I have a posixGroup that has a list of authorized users. (Currently just one for testing.)
DN: cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu
objectClass: groupOfNames
objectClass: posixGroup
objectClass: Top
cn: authenticateduser
gidNumber: 0
ACL: 2#entry#[Root]#member
memberUid: L00467966
Where do I tell the module to look at that group?
Or, to word it a bit differently, how do I configure the module to only allow users who are listed in groups like the above to log in?
I would have a group per drupal role.
Comments
Comment #1
jerrac commented:
I just built a small test drupal install with the latest LDAP dev release. Still can't get it to work.
So, let me rephrase my question. Is it possible to create a group per role (posixgroup or groupofnames), store each authorized user's cn in a memberuid attribute on that group, and then tell the LDAP module to check that group for a user's role?
Comment #2
jerrac commented:
I can just add the authenticated user group to the user entry as a groupMembership. That does make the authorization work with the "A user LDAP attribute such as memberOf exists that contains a list of their groups. Active Directory and openLdap with memberOf overlay fit this model." checkbox option. But it makes more sense to me to have a group entry per role that lists all the users in that role.
I know doing it that way is possible. We have a third party CakePHP app doing so. And the "LDAP GROUP ENTRY ATTRIBUTE HOLDING USER'S DN, CN, ETC." field on the ldap server configuration screen makes me think this LDAP module is supposed to be able to do so as well. When I was first searching the issue queue before posting this issue, I didn't see anything indicating that the feature was broken or not implemented yet. I don't see any errors in either Drupal's logs or my system logs.
I suppose the next thing to do is browse the source code. Maybe something will give me a clue there.
Any other suggestions? More information I could provide that would help?
Comment #3
jerrac commented:
Still have the same problem on 7.x-2.0-beta6.
Comment #4
jerrac commented:
I lost the test install I was using a year ago. Now my role/group entries look more like:
On admin/config/people/ldap/servers/edit/ldap_server_01 I set:
On admin/config/people/ldap/authorization/edit/drupal_role I set:
Mapping of LDAP to drupal role (one per line):
cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu|authenticated user
When I run the authorization test on testuser, no drupal roles are assigned.
If I switch the settings around to look for a groupMembership on the testuser ldap entry, the correct roles are assigned. That is how my prod site is set up, and it works. But I shouldn't have to edit every single user's entry to add a groupMembership.
If I'm reading the options on the server settings page correctly, I should be able to tell it to look at a single group entry, and then check to see if the user is in that group entry before assigning a role. Is that right? Thoughts on why it doesn't work?
Comment #5
larowlan commented:
no update for > 12 months - closing
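The group-entry model asked about in comments #2 and #4, as an added example that is not part of the thread and is not the Drupal LDAP module's code: roles are derived by looking for the user inside each mapped group entry, and the lookup only succeeds when the group's membership attribute is paired with the user value that the group actually stores. The `editor` group, the user DN under `ou=people`, and all function names are assumptions made for illustration.

```python
# Added illustration; entries are constructed sample data modelled on the post.
GROUPS = {
    "cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu": {
        "memberUid": ["L00467966"],                # group stores the user's cn
    },
    "cn=editor,ou=drupal,ou=groups,dc=blah,dc=edu": {   # constructed group
        "member": ["cn=L00467966,ou=people,dc=blah,dc=edu"],  # stores the DN
    },
}
USER = {"dn": "cn=L00467966,ou=people,dc=blah,dc=edu",  # constructed DN
        "cn": ["L00467966"]}
MAPPING = """\
cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu|authenticated user
cn=editor,ou=drupal,ou=groups,dc=blah,dc=edu|editor
"""

def normalize(value):
    # Simplification: lower-case and trim around commas (not full RFC 4514,
    # and real directories apply per-attribute matching rules).
    return ",".join(part.strip().lower() for part in value.split(","))

def parse_mapping(text):
    """Parse 'group DN|role' lines into {normalized DN: role}."""
    mapping = {}
    for line in text.splitlines():
        if "|" in line:
            dn, role = line.rsplit("|", 1)
            mapping[normalize(dn)] = role.strip()
    return mapping

def roles_from_group_entries(user, groups, mapping, membership_attr, user_attr):
    """Grant a role when the group's membership_attr contains the user's
    user_attr value ('dn' means the user's DN)."""
    values = [user["dn"]] if user_attr == "dn" else user.get(user_attr, [])
    wanted = {normalize(v) for v in values}
    roles = set()
    for dn, entry in groups.items():
        members = {normalize(m) for m in entry.get(membership_attr, [])}
        role = mapping.get(normalize(dn))
        if role and wanted & members:
            roles.add(role)
    return roles

if __name__ == "__main__":
    m = parse_mapping(MAPPING)
    print(roles_from_group_entries(USER, GROUPS, m, "memberUid", "cn"))
    print(roles_from_group_entries(USER, GROUPS, m, "member", "dn"))
    print(roles_from_group_entries(USER, GROUPS, m, "memberUid", "dn"))
```

In this sketch a mismatched pair (here `memberUid` compared against the DN) returns an empty role set without raising any error, so the attribute pairing is worth checking directly against a group entry.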