Hi,
When I try to log in with an AD user it authenticates no problem but fails to pull in and create the groups from AD. I get this error message posted in the log file:
PDOException: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'name' at row 1: INSERT INTO {role} (name, weight) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1); Array ( [:db_insert_placeholder_0] => cn=planning,ou=planning,ou=tadcaster,ou=innserve,dc=innserve,dc=local [:db_insert_placeholder_1] => 3 ) in drupal_write_record() (line 6851 of /var/www2/includes/common.inc).
Any help would be appreciated.
Thanks Dan
Comments
Comment #1
johnbarclay commented:
There are a number of issues:
You are using the wrong version of ldap. Use the 7.x-1.x branch, not 2.x.
The group name you are using is too long for the db field in the role table: (cn=planning,ou=planning,ou=tadcaster,ou=innserve,dc=innserve,dc=local)
Try using the filter:
cn=planning,ou=planning,ou=tadcaster,ou=innserve,dc=innserve,dc=local|planning
to map that big name to a smaller role.
Comment #2
danharper commented:
Sorry, I am using 7.x-1.x-dev.
When you say use the filter do you mean adding that to the LDAP USER TO DRUPAL USER RELATIONSHIP box?
I have tried that and it came back with same error message, I do not have any roles created in drupal yet other than the default ones and so when my users start logging in I would like all the roles to be created.
Cheers Dan
Comment #3
johnbarclay commented:
Yes. In 3A.
Thanks for pointing this out. I'm changing this to a bug, so the validation is fixed. The code that needs to be changed is in the error catching. It should check for role name length and watchdog the result. The authorization test page should also flag long roles.
Comment #4
danharper commented:
The role name length should only be the same as the group name if I'm not mistaken, and my AD groups have 20 characters maximum, so it doesn't explain why they're not being created.
Thanks Dan
Comment #5
johnbarclay commented:
It's trying to create the role:
"cn=planning,ou=planning,ou=tadcaster,ou=innserve,dc=innserve,dc=local"
Map it as follows:
cn=planning,ou=planning,ou=tadcaster,ou=innserve,dc=innserve,dc=local|planning or some such.
I'm just guessing since I don't know your configuration. If this doesn't help, post your configuration as directed in the create issue instructions.
Comment #6
danharper commented:
I haven't got anything in the box 3A as I don't have any Drupal roles created and I am not trying to map them.
In box 2B I have this ticked and memberOf in the box. When a user logs in I would like it to create all the groups they are a member of as Drupal roles. I am not trying to map roles to an OU.
Thanks Dan
Comment #7
johnbarclay commented:
I see. Let us know your configuration and we may be able to help.
Comment #8
danharper commented:
Background,
I am currently using drupal 6.22 with the ldap_integration module installed, the way that works is when a user logs in if they are already in AD they get authenticated and all the relevant drupal roles added that match the groups they're a member of. If there is a security group the user is a member of that does not exist as a drupal role the role is automatically created. I am trying to replicate this in drupal 7.4 with the ldap as I need to upgrade fairly shortly.
The problem is stated in the first post: when I try to log in with some Active Directory credentials it authenticates me and logs me in but shows the following error message.
Current config.
Drupal 7.4
ldap 7.x-1.0-beta2
ldap config
Microsoft Active Directory
all users are in many OU containers under the following OU containers
OU=Tadcaster,OU=INNSERVE,DC=innserve,DC=local
OU=Sunderland,OU=INNSERVE,DC=innserve,DC=local
All users are members of specific security groups. I thought that these security groups could be mapped to Drupal roles automatically using the memberOf attribute; this is how it worked in ldapgroups previously.
ldap module config
SERVERS
One server setup, AD Ldap
Base DNs for LDAP user entries
OU=Tadcaster,OU=INNSERVE,DC=innserve,DC=local
OU=Sunderland,OU=INNSERVE,DC=innserve,DC=local
User Name Attribute
sAMAccountName
AUTHORIZATION
Derive Drupal Roles by Attribute used with memberOf added for attribute
ldap to drupal role mapping and filtering nothing added as I have no drupal roles created and I want all the security groups a user is a member of
On a side note I have created a development environment that mirrors my D6 installation and I will be running through an upgrade to D7 my whole login requirements rely on ldap so what would be the best way of doing this having ldap_integration already installed.
Thanks Dan
Comment #9
johnbarclay commented:
Thanks for the detailed info. Your setup should work so I'm changing this to a bug. I use the same configuration with filtering so it should be easy to test.
As far as your old ldap_integration data, since there's no upgrade path, I would just delete the old ldap tables and remove the authmaps, see #1183192: Authentication: Duplicate entry in modules/user/user.module
Comment #10
johnbarclay commented:
This is committed to head. Please test. There is a check for long Drupal roles and the ability to map a Drupal role to the value of the first DN attribute. This is configured in the ldap authorization interface.
I added a simpletest for this. It's the second from the last test in ldap_autorization/tests/Derivations.test testDeriveFromAttr()
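The two checks described in comment #10, as an added example that is not part of the thread or the LDAP module's code: it flags memberOf DNs too long to be stored as role names and reduces each DN to its first RDN value. It goes one step further and reports distinct groups that collapse to the same role name, since such groups would all grant the same Drupal role. Assumptions: Drupal 7's `{role}.name` column is varchar(64), names are compared case-insensitively, and the Sunderland DN in the sample is constructed.

```python
import re

ROLE_NAME_MAX = 64  # assumption: Drupal 7 {role}.name is varchar(64)

def split_rdns(dn):
    """Split a DN on unescaped commas (backslash escapes, RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts

def first_rdn_value(dn):
    """Value of the first RDN, e.g. 'planning' for 'cn=planning,ou=...'."""
    value = split_rdns(dn)[0].partition("=")[2]
    # Undo "\," style escapes and ASCII hex escapes such as "\2C".
    unescape = lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1)
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", unescape, value).strip()

def audit(member_of):
    """Return (DNs too long for role.name, {role name: [DNs sharing it]})."""
    too_long = [dn for dn in member_of if len(dn) > ROLE_NAME_MAX]
    by_role = {}
    for dn in member_of:
        by_role.setdefault(first_rdn_value(dn).lower(), set()).add(dn.lower())
    collisions = {r: sorted(d) for r, d in by_role.items() if len(d) > 1}
    return too_long, collisions

SAMPLE = [
    "cn=planning,ou=planning,ou=tadcaster,ou=innserve,dc=innserve,dc=local",   # from the thread
    "cn=planning,ou=planning,ou=sunderland,ou=innserve,dc=innserve,dc=local",  # constructed
    "CN=IT,OU=IT,OU=TADCASTER,OU=INNSERVE,DC=INNSERVE,DC=LOCAL",               # from the thread
    "CN=DOMAIN USERS,CN=USERS,DC=INNSERVE,DC=LOCAL",                           # from the thread
]

if __name__ == "__main__":
    too_long, collisions = audit(SAMPLE)
    for dn in too_long:
        print(f"too long ({len(dn)} > {ROLE_NAME_MAX}): {dn} -> {first_rdn_value(dn)}")
    for role, dns in collisions.items():
        print(f"role '{role}' would be granted by {len(dns)} different groups")
```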
Comment #11
danharper commented:
Hi John,
The module now lets me log in and it creates roles for the user, but I am a little confused about how this is supposed to work as the names of the roles it has created are as follows:
CN=IT,OU=IT,OU=TADCASTER,OU=INNSERVE,DC=INNSERVE,DC=LOCAL
CN=DOMAIN USERS,CN=USERS,DC=INNSERVE,DC=LOCAL
My User dharper is a member of the following security groups (not OU containers)
Domain Admins
Domain Users
IT
Planning
System Support
UAT
unixusers
I would expect that when I log in the above are created as Drupal roles and not the ones that have.
My user sits in the following OU container
OU=IT,OU=TADCASTER,OU=INNSERVE,DC=INNSERVE,DC=LOCAL
Hope this makes sense.
Thanks Dan
Comment #12
danharper commented:
Ahah,
I ticked the box which reads
and everything works as expected many thanks.
Dan
Comment #13
johnbarclay commented:
The role name
"cn=planning,ou=planning,ou=tadcaster,ou=innserve,dc=innserve,dc=local"
is too long for a role name. Try something shorter.
One approach is to map that dn to a role in the mapping/filter dialog:
Another approach is:
cn=planning,ou=planning,ou=tadcaster,ou=innserve,dc=innserve,dc=local|planning
in the filter dialog box.