Hi. I'd like to request feedback on creating a sub-module that implements a login block per LDAP server. A short use-case description and a list of issues this hopes to solve follow.
I wrote https://esci.id.ucsb.edu/, a Drupal frontend for end-of-quarter campus course feedback. Currently it's in a limited Beta/Pilot stage and accruing a larger feature set.
We have different user roles:
- students: take surveys
- faculty: view survey stats, submit survey questions
- departmental administrators: view many survey results, per College or by grants
- ESCI admins: administer departmental ESCI data and drupal webapp
Currently we hit 2 LDAP servers with custom-built code (attempting to move to LDAP 1.x/2.x): our departmental Apple-based LDAP, and separately a campus-based LDAP for non-"ESCI admin" users.
A majority of the time a user is defined by 1 single role. For instance they are a student, or a faculty member, or perhaps an ESCI admin user.
But there are a few cases where a staff/faculty member is also enrolled as an active student in courses, pursuing a Master's degree (for instance). Such a user may be bombarded with options if the webapp grants all possible roles found from a given LDAP point, since only 1 login form is used for LDAP.
Would anyone (other than myself) entertain creating discrete LDAP login blocks per endpoint? This could help fix problems where:
- More than 1 LDAP endpoint is enabled and UIDs are not unique for a user.
- You want to give a specific user a limited set of role(s), based on where they authenticated from. E.g., set up a /student/login form with ou=university,affiliation=student vs. /faculty/login with ou=university,affiliation=faculty. In this case all registered students have a firstname.lastname@example.org account; a faculty email would not have 'umail' in the domain. So Drupal could see 2 users from 1 LDAP point.
- In general you'd be able to say "Drupal login is at /user" and "LDAP login is at /SOME_ENDPOINT_TOKEN/login" as needed, making it clearer that 1 form is the Drupal login and another form is the login authpoint for some LDAP server.
I have an idea how to approach the code because I've done this myself a few times. I would like the OPs' and other users' feedback on this idea and whether or not I'm crazy.
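As an added illustration of the proposal above (this is example code written for this page, not code from the original post, from the Drupal LDAP module, or from the esci.id.ucsb.edu site), here is a small Python model of "one login block per LDAP endpoint". Each endpoint carries its own server, base DN, required attribute filter and the only role set it may grant, and the Drupal account name is namespaced by server so an equal uid on two servers does not collide. The endpoint paths, the `eduPersonAffiliation` attribute, the sample directory entries and the plaintext passwords are all constructed assumptions for the example; a real deployment would verify credentials with an LDAP bind rather than by comparing a stored string. The single-form function at the end models the behaviour the post complains about, so the two can be compared on the same input.

```python
import hmac
from dataclasses import dataclass

# Hypothetical model of per-endpoint LDAP login blocks; not the Drupal LDAP module.


@dataclass(frozen=True)
class LoginEndpoint:
    path: str              # URL of this block's login form, e.g. /student/login
    server: str            # which LDAP server the block binds to
    base_dn: str           # subtree searched for the user
    required_attrs: tuple  # (attribute, value) pairs the entry must carry
    roles: frozenset       # the ONLY Drupal roles this block may grant


@dataclass(frozen=True)
class LoginResult:
    account: str           # Drupal account name
    roles: frozenset


ENDPOINTS = {
    "/student/login": LoginEndpoint("/student/login", "campus", "ou=university,dc=example,dc=org",
                                    (("eduPersonAffiliation", "student"),), frozenset({"student"})),
    "/faculty/login": LoginEndpoint("/faculty/login", "campus", "ou=university,dc=example,dc=org",
                                    (("eduPersonAffiliation", "faculty"),), frozenset({"faculty"})),
    "/esci/login":    LoginEndpoint("/esci/login", "dept", "cn=users,dc=dept,dc=example,dc=org",
                                    (), frozenset({"esci admin"})),
}

# Constructed sample directories. Plaintext passwords only keep the model small;
# a real deployment verifies credentials with an LDAP bind.
DIRECTORY = {
    "campus": [
        {"dn": "uid=jdoe,ou=university,dc=example,dc=org", "uid": "jdoe",
         "mail": "jane.doe@umail.example.org", "eduPersonAffiliation": ("student",),
         "password": "s3cret"},
        {"dn": "uid=asmith,ou=university,dc=example,dc=org", "uid": "asmith",
         "mail": "a.smith@example.org", "eduPersonAffiliation": ("faculty", "student"),
         "password": "pr0f"},
    ],
    "dept": [
        # A different person who happens to share the uid "jdoe" with the campus entry.
        {"dn": "uid=jdoe,cn=users,dc=dept,dc=example,dc=org", "uid": "jdoe",
         "mail": "jdoe@dept.example.org", "eduPersonAffiliation": ("staff",),
         "password": "adm1n"},
    ],
}


def search(server, base_dn, uid, required_attrs=()):
    """Return the first entry under base_dn with this uid and every required attribute."""
    for entry in DIRECTORY[server]:
        if base_dn and not entry["dn"].endswith("," + base_dn):
            continue
        if entry["uid"] != uid:
            continue
        if all(value in entry.get(attr, ()) for attr, value in required_attrs):
            return entry
    return None


def bind(entry, password):
    """Stand-in for an LDAP simple bind: constant-time compare of the stored secret."""
    return hmac.compare_digest(entry["password"].encode(), password.encode())


def login(path, uid, password):
    """Per-endpoint login. The block's filter decides who may authenticate here and
    the block's role set decides what they get. Returns None on any failure."""
    endpoint = ENDPOINTS[path]
    entry = search(endpoint.server, endpoint.base_dn, uid, endpoint.required_attrs)
    if entry is None or not bind(entry, password):
        return None
    # Namespace the Drupal account by server so equal uids on two servers stay distinct.
    return LoginResult(account=f"{uid}@{endpoint.server}", roles=endpoint.roles)


def login_single_form(uid, password):
    """The single-form behaviour the post describes: try every server in turn, the
    first successful bind wins, the account is the bare uid, and every affiliation
    found on the entry becomes a role."""
    for server in DIRECTORY:
        entry = search(server, "", uid)
        if entry is not None and bind(entry, password):
            return LoginResult(account=uid, roles=frozenset(entry["eduPersonAffiliation"]))
    return None


if __name__ == "__main__":
    # asmith is both faculty and student: each block grants only its own role.
    print(login("/student/login", "asmith", "pr0f"))
    print(login("/faculty/login", "asmith", "pr0f"))
    # The two unrelated "jdoe" users land on distinct Drupal accounts...
    print(login("/student/login", "jdoe", "s3cret"), login("/esci/login", "jdoe", "adm1n"))
    # ...whereas the single form maps both of them onto the same "jdoe" account.
    print(login_single_form("jdoe", "s3cret"), login_single_form("jdoe", "adm1n"))
```

The interesting checks are the negative ones: a student-only account is refused at `/faculty/login` because the block's attribute filter never matches, and the departmental `jdoe` is refused at the student block even with the right departmental password, because that block searches a different server entirely.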