Issue on multiple user accounts for one person

by Jack Lai -
Number of replies: 4

I set up my Moodle 3.6.3 with both Microsoft OAuth2 and LDAP as authentication methods.

For my organization, every staff member has an O365 email account and another LDAP user account. My LDAP server holds the user information with e-mail addresses, which are the same as their O365 email accounts.

However, the user name of the LDAP user account is the user's staff ID, which is different from the user's O365 email address.

Now, the problem is, when a new staff member first logs in with his/her email address using the OAuth2 method, the login is successful and Moodle creates a new user record in the database. Then afterwards, when he/she logs out but logs in again with his/her staff ID using the LDAP method, the login is also successful but Moodle creates another new user record in the database. Thus, a single staff member has two user records.

Is there any method to merge the new LDAP user login with his/her previous OAuth2 login in Moodle?

Your feedback is highly appreciated.
Thank you very much.

In reply to Jack Lai

Re: Issue on multiple user accounts for one person

by Dave Perry -

Off the top of my head, I would say no. This is where standardising user logins helps massively.
We have a local samAccountName, e.g. abc12345678, and then an Office 365 login ID of abc12345678@ourdomain.ac.uk - it confuses students a bit if they aren't 365 users from elsewhere, but doesn't cause us problems technically.
Your best bet is to choose one or the other, I'd say.

Whilst we still have to use both different values (I log in to a domain-attached PC, and most college systems, with just my staff ID; but have to log in to 365 with my full userPrincipalName of staffID@ourdomain.ac.uk), we have SSO to 365 from college domain-attached desktops and laptops via ADFS, which saves time when on premise. Work is going on so if we hit a college web system from outside our firewall, for that to authenticate against Office 365 but also just know our local username for systems which work off that (as close as we'll get to a true SSO experience).

The only way I can think it MIGHT work is to go hacking one of the two authentication modules, to use a cross-referencing value to see if there is a need to create a second account (and if there isn't, end up with the existing user ID as the 'logged in' account - but this is probably quite hefty work).

Average of ratings: Useful (1)
In reply to Jack Lai

Re: Issue on multiple user accounts for one person

by Jon Bolton -
You can also turn off new account creation in the OAuth settings - see https://docs.moodle.org/36/en/OAuth_2_authentication#Preventing_new_account_creation - and then people will be prompted to link it to their existing account (the LDAP one).

And you can link login accounts - see https://docs.moodle.org/36/en/Linked_logins
Average of ratings: Useful (1)
In reply to Jack Lai

Re: Issue on multiple user accounts for one person

by Visvanath Ratnaweera -
I regularly have this problem because the local administrators of an Active Directory authenticated Moodle site import courses - with user data! - from their previous site, which was Office365. Those users end up being manual accounts in the current Moodle with identical data as the LDAP account. Pretty confusing.

The key to understanding the cause is the column 'id' of the 'user' table. The 'id' is unique. Moodle doesn't have "duplicates", they are just different accounts!
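
An audit along the lines of the last reply, added here as an example that is not part of the original thread or Moodle's own code: it lists live accounts that share an e-mail address, each with its own `id` and `auth` method. It assumes the default `mdl_` table prefix and runs against an in-memory SQLite stand-in that models only the `id`, `auth`, `username`, `email` and `deleted` columns; every row is constructed sample data.

```python
import sqlite3

# Stand-in for Moodle's user table (default "mdl_" prefix assumed),
# reduced to the columns this audit reads.
SCHEMA = """
CREATE TABLE mdl_user (
    id INTEGER PRIMARY KEY, auth TEXT NOT NULL, username TEXT NOT NULL,
    email TEXT NOT NULL, deleted INTEGER NOT NULL DEFAULT 0);
"""

# Constructed rows: one person seen via OAuth2 and LDAP, one via a manual
# (imported) account and LDAP, one whose second account is already deleted.
SAMPLE_ROWS = [
    (2, "manual", "admin", "admin@example.org", 0),
    (10, "oauth2", "a.chan@example.org", "A.Chan@example.org", 0),
    (11, "ldap", "s10023", "a.chan@example.org", 0),
    (12, "ldap", "s10024", "b.wong@example.org", 0),
    (13, "oauth2", "c.lee@example.org", "c.lee@example.org", 1),
    (14, "ldap", "s10025", "c.lee@example.org", 0),
    (15, "manual", "d.ng", "d.ng@example.org", 0),
    (16, "ldap", "s10026", "d.ng@example.org", 0),
]

# E-mail is compared case-insensitively; deleted accounts are ignored.
AUDIT_SQL = """
SELECT LOWER(u.email), u.id, u.auth, u.username
FROM mdl_user u
JOIN (SELECT LOWER(email) AS e FROM mdl_user
      WHERE deleted = 0 AND email <> ''
      GROUP BY LOWER(email) HAVING COUNT(*) > 1) d
  ON d.e = LOWER(u.email)
WHERE u.deleted = 0
ORDER BY LOWER(u.email), u.id
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mdl_user VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def find_shared_email_accounts(conn):
    """Map each shared e-mail to its accounts as (id, auth, username)."""
    groups = {}
    for email, uid, auth, username in conn.execute(AUDIT_SQL):
        groups.setdefault(email, []).append((uid, auth, username))
    return groups

if __name__ == "__main__":
    for email, accounts in find_shared_email_accounts(build_sample_db()).items():
        print(email, accounts)
```

The `AUDIT_SQL` text uses only standard SQL, so the same query can be run read-only against a real site's database after adjusting the table prefix.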