Creating new users fails when Delegated LDAP is configured with Stash
In a Stash instance with "Delegated LDAP" configured and placed first in the User Directory list (above the Internal Directory), the following scenarios can be observed when trying to create a new user from the Administration -> Users page:
1) If you checked the box for "Email a link to the user to set their password" and provided an email address, following the link and attempting to set the password fails. An error banner shows:
Could not update password for <user>
2) If you uncheck the box for "Email a link to the user to set their password" and then provide a password, you're able to successfully create a user. However, you're unable to log in as that user with that username/password combination. You get an error banner:
Invalid username or password.
3) If you look up the user as an administrator, click the "change password" button and enter a new password, you get an error banner with a message:
Could not update password for <username>
4) User creation through LDAP works fine.
There is no actual problem here if that is your scenario - it is working as intended. The RFC 2307 OpenLDAP configuration you are using is read-only - as it says in the name: "OpenLDAP (Read-Only Posix Schema)". The ability to add users with this configuration is a bit ugly, given its "read-only" nature.
In the delegated authentication case, specifically if you don't have "Copy User on Login" checked, you need to manually add the user to Stash first and then they can use delegated authentication to log in. It is assumed that a matching user will be found in LDAP for the user you just created, and their credentials will be drawn from the external directory to allow them to authenticate. Even when "Copy User on Login" is checked, administrators may sometimes wish to create the user in Stash first (for example, so that they can specify groups for that user).
The functionality explained above results in the following symptoms:
- When you e-mail the new user they can't set their password – the directory's credentials are read-only, and the Stash-side password is never used anyway.
- When you create the user with an explicit password you can't update it.
- When you try to authenticate as that user you can't – the password defined in Stash doesn't exist in LDAP so the delegated authentication fails.
If you want to be able to create local users with Stash handling the authentication internally, you can move "Stash Internal Directory" above "Delegated LDAP Authentication" on the "User Directories" screen. When manually creating users, users are created in the first listed directory that allows it. That means if you change the order, users will be created in "Stash Internal Directory" instead. In that directory users are allowed to change their password.
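The following is an added illustrative model, not Stash's own code, of how the ordered directory list decides where a manually created user lands, which directory handles a password change, and which directory checks credentials at login. Directory names match the article; the LDAP contents ("bob" with password "ldap-pass"), the user "alice", and the rule that the first directory holding a user's record handles that user are constructed assumptions for the model. Running it reproduces the three symptoms with "Delegated LDAP Authentication" listed first, and shows them disappearing once "Stash Internal Directory" is moved above it.

```python
"""Model of user-directory ordering with a read-only delegated LDAP directory.

Added illustration only; not Stash code. The LDAP accounts, usernames and
passwords below are constructed for the example.
"""


class DirectoryError(Exception):
    """Raised when a directory cannot perform a requested write or lookup."""


class InternalDirectory:
    """Stores users and passwords locally; creation, update and login all work."""
    name = "Stash Internal Directory"

    def __init__(self):
        self.users = {}  # username -> password (plain text only in this model)

    def has_user(self, username):
        return username in self.users

    def create_user(self, username, password):
        self.users[username] = password

    def update_password(self, username, password):
        self.users[username] = password

    def authenticate(self, username, password):
        return self.users.get(username) == password


class DelegatedLdapDirectory:
    """Keeps user records in Stash but delegates every credential check to LDAP.

    A password supplied on the Stash side is discarded: for credentials the
    directory is read-only, which is what produces the symptoms in the article.
    """
    name = "Delegated LDAP Authentication"

    def __init__(self, ldap_accounts):
        self.ldap = ldap_accounts  # constructed stand-in for the external LDAP server
        self.users = set()         # records created locally; no password is kept

    def has_user(self, username):
        return username in self.users

    def create_user(self, username, password):
        self.users.add(username)   # the record exists, the password is never stored

    def update_password(self, username, password):
        raise DirectoryError(f"Could not update password for {username}")

    def authenticate(self, username, password):
        # Only the external directory decides; a Stash-side password plays no role.
        return self.ldap.get(username) == password


class DirectoryChain:
    """Ordered directories, as listed on the User Directories screen.

    Model assumption: the first directory holding a record for the user handles
    that user's password changes and authentication.
    """

    def __init__(self, directories):
        self.directories = list(directories)

    def create_user(self, username, password):
        # Manual creation goes to the first listed directory that allows it.
        for directory in self.directories:
            if hasattr(directory, "create_user"):
                directory.create_user(username, password)
                return directory.name
        raise DirectoryError("no directory allows user creation")

    def _owner(self, username):
        for directory in self.directories:
            if directory.has_user(username):
                return directory
        raise DirectoryError(f"unknown user {username}")

    def update_password(self, username, password):
        self._owner(username).update_password(username, password)

    def authenticate(self, username, password):
        try:
            return self._owner(username).authenticate(username, password)
        except DirectoryError:
            return False


def run_scenario(ldap_first):
    """ldap_first=True reproduces the symptoms; False applies the reordering fix."""
    ldap = DelegatedLdapDirectory({"bob": "ldap-pass"})  # bob is in LDAP, alice is not
    internal = InternalDirectory()
    chain = DirectoryChain([ldap, internal] if ldap_first else [internal, ldap])

    result = {"created_in": chain.create_user("alice", "local-pass")}
    try:
        chain.update_password("alice", "new-pass")
        result["password_change"] = "ok"
    except DirectoryError as err:
        result["password_change"] = str(err)
    # With LDAP first the local password is never consulted, so this login fails;
    # with the internal directory first the updated password is accepted.
    result["alice_login"] = chain.authenticate("alice", "local-pass" if ldap_first else "new-pass")

    # Pre-creating a user who does exist in LDAP works with LDAP first. With the
    # internal directory first, bob's record is local too, so LDAP is not consulted.
    chain.create_user("bob", "ignored")
    result["bob_login_with_ldap_password"] = chain.authenticate("bob", "ldap-pass")
    return result


if __name__ == "__main__":
    print("Delegated LDAP first:", run_scenario(True))
    print("Internal first:      ", run_scenario(False))
```

The model deliberately keeps one rule per operation (creation picks the first directory that allows it; the first directory holding the record answers password and login requests) so the three symptoms fall out of the ordering alone rather than from anything LDAP-specific.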