Co-Existing of local users and AD users & their database entry creation

[jonaskindermann]

Hello,

i am trying to have both, local users and AD users in my application, with the option to create local users via my UI. Additionally i allow admin users to adjust the ldap config using the UI to adjust port, host, base dn ...

Now lets say a admin user has not configured the connection to the AD yet and a local user is created with their AD mail as the (unique) email field. Now i got a local user in my database using their AD mail address (but without guid & domain, which i am storing for AD users).

Now to the problem: If the admin then enables AD users to join and the user (who already created a local user) now uses their email address of their AD account and tries to log in, i get a 500 error due to LdapRecord trying to create a database entry, even though the email already exists in the database.

Does anyone have an idea on how to catch that specific edge case?

Any help is appreciated :)

[stevebauman]

Hi @jonaskindermann,

Yes this use-case is built into LdapRecord-Laravel:

https://ldaprecord.com/docs/laravel/v3/auth/database/configuration/#sync-existing-records

Add the sync_existing configuration option in your LDAP auth user provider defined inside of the config/auth.php file:

'providers' => [
    // ...

    'users' => [
        // ...
        'database' => [
            // ...
            'sync_existing' => [
                'email' => 'mail',
            ],
        ],
    ],
],

[jonaskindermann]

Hi @stevebauman,
thank you for your quick response!

That's however not entirely what i meant, sorry for not explaining correctly.
This is my config/auth.php:

    'providers' => [
        'users' => [
            'driver' => 'ldap',
            'model' => LdapRecord\Models\ActiveDirectory\User::class,
            'rules' => [],
            'database' => [
                'model' => App\Models\User::class,
                'sync_passwords' => false,
                'sync_attributes' => [
                    'name' => 'cn',
                    'email' => 'mail',
                ],
                'sync_existing' => [
                    'name' => 'cn',
                    'email' => 'mail',
                ],
            ],
        ],

As you can see, i already got that entry set in my config and it is working as intended. If a user is logging in, an entry with their mail attribute is created in my database, so far so good.

However the issue i'm experiencing is occuring in the following scenario:
The Active Directory connection is configured and established and working.

A local user is created using the web UI, which creates an entry in my DB using the App\Models\User model. This user is created using their Active Directory mail as the email field in my DB.

Now this user is logging in using their mail. I think the package is trying to create the user entry at that point because now i got a duplicate key violation (i've removed my personal mail from the error):

SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '[_insert AD mail here_]' for key 'users.users_email_unique' 

[stevebauman]

Hi @jonaskindermann,

Remove 'name' => 'cn' from the sync_existing array and try again. This is likely the cause:

'sync_existing' => [
-   'name' => 'cn',
    'email' => 'mail',
],

[jonaskindermann]

Hey @stevebauman ,

thank you very much for your help, that did actually resolve the problem.
Great package btw :)