Trouble redirecting users after implementing LDAP

Question

We had a feature on our site where we redirected users with certain roles to a particular landing page upon logging in. In a custom module, we implemented hook_user_login(\Drupal\user\UserInterface $account) to examine the roles the user had, and redirect them to a particular landing page, depending on the user's roles.

Recently, we installed and configured the ldap module, so that users could log on with their LDAP credentials, and Drupal accounts would be auto-generated. However, we quickly found out that users with particular roles were not getting redirected on their very first login. Users belonging to other groups were correctly redirected upon creation of their Drupal account by means of _hook_user_login(), so it's strange that it only affects particular groups.

What happens is that, the first time you authenticate with LDAP credentials, the LDAP module creates a new Drupal user after successful authentication, then looks at your LDAP groups and assigns your user corresponding Drupal roles, mapped in the module's configuration.

I haven't been able to figure out why the redirection works for some roles but not others. Obviously, those roles are attaching to the account object earlier in the process than others. But where or why this happens, I haven't been able to figure out.

The second time the user logs in, the Drupal account has the roles at that point, and the redirect (running on hook_user_login) happens correctly. I am wanting to say that this works well enough, but my stakeholders want it to work correctly the first time.

My attempt to address the issue was to look at hooks implemented in the LDAP module, and see if any of those give me a user object with all of the assigned roles, from which I can figure out which landing page I should redirect the user to. I couldn't find robust documentation on the hooks, so I implemented each one in a custom module and debugged their arguments to see if any one gave me what I wanted. I found that hook_ldap_user_edit_user_alter($account, $ldap_user, $context) gave me an $account object. However in testing, at the time the hook fires, the account object only has the role anonymous. So, this attempt to use hooks defined in the ldap module seems stymied.

Is there a hook later on in the login/authentication process where I can get a fully fleshed-out user object, with all the roles that the LDAP module is assigning the newly-created user? Or is there another way I can redirect the user?

Answer 1

I was not able to find a hook that gave me what I wanted, but as a sort-of work around, I created an event subscriber that uses checkAuthStatus() to check the user and path, and redirect when necessary.

This is sub-optimal, because this event fires on every page load, as far as I can tell, but at least we got our feature.