Hi LDAP module maintainers!
I am wondering if there's been any thinking on the track of supporting LDAP usage when there are several contexts, where they may contain conflicting usernames.
The most common example involves educational institutions with "student" and "staff" contexts. Let's imagine for my examples that the "student" context is listed first in the configuration.
Right now, when logging in, "first context wins", AFAICS. When running sync, however, sync dies. I could declare this an inconsistency, just fix the sync breakage, and move on.
However, I think that the "first context wins" behaviour is bogus and buggy.
What if we have a johnsmith student account, and we add a johnsmith lecturer? The lecturer can't log in.
Let's start again. Say lecturer johnsmith is there first. Things are even more fun now. He is quite good with Moodle, so let's give him some admin rights. Then add student johnsmith to LDAP. New student logs in and... hmm! Lots of extra power to the newcomer.
I see two paths forward on this track:
- Allow admins to set a prefix for the username string. So the "contexts" config option can list a prefix with each context. So a config like "ou=students,o=myorg; prefix=s:ou=staff,o=myorg" would mean that "staff" accounts would have their Moodle username as "s:johnsmith".
- Change the auth API so that active modules can "inject" form elements into the login form, so the login form would perhaps have a drop-down menu. This would be a much bigger project.
Thoughts?
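To make the collision concrete, here is a small added model (not Moodle code, and not from the post above) of the proposed "prefix=<p>:<dn>" context syntax: it parses the config, shows which context "first context wins" picks for a duplicated uid, and runs a sync that reports username collisions instead of dying. The directory contents, context DNs and the parsing rules for the prefix syntax are assumptions based on the example in the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    dn: str
    prefix: str  # "" when no prefix is configured for this context


def parse_contexts(config: str) -> list[Context]:
    """Parse the proposed syntax: entries separated by ';',
    each optionally written as 'prefix=<p>:<dn>' (assumed grammar)."""
    contexts = []
    for entry in config.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        prefix = ""
        if entry.startswith("prefix="):
            prefix, _, entry = entry[len("prefix="):].partition(":")
        contexts.append(Context(dn=entry, prefix=prefix))
    return contexts


def moodle_username(ctx: Context, uid: str) -> str:
    """Moodle account name derived from the LDAP uid and the context prefix."""
    return f"{ctx.prefix}:{uid}" if ctx.prefix else uid


def first_context_wins(contexts, directory, uid):
    """Current login behaviour: the first context containing uid is used."""
    for ctx in contexts:
        if uid in directory.get(ctx.dn, set()):
            return ctx.dn
    return None


def sync_usernames(contexts, directory):
    """Map every LDAP entry to a Moodle username; collect collisions
    (same Moodle username from two contexts) rather than aborting."""
    seen, collisions = {}, []
    for ctx in contexts:
        for uid in sorted(directory.get(ctx.dn, set())):
            name = moodle_username(ctx, uid)
            if name in seen:
                collisions.append((name, seen[name], ctx.dn))
            else:
                seen[name] = ctx.dn
    return seen, collisions


# Constructed sample directory: johnsmith exists as both a student and a lecturer.
DIRECTORY = {
    "ou=students,o=myorg": {"johnsmith", "janedoe"},
    "ou=staff,o=myorg": {"johnsmith", "profx"},
}
UNPREFIXED = "ou=students,o=myorg;ou=staff,o=myorg"
PREFIXED = "ou=students,o=myorg; prefix=s:ou=staff,o=myorg"
```

With UNPREFIXED the lecturer is shadowed by the student entry and sync reports one collision; with PREFIXED the two become "johnsmith" and "s:johnsmith" and the sync is clean.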