution?
  3. Which version of Mahara do you have? Ideally, you are on the latest release of one of our supported versions of Mahara (either 21.04, 21.10, or 22.04) so we know what your level of patching is and that you have the latest code.

Thank you

Kristina

Juan Menéndez
Posts: 36

17 May 2022, 18:54

Hi Kristina,


I will try to clarify those things that you ask me.

All user accounts are initially in "No Institution" (mahara) because they authenticate through LDAP and choose which institution they want to participate in after logging in for the first time.

LDAP authentication is only configured for the institution "No Institution" (mahara).

Institutions do not have any authentication method configured, only internal authentication, because new users that can be created manually by the administrators of these communities must have internal authentication and not LDAP authentication.

After authenticating to Mahara with LDAP, users can choose to join any of the institutions. They can join one or several institutions.

Community administrators are only administrators of their own community, they are not administrators of the site.

So the problem is:
When a user with LDAP authentication is already in one or several communities, if an administrator of that community clicks on the “username” in the "Users - User search" menu and changes any of its data, it automatically also changes the authentication method of this user to internal authentication.

The version of Mahara that I am currently using is 21.10, but the same thing happened in the previous versions: 21.04, 20.10 and 20.04.


Thank you very much for your help and your answer.

Juan

Ma
Posts: 14

18 May 2022, 5:10

Hello Juan,

I think I'm having a similar problem. I also noticed that authentication methods change automatically. My users have authentication method "no institution: saml".

As soon as I just click the user's username via /admin/users/search.php, the authentication method gets changed to internal authentication. Just by clicking the username and entering /admin/users/edit.php...Without even clicking "save".

I described this behaviour in the comments of a similar bug over 2 years ago: bugs.launchpad.net/mahara/+bug/1835688

I never really found out what's going on here. Just recently I was looking again at this whole authentication method and institution problems we have and posted some questions: mahara.org/interaction/forum/topic.php?id=9111

Robert Lyon told me that it is not allowed to have users in "no institution" AND in one or more actual institutions. It is just allowed for a person to be in "no institution" OR in one or more actual institutions. But we are having hundreds of users like this. Do you perhaps have the same or a similar problem? I think it has something to do with it.

Unfortunately Robert didn't answer me again until now.

Juan Menéndez
Posts: 36

18 May 2022, 6:37

Hi Ma,

I understand what you are saying and I think we are both describing the same problem.

What I don't understand is the answer that Robert Lyon has given you, that is, I understand that a person can't be in the "Non-institution" area AND also in another real institution at the same time, but I don't understand why the authentication method of that user changes in Mahara when he enters another institution.

On my Mahara site the authentication method is used to identify users in Mahara (all with LDAP authentication) and this does not depend on the institution to which the user belongs.

That is, only users registered in an LDAP database can access my Mahara site, so their authentication method should not be changed.

I'm going to wait and see what Kristina tells me.

Thank you very much for your input.

Juan

Ma
Posts: 14

18 May 2022, 9:18

Hi Juan,

What I understand is your users are initially only in the "No institution" and there you have configured your LDAP authentication. Then you add users to other institutions, right? After you have added users to other institutions, are these users still in the "No institution" too at this point? And are they still able to authenticate with LDAP then?

If they are still in the "No institution" in addition to their other institutions to which you have added them, I don't understand why Robert told me that it is not possible for a person to be in the "No institution" AND in one or more actual institutions.

If they aren't in the "No institution" anymore then, I don't understand how LDAP authentication can still work, since you said that LDAP authentication is just configured in the "No institution". When the users are no members of the "No institution" anymore, how could LDAP authentication still work?

I would be very happy to understand your configuration. Maybe this helps with my problem.

Juan Menéndez
Posts: 36

18 May 2022, 10:16

Hi again ;-)

My Mahara site is set up so that users can be members of multiple institutions at once.

In the menu "Admin - Site options - Institutions settings" the option "Users allowed multiple institutions" is selected.

In this way, all users are initially in the "No institution" area and can also join all the other institutions they want.

Their authentication method on the Mahara site should not change when they join other institutions and should remain only LDAP authentication which is enabled for the "No institution" area and never really changes until an administrator of a community edits their data.

Greetings :-)

Juan

Juan Menéndez
Posts: 36

18 May 2022, 21:47

Hello everyone,

After rereading my previous messages and seeing Ma's contributions, I realized that maybe I didn't explain myself correctly.

The problem I'm trying to expose is that when a user joins a community, as soon as that community's admin clicks on that user's username via /admin/users/search.php, the authentication method gets changed to internal authentication.

This is a big problem on my Mahara site, because that user can no longer log in with LDAP authentication configured for the "No institution" area, which should be the only default authentication for all users on my Mahara site.

Greetings

Juan

Kristina Hoeppner
Posts: 4739

19 May 2022, 7:42

Hi Juan and Ma,

What Robert wrote is correct. You cannot be in 'No institution' and another institution at the same time unless you customised your Mahara instance to allow for that. You can view 'No institution' as a sort of holding pattern for people who aren't yet or aren't any more in an institution so that their accounts aren't deleted automatically. But as soon as someone joins an institution, they are moved out of 'No institution' and also lose the authentication method associated with their account in 'No institution' as that authentication method then is not available in the institution or institutions they joined. The only exception is the internal authentication as that stays the same.

Several years ago we changed it so that when a site admin views the account settings page of a person in an institution or multiple institutions, that they can only see the authentication methods available in those institutions instead of all on the site. Institution admins always only see the authentication method of the institution for which they are institution admins.

Because you only have the authentication methods available to an account holder that are allowed in the institutions to which they belong, their auth method is switched automatically away from the one they have in 'No institution' when they join another institution. It should be the first one listed, which is often internal.

If you don't want someone to lose their 'original' authentication method, you would set everyone up in an institution that holds everyone (not 'No institution') and then allow them to join other institutions. Then they will keep the authentication method from the original institution even when an institution admin updates their account settings page, which I verified on one of our sites.

Cheers

Kristina

P.S. A similar conversation is held elsewhere.
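
Added example, not part of the original thread and not Mahara code: a small audit that lists accounts which have joined an institution but still carry an authentication method owned by an institution they are not in, which is the situation the reply above says ends in an automatic switch. The table and column names, the sample rows, and the use of a `priority` column to model "first one listed" are all assumptions made for illustration.

```python
import sqlite3

# Constructed, simplified tables for illustration; NOT Mahara's real schema.
SCHEMA = """
CREATE TABLE auth_method (id INTEGER PRIMARY KEY, institution TEXT, kind TEXT, priority INTEGER);
CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT, auth_method INTEGER);
CREATE TABLE membership (account INTEGER, institution TEXT);
"""
# Constructed sample data: LDAP on 'mahara' ("No institution") and on a catch-all 'everyone'.
SAMPLE = """
INSERT INTO auth_method VALUES (1,'mahara','internal',0),(2,'mahara','ldap',1),
  (3,'chemistry','internal',0),(4,'everyone','ldap',0),(5,'everyone','internal',1);
INSERT INTO account VALUES (10,'alice',2),(11,'bob',2),(12,'carol',4),(13,'dave',3);
INSERT INTO membership VALUES (10,'chemistry'),(12,'everyone'),(12,'chemistry'),(13,'chemistry');
"""
# Accounts that joined an institution but still use a method owned by one they are not in.
AT_RISK = """
SELECT a.username, m.kind, m.institution
FROM account a JOIN auth_method m ON m.id = a.auth_method
WHERE EXISTS (SELECT 1 FROM membership x WHERE x.account = a.id)
  AND NOT EXISTS (SELECT 1 FROM membership x
                  WHERE x.account = a.id AND x.institution = m.institution)
ORDER BY a.username
"""
# Assumption: "first one listed" is modelled as lowest priority value, then lowest id.
FALLBACK = """
SELECT m.kind FROM auth_method m JOIN membership x ON x.institution = m.institution
WHERE x.account = (SELECT id FROM account WHERE username = ?)
ORDER BY m.priority, m.id LIMIT 1
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def accounts_at_risk(db):
    return db.execute(AT_RISK).fetchall()

def fallback_method(db, username):
    row = db.execute(FALLBACK, (username,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    for username, kind, inst in accounts_at_risk(db):
        print(f"{username}: {kind}@{inst} -> {fallback_method(db, username)} on next edit")
```

In the sample data, `carol` keeps LDAP because her method belongs to the catch-all institution she is a member of, while `alice` is flagged because her LDAP method belongs only to "No institution".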

Juan Menéndez
Posts: 36

19 May 2022, 10:06

Hi Kristina,

First of all, thank you very much for your answer and for your clarifications.

From what you tell me, I understand that the only way that the users of my Mahara site do not lose their authentication method is that all of them are in a real initial institution that has the LDAP method configured and then they can already join other institutions.

Can this be done automatically? That is, how can I make it so that all users who authenticate for the first time on my Mahara site automatically join a certain institution?

My Mahara site has about 9500 users, so it's not possible to do it manually.

Thank you very much, again, for your help.


Greetings

Juan
