Auth.php: User->getFromSSO() returns deleted user with new user #21896

@landure

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues

Version

11.0.2

Bug description

When logging in with SSO using HTTP headers, with a username matching two accounts:

  • one deleted account (in trash, but not completely deleted)
  • one new account created manually.

The SSO fails with an error due to User->getFromSSO() query returning both User accounts.

Relevant log output

glpi.CRITICAL:   *** Uncaught PHP Exception Glpi\Exception\TooManyResultsException: "`User::getFromDBByCrit()` expects to get one result, 2 found in query "SELECT `id` FROM `glpi_users` WHERE `name` = '[email protected]'"." at CommonDBTM.php line 432
  Backtrace :
  ./src/CommonDBTM.php:432                           
  ./src/User.php:582                                 CommonDBTM->getFromDBByCrit()
  ./src/User.php:2548                                User->getFromDBbyName()
  ./src/Auth.php:604                                 User->getFromSSO()
  ./src/Auth.php:816                                 Auth->getAlternateAuthSystemsUserLogin()
  ./src/Auth.php:1046                                Auth->validateLogin()
  ./front/login.php:69                               Auth->login()
  ...Glpi/Controller/LegacyFileLoadController.php:64 require()
  ./vendor/symfony/http-kernel/HttpKernel.php:181    Glpi\Controller\LegacyFileLoadController->__invoke()
  ./vendor/symfony/http-kernel/HttpKernel.php:76     Symfony\Component\HttpKernel\HttpKernel->handleRaw()
  ./vendor/symfony/http-kernel/Kernel.php:197        Symfony\Component\HttpKernel\HttpKernel->handle()

Page URL

No response

Steps To reproduce

  1. Configure GLPI to auth via HTTP headers (basic auth,...)
  2. Disable automatic user creation with SSO.
  3. Add a user with username 'test-user'
  4. Delete it, but keep it in trash
  5. Add a user with username 'test-user'
  6. Try to log in with username 'test-user' using HTTP headers

Your GLPI setup information

GLPI information
GLPI: 11.0.2 ( => /var/www/glpi)
Installation mode: DOCKER
Current language: fr_FR
Source Integrity: 1 files changed
  A: public/.index.php.swp
Server
Operating system: Linux 17198bd20934 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64

PHP: 8.4.14 apache2handler

PHP extensions: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, hash, iconv, json,
mbstring, SPL, session, PDO, pdo_sqlite, bz2, posix, random, Reflection, standard, SimpleXML, tokenizer, xml, xmlreader,
xmlwriter, mysqlnd, apache2handler, apcu, bcmath, Phar, exif, gd, intl, ldap, mysqli, redis, soap, sodium, zip, Zend OPcache

Setup: disable_functions="" max_execution_time="30" max_input_vars="10000" memory_limit="512M" post_max_size="8M"
session.cookie_secure="0" session.cookie_httponly="1" session.cookie_samesite="Strict" session.save_handler="files"
upload_max_filesize="2M"

Web server: Apache ()

User agent: Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0

Database:

Server Software: mariadb.org binary distribution

Server Version: 11.8.4-MariaDB-ubu2404

Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Parameters: g_assistance-cobredia-bzh@mariadb/glpi_assistance-cobredia-bzh

Host info: mariadb via TCP/IP

Requirements:
PHP version (8.4.14) is supported.
OS and PHP are relying on 64 bits integers.
Sessions configuration is OK.
Allocated memory is sufficient.
Following extensions are installed: dom, fileinfo, filter, libxml, simplexml, tokenizer, xmlreader, xmlwriter.
mysqli extension is installed
curl extension is installed
gd extension is installed
intl extension is installed
mbstring extension is installed
zlib extension is installed
bcmath extension is installed
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
openssl extension is installed
Database engine version (11.8.4) is supported.
The log file has been created successfully.
Write access to /var/glpi/files/_cache has been validated.
Write access to /var/glpi/files/_cron has been validated.
Write access to /var/glpi/files has been validated.
Write access to /var/glpi/files/_graphs has been validated.
Write access to /var/glpi/files/_lock has been validated.
Write access to /var/glpi/files/_pictures has been validated.
Write access to /var/glpi/files/_plugins has been validated.
Write access to /var/glpi/files/_rss has been validated.
Write access to /var/glpi/files/_sessions has been validated.
Write access to /var/glpi/files/_tmp has been validated.
Write access to /var/glpi/files/_uploads has been validated.

Sessions configuration is secured.
exif extension is installed
ldap extension is installed
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed
Following extensions are installed: ctype, iconv, sodium.
Write access to /var/glpi/marketplace has been validated.
Timezones seems loaded in database.

GLPI constants
GLPI_ROOT: "/var/www/glpi"
GLPI_VERSION: "11.0.2"
GLPI_SCHEMA_VERSION: "11.0.2@ea2dbba0e1edbf5128d73bdb23c2c9b9f68468ba"
GLPI_FILES_VERSION: "11.0.2-e6b8e30d"
GLPI_MIN_PHP: "8.2"
GLPI_MAX_PHP: "8.5"
GLPI_YEAR: "2025"
GLPI_I18N_DIR: "/var/www/glpi/locales"
GLPI_CONFIG_DIR: "/var/glpi/config"
GLPI_VAR_DIR: "/var/glpi/files"
GLPI_MARKETPLACE_DIR: "/var/glpi/marketplace"
GLPI_LOG_DIR: "/var/glpi/logs"
GLPI_INSTALL_MODE: "DOCKER"
GLPI_ENVIRONMENT_TYPE: "production"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_DISALLOWED_UPLOADS_PATTERN: "/\.(php\d*|phar)$/i"
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_NETWORK_MAIL: "[email protected]"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ENABLE: 3
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DOCUMENTATION_ROOT_URL: "https://links.glpi-project.org"
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_LOG_LVL: "warning"
GLPI_SKIP_UPDATES: false
GLPI_STRICT_ENV: false
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_CENTRAL_WARNINGS: "1"
GLPI_SYSTEM_CRON: false
GLPI_TEXT_MAXSIZE: "4000"
GLPI_WEBHOOK_ALLOW_RESPONSE_SAVING: "0"
GLPI_WEBHOOK_CRA_MANDATORY: false
GLPI_ALTCHA_MODE: "interactive"
GLPI_ALTCHA_MAX_NUMBER: 50000
GLPI_ALTCHA_EXPIRATION_INTERVAL: "PT20M"
GLPI_DOC_DIR: "/var/glpi/files"
GLPI_CACHE_DIR: "/var/glpi/files/_cache"
GLPI_CRON_DIR: "/var/glpi/files/_cron"
GLPI_GRAPH_DIR: "/var/glpi/files/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/glpi/files/_locales"
GLPI_LOCK_DIR: "/var/glpi/files/_lock"
GLPI_PICTURE_DIR: "/var/glpi/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/glpi/files/_plugins"
GLPI_RSS_DIR: "/var/glpi/files/_rss"
GLPI_SESSION_DIR: "/var/glpi/files/_sessions"
GLPI_TMP_DIR: "/var/glpi/files/_tmp"
GLPI_UPLOAD_DIR: "/var/glpi/files/_uploads"
GLPI_INVENTORY_DIR: "/var/glpi/files/_inventories"
GLPI_THEMES_DIR: "/var/glpi/files/_themes"
GLPI_PLUGINS_DIRECTORIES: ["/var/glpi/marketplace","/var/www/glpi/plugins"]
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
Réplicats SQL
Not active
Notifications
Way of sending emails: SMTP(smtp://mailer:587?verify_peer=0)
Name: 'Collecteur O365'
Active: Yes
Server: '{outlook.office365.com:993/imap-oauth-1/ssl}'
Login: '[email protected]'
Password: No
Plugins list
actualtime           Name: ActualTime                     Version: 3.2.0      State: Installé / non activé
Install Method: Manual
fields Name: Additional fields Version: 1.22.2 State: Installé / non activé
Install Method: Marketplace
advancedforms Name: advancedforms Version: 1.0.0 State: Activé
Install Method: Marketplace
news Name: Alerts Version: 1.13.0 State: Installé / non activé
Install Method: Marketplace
behaviors Name: Behaviours Version: 3.0.1 State: Activé
Install Method: Marketplace
formcreator Name: Formcreator End-of-Life Update Version: 3.0.0 State: A mettre à jour
Install Method: Marketplace
glpiinventory Name: GLPI Inventory Version: 1.6.0 State: Installé / non activé
Install Method: Marketplace
mreporting Name: More Reporting Version: 1.9.1 State: Installé / non activé
Install Method: Marketplace
oauthimap Name: OAuth IMAP Version: 1.5.0 State: Activé
Install Method: Marketplace
samlsso Name: samlsso Version: 1.2.2 State: Installé / non activé
Install Method: Marketplace
singlesignon Name: Single Sign-on Version: 1.5.1 State: Activé
Install Method: Manual
tag Name: Tag Management Version: 2.13.0 State: Activé
Install Method: Marketplace
vip Name: VIP Version: 1.9.1 State: Installé / non activé
Install Method: Marketplace

Anything else?

No response
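
The duplicate match described in this report, as an added example that is not part of the original issue and not GLPI's code: a constructed in-memory users table where a trashed row and an active row share one login name, looked up first by name only and then with trashed rows excluded. The table layout, the `is_deleted` column and both function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table: two rows share one login name,
// one of them soft-deleted (in trash). The `is_deleted` column is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_deleted INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users (name, is_deleted) VALUES ('test-user', 1), ('test-user', 0)");

/** Hypothetical helper: lookup by name only, like the query in the log. */
function findIdsByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Hypothetical helper: lookup used for login. Trashed rows are ignored, and
 * the call still fails closed unless exactly one active account matches.
 */
function resolveLoginUser(PDO $db, string $name): int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name AND is_deleted = 0');
    $stmt->execute(['name' => $name]);
    $ids = $stmt->fetchAll(PDO::FETCH_COLUMN);
    if (count($ids) !== 1) {
        throw new RuntimeException(
            sprintf('expected one active account for "%s", found %d', $name, count($ids))
        );
    }
    return (int) $ids[0];
}

printf("name-only lookup matches %d rows\n", count(findIdsByName($db, 'test-user')));
printf("login lookup resolves to id %d\n", resolveLoginUser($db, 'test-user'));

// A name that exists only in the trash must not resolve to any account.
$db->exec("INSERT INTO users (name, is_deleted) VALUES ('former-user', 1)");
try {
    resolveLoginUser($db, 'former-user');
} catch (RuntimeException $e) {
    printf("rejected: %s\n", $e->getMessage());
}
```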
