I have CAS (7.x-1.2) / LDAP (7.x-1.0-beta12) and CAS Attributes configured to the point where I can log-into my Drupal site through CAS.

The issue I'm coming across is assigning a role to a CAS user using attributes from LDAP.

I was able to setup CAS Attribute Mappings fine using LDAP Tokens for username and email fields.

However, I haven't had any luck with Role Mapping. The system I'm working with doesn't seem to store any attributes (that I have access to) on its CAS Server, with everything being pulled from LDAP. The Role Mapping feature stresses that it only recognizes CAS attributes, and not token syntax.

Is there a setting/configuration/add-on module I should look into?


katrialesser’s picture

I am using CAS to authenticate, and I'm pulling the email & name with CAS attributes, but I cannot figure out the syntax for Role Mapping.

- check which roles - do i check one?

- the example says 'department'

I have a CAS attribute of: [cas:attribute:activeparttimeinstructor]
so would I use: activeparttimeinstructor ?

If someone could provide an example of working syntax that would be SOOOOO helpful!
Thank you!

katrialesser’s picture

Hasn't anyone else wanted to use this & run into this problem?

Please, if anyone has an idea or knows how to do this / what to enter in...that would be so helpful..


Olarin’s picture

delajed: Interesting point - if we can use LDAP attributes for other fields I don't see why we can't use them for roles as well; perhaps we should switch the Role Mapping section over to using token syntax.

girlwithquestions: My apologies for the delay in reply, but please try not to hijack threads - the original poster was referring specifically to trouble using LDAP attributes, not just how to get Role Mapping working in general. Please check out #1814654: add text to configuration page to explain how to get roles from attributes and provide some input on making the description text more helpful, and post follow up questions there. Meanwhile, I'll try to help you out here:

  • You may only want some of your roles to be drawn from CAS attributes. So first of all, you must check the checkboxes for each role you want to draw from attributes. For each checked role, if any of the attributes you specify contain that role, the user will get that role, and if they don't contain it, the user will lose that role. If the checkbox for a particular role is not checked, this module won't do anything to it.
  • You are correct on not using token syntax for Role Mapping (for now at least) - so yes, you would use just "activeparttimeinstructor", not [cas:attribute:activeparttimeinstructor].
  • The name of the attribute is not what's important, it's what's inside it (in PHP array parlance, what we care about here is the value, not the key). So if the name of your attribute-managed role is "activeparttimeinstructor", for instance, then whether a user gets that role is dependent upon whether one of the attributes you specified has a value of "activeparttimeinstructor" for that user. (So if you specified a Role Mapping attribute named status (or department, or activeparttimeinstructor, or purplemonkeydishwasher, or anything really) and it has a value of "activeparttimeinstructor", the role will be given; but if you specified an attribute named activeparttimeinstructor and it simply has a value of TRUE, or 1, or "yes", or anything other than "activeparttimeinstructor", the role will not be given.) Attributes can be multivalued - so you can specify multiple roles for a user in one attribute - but you can also use multiple attributes, and the role will be given if it is present in any of them.

If you have any other questions, please post them in #1814654: add text to configuration page to explain how to get roles from attributes. If you understand it perfectly now and have it working, then if you can, please help me improve the text in #1814654: add text to configuration page to explain how to get roles from attributes.

katrialesser’s picture

Sorry, I thought from "The issue I'm coming across is assigning a role to a CAS user using attributes from LDAP." we were asking the same question - how to get the CAS attributes to assign a role.

I'll go post on that other issue. thanks for responding! :)

Olarin’s picture

Category: support » feature
bkosborne’s picture

Issue summary: View changes
Status: Active » Closed (duplicate)
Related issues: +#2190967: Mapping roles from ldap attributes

Related: #2190967: Mapping roles from ldap attributes. Looks like token support has been added, but using LDAP tokens is still not supported for role mapping. I think it's appropriate to close this issue in favor of that one.