Configuration of ldapgroups module

ldapgroups module integrates LDAP Groups with Drupal roles. In addition, it can define "access rules" that define which LDAP group members can or cannot access the site.

Please note that to configure this module, you will need to know a little bit about how groups are stored on your LDAP server. You may need to work with your LDAP/AD admin to get the information needed.

To configure the group settings:

Goto Administer >> Site configuration >> LDAP >> Groups

Settings Tab

This page will display a list of the configured LDAP server settings created in the LDAP Authenticate module. These can be configured with individual LDAP Groups settings to determine group and access information.

The configuration that was used to authenticate a user into Drupal will be used to perform groups and access actions.

Select edit to configure Groups to Roles mapping for a specific LDAP server.

Server Groups Setting Page

This page allows you to define the setting needed by the LDAP Groups module for each server.

Group Definitions

This section allows your to define which way group membership is defined in your LDAP server. There are three basic ways to determine membership. You only need to configure the one(s) that apply to your situation.

Group by DN

This method extracts group membership by looking at the user's LDAP distinguished name (DN). E.g. if the DN is cn=John Smith, ou=Sales, ou=HQ, dc=my.com, you can "imply" membership in the groups/roles Sales and HQ from the ou attributes in the DN.

Group is specified in user's DN: Check this to enable this method of determining groups.

Attribute on the DN which contains the group name Enter the LDAP attribute which will be used to find group names. E.g.ou

Group by attribute

This method extracts group membership by looking at the specified attributes that may be part of the user's LDAP entry. For example, AD will add a MemberOf attribute to each group member's UIDObject.

Groups are specified by LDAP attributes: Check this to enable this method of determining groups
Attribute names (one per line) Enter one or more attributes that contain group name information.

Group by entry

This method uses the LDAP standard way of defining groups using an LDAP entry that contains a list of members. E.g., a groupOfNames object type with a multi-valued member attributes.

Groups exist as LDAP entries where a multivalued attribute contains the members' CNs Check this to enable this method of determining groups.
Base LDAP DNs containing groups Enter the base dn's where your groups are located. E.g., ou=Groups,dc=my.org
Attribute holding group members Enter the name of the attribute containing group member, e.g. member or uniqueMember

LDAP Groups Server Access Rules

First, it can just be a list of groups. In this case, the user must be a member of at least one of these groups to be allowed access.

The second form uses rules of the format: "action-type: group-name". Each rule group-name is compared to the user's groups. If the user is a member of the rule's group, the action is applied. The last matching rule determines the user's access rights. Note that all rule sets start with access denied.

The action types are:

ALLOW - Access granted if user is in the group and not denied by rule below it.
ALLOW-X - If the user is in the group, access is granted and rule processing ends
DENY - User is denied if they are in the group unless granted by a rule below this one.
DENY-X - User denied if in group and no further rules are processed.

In addition, there are two "PSEUDO" groups that can be used in rules:

ALL - Matches all authenticated LDAP users
EXISTING - Matches existing users who have been authenticated by LDAP in the past.

Here's an example ruleset to deny all Group1 users but allow existing users and (new) Group2 users to access the server.

DENY-X: cn=Group1,ou=Groups,dc=myorg
ALLOW-X: EXISTING
ALLOW: cn=Group2,ou=Groups,dc=myorg

Note that rule types and groups are case insensitive. However, group names must have the same spacing as returned by the server to match. E.g. if server return cn=X,ou=Groups... then a rule group name, cn=X, ou=Groups... will not match because of the space after the comma.

Group Access Rules Enter either your simple list of group dn's or your list of access rules.

LDAP group to Drupal role filtering

LDAP group; Admins => Drupal Role: Admins
LDAP group; ou=Underlings,dc=my.org => Drupal Role: Underlings

Select how to map LDAP groups to Drupal roles Select the method you want to use.
Mapping of LDAP groups to Drupal roles Enter a list of LDAP groups and their Drupal role mappings, one per line with a | delimiter. Should be in the form [ldap group]|[drupal role],[drupal role] such as:
- cn=ED IT NAG Staff,DC=ad,DC=uiuc,DC=edu|admin
- cn=Ed Webs UIUC Webmasters,DC=ad,DC=uiuc,DC=edu|author, reviewer
PHP to filter roles by (Optional) This is an advanced way to change the way groups are mapped to roles. Beyond the scope of this page.

Click Save configuration to save this configuration.

Test Group Settings Tab

This page will help you validate your settings by testing against specific users.

User selection

Drupal User name to test Enter a Drupal user name. Must be empty if you are using a DN.
Select a server Select the LDAP server where the user can be found.
LDAP DN to test Enter the user's DN to test with. Must be empty if you are using a Drupal user name.
Test Clicking this will display the results below.

Test Results

Basic Drupal user information
Basic LDAP user information
LDAP Groups the user was found to be a member of.
If the user can access the server or not, based on the results of the Access Rules and group membership.
The Drupal roles the user will be mapped into