Last updated 29 June 2012. Created on 11 February 2007.
Edited by cgmonroe, Tresler, kreaper.

The ldapgroups module integrates LDAP groups with Drupal roles. In addition, it can define "access rules" that determine which LDAP group members can or cannot access the site.

Please note that to configure this module, you will need to know a little bit about how groups are stored on your LDAP server. You may need to work with your LDAP/AD admin to get the information needed.

To configure the group settings:

  • Go to Administer >> Site configuration >> LDAP >> Groups

Settings Tab

This page will display a list of the configured LDAP server settings created in the LDAP Authenticate module. These can be configured with individual LDAP Groups settings to determine group and access information.

The configuration that was used to authenticate a user into Drupal will be used to perform groups and access actions.

  • Select edit to configure Groups to Roles mapping for a specific LDAP server.

Server Groups Setting Page

This page allows you to define the settings needed by the LDAP Groups module for each server.

Group Definitions

    This section allows you to define how group membership is determined on your LDAP server. There are three basic ways to determine membership. You only need to configure the one(s) that apply to your situation.

    Group by DN

    This method extracts group membership by looking at the user's LDAP distinguished name (DN). E.g. if the DN is cn=John Smith, ou=Sales, ou=HQ,, you can "imply" membership in the groups/roles Sales and HQ from the ou attributes in the DN.

    • Group is specified in user's DN: Check this to enable this method of determining groups.
    • Attribute on the DN which contains the group name: Enter the LDAP attribute which will be used to find group names. E.g. ou

    Group by attribute

    This method extracts group membership by looking at the specified attributes that may be part of the user's LDAP entry. For example, AD will add a MemberOf attribute to each group member's UIDObject.

    • Groups are specified by LDAP attributes: Check this to enable this method of determining groups
    • Attribute names (one per line): Enter one or more attributes that contain group name information.

    Group by entry

    This method uses the LDAP standard way of defining groups: an LDAP entry that contains a list of members. E.g., a groupOfNames object type with a multi-valued member attribute.

    • Groups exist as LDAP entries where a multivalued attribute contains the members' CNs: Check this to enable this method of determining groups.
    • Base LDAP DNs containing groups: Enter the base DNs where your groups are located. E.g., ou=Groups,
    • Attribute holding group members: Enter the name of the attribute containing group members, e.g. member or uniqueMember

LDAP Groups Server Access Rules

    This section allows you to define access rules that will control which LDAP Group members can or cannot access the server. These rules can take two forms:

    First, it can just be a list of groups. In this case, the user must be a member of at least one of these groups to be allowed access.

    The second form uses rules of the format: "action-type: group-name". Each rule's group-name is compared to the user's groups. If the user is a member of the rule's group, the action is applied. The last matching rule determines the user's access rights. Note that all rule sets start with access denied.

    The action types are:

    • ALLOW - Access granted if user is in the group and not denied by a rule below it.
    • ALLOW-X - If the user is in the group, access is granted and rule processing ends
    • DENY - User is denied if they are in the group unless granted by a rule below this one.
    • DENY-X - User denied if in group and no further rules are processed.

    In addition, there are two "PSEUDO" groups that can be used in rules:

    • ALL - Matches all authenticated LDAP users
    • EXISTING - Matches existing users who have been authenticated by LDAP in the past.

    Here's an example ruleset to deny all Group1 users but allow existing users and (new) Group2 users to access the server.

    • DENY-X: cn=Group1,ou=Groups,dc=myorg
    • ALLOW: cn=Group2,ou=Groups,dc=myorg

    Note that rule types and groups are case insensitive. However, group names must have the same spacing as returned by the server to match. E.g. if the server returns cn=X,ou=Groups... then a rule group name, cn=X, ou=Groups... will not match because of the space after the comma.

    • Group Access Rules: Enter either your simple list of group DNs or your list of access rules.
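
The following added example, which is not the module's own code, models the rule evaluation described above so you can check a ruleset before entering it. The names `parse_rules` and `can_access` are hypothetical, and rejecting a mix of plain group lines and action rules is an assumption the page does not state.

```python
import re

# Added example: models the rule semantics described on this page, not the module's code.
RULE_RE = re.compile(r"^(ALLOW-X|DENY-X|ALLOW|DENY)\s*:\s*(.+)$", re.IGNORECASE)

# The two-rule example from the page.
PAGE_RULES = """
DENY-X: cn=Group1,ou=Groups,dc=myorg
ALLOW: cn=Group2,ou=Groups,dc=myorg
"""

def parse_rules(text):
    """Return ("list", [group, ...]) or ("rules", [(action, group), ...])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    parsed = [RULE_RE.match(ln) for ln in lines]
    if not any(parsed):
        return "list", [ln.lower() for ln in lines]
    if not all(parsed):
        # Assumption: a mix of both forms is ambiguous, so refuse it.
        raise ValueError("mix of plain group lines and action rules")
    return "rules", [(m.group(1).upper(), m.group(2).lower()) for m in parsed]

def can_access(text, user_groups, existing=False):
    """Decide access for an LDAP-authenticated user holding user_groups."""
    groups = {g.lower() for g in user_groups}   # case-insensitive, spacing kept
    form, rules = parse_rules(text)
    if form == "list":
        return any(g in groups for g in rules)  # member of at least one
    groups.add("all")                           # pseudo-group: any LDAP user
    if existing:
        groups.add("existing")                  # pseudo-group: seen before
    allowed = False                             # every rule set starts denied
    for action, group in rules:
        if group not in groups:
            continue
        allowed = action.startswith("ALLOW")    # last matching rule wins
        if action.endswith("-X"):
            break                               # -X stops rule processing
    return allowed

if __name__ == "__main__":
    g1, g2 = "cn=Group1,ou=Groups,dc=myorg", "cn=Group2,ou=Groups,dc=myorg"
    print(can_access(PAGE_RULES, [g2]))       # member of Group2 only
    print(can_access(PAGE_RULES, [g1, g2]))   # Group1 hits DENY-X first
    print(can_access(PAGE_RULES, ["cn=Group2, ou=Groups,dc=myorg"]))  # extra space
```

Because evaluation starts from denied and the last matching rule wins, rule order matters: put DENY-X rules for groups that must never get in at the top.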

LDAP group to Drupal role filtering

    This section defines how groups are mapped to Drupal roles. If automatic mapping is selected, Drupal role names will be automatically determined using the LDAP group names. For example:
    • LDAP group: Admins => Drupal Role: Admins
    • LDAP group: ou=Underlings, => Drupal Role: Underlings
    • Select how to map LDAP groups to Drupal roles: Select the method you want to use.
    • Mapping of LDAP groups to Drupal roles: Enter a list of LDAP groups and their Drupal role mappings, one per line with a | delimiter. Each line should be in the form [ldap group]|[drupal role],[drupal role] such as:
      • cn=ED IT NAG Staff,DC=ad,DC=uiuc,DC=edu|admin
      • cn=Ed Webs UIUC Webmasters,DC=ad,DC=uiuc,DC=edu|author, reviewer
    • PHP to filter roles by (Optional): This is an advanced way to change the way groups are mapped to roles. Beyond the scope of this page.
  • Click Save configuration to save this configuration.

Test Group Settings Tab

This page will help you validate your settings by testing against specific users.

User selection

    You may specify users by one of two methods. You can use an existing LDAP authenticated Drupal user (e.g. a user who logged on and was authenticated by LDAP sometime in the past) or you can use a user's LDAP DN and server information.
    • Drupal User name to test: Enter a Drupal user name. Must be empty if you are using a DN.
    • Select a server: Select the LDAP server where the user can be found.
    • LDAP DN to test: Enter the user's DN to test with. Must be empty if you are using a Drupal user name.
    • Test: Clicking this will display the results below.

Test Results

    The results of the test will include the following information about the specified user:
    • Basic Drupal user information
    • Basic LDAP user information
    • LDAP Groups the user was found to be a member of.
    • If the user can access the server or not, based on the results of the Access Rules and group membership.
    • The Drupal roles the user will be mapped into


txyoji’s picture

If you're looking for a way to explore Active Directory, check out Sysinternals AD Explorer.

This was very useful for figuring out what groups to place in the "LDAP group to Drupal role filtering".