Drupal 6 External Authentication

I have a non-Drupal site which authenticates with a simple MySQL user database. I want to share that user information with my Drupal site. So I guess either:

• have some system whereby the external user database is automatically / regularly copied into the Drupal user database, which has the advantage of not messing with Drupal's login system; or
• change Drupal's login system so it checks the username and password against this external database and then presumably (knowing that Drupal likes to keep things local) creating a local account if it hasn't already.

The problem here though is that there are two user databases and if information such as passwords gets changed on one, this is not reflected on the other. Drupal would need to check the username and the password against the external db, and not keep its own password record. But I also want to take some profile information from the external db, and this would run into the problem of duplicate records.

So I guess the first solution is preferred, but then if the script is only set to run, say, once per hour, then the user cannot login to the Drupal site within an hour of signing up with the external site. Also it seems to be a very "non-Drupal" way of doing things.

A further problem is that the user will have to log in twice, but the Drupal site is meant to be a seamless extension of the external site so logging in twice isn't preferred. However, this is the least priority as there could be a message telling users to log in again "for security reasons".

Any suggestions??

EDIT: I do have some scope to edit the external site. Perhaps a simpler way would be to have the external site authenticate through Drupal's user db? The best way seems to be if the Drupal db replaces the external db so the external site's user db IS Drupal's. Or the user s开发者_JS百科imply logs in via Drupal and the external site knows somehow that he has done so. Either of those sound simpler?

---

This is exactly why I handed everything over to OpenID/OAuth. Drupal can be an OpenID provider, sites like this (StackOverflow) allow many providers. OpenID Provider

Drupal has a great OpenID selector implementation: OpenID Selector it's the same one you see on StackOverflow.

This would of course require your non-drupal site to transition to OpenID/OAuth as well, which might not be quite as easy.

---

If you have scope to edit external site then You can use Drupal's services module and write your user login service and call that service from external site. You can return session id from user login service if success. Hope this will help you.

---

The way I'm currently doing it is to have Drupal authenticate against the external DB and just ignore the password stored in the Drupal DB. If the username doesn't exist in the external DB, then it just reverts to authenticating normally against the Drupal DB.

In hook_form_user_login_alter, you can search through the $form['#validate'] array and replace user_login_authenticate_validate with your own function that checks the external DB.

Something like:

function MYMODULE_form_user_login_alter(&$form, $form_state) {
    $array_key = array_search('user_login_authenticate_validate', $form['#validate']);
    if ($array_key === FALSE) {
        $final_validator = array_pop($form['#validate']);
            $form['#validate'][] = 'mymodule_validate';
            $form['#validate'][] = $final_validator;
    }
    else {
        $form['#validate'][$array_key] = 'mymodule_validate';
    }
}

function mymodule_validate($form, &$form_state) {
    if (mymodule_user_exists($form_state['values']['name'])) {
        if (mymodule_check_password($form_state['values']['name'], $form_state['values']['pass'])) {
            user_external_login_register($form_state['values']['name'], 'mymodule');
            user_authenticate_finalize($form_state['values']);
            // maybe sync some data here
        }
    }
    else {
        user_login_authenticate_validate($form, $form_state);
    }
}

You can also make use of hook_user to sync some data (or prevent editing) when the user registers or tries to update their account.

---

Where I work, we do something similar to what you're describing. We have a Java-based backend "platform" that acts as the main source of account information. The platform team wrote a REST API for account creation, authentication, and updates. We wrote a series of custom Drupal modules to interface with the platform API during registration, login, and account editing respectively. I'll warn you though, it turns out to be a lot of custom code to write, test, and maintain.