Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I'm successful at mapping Drupal roles at the time of authentication. This much works great. However, I'm not able to successfully assign/revoke Organic Groups and their corresponding roles. When I run tests on users, I get the proper group / group role, but it just doesn't seem to save / assign anything. I've included screens of my configuration, test, and the logs at the time of authentication.
Here's some info. on my site:
- Drupal 7.19
- Organic Groups 7.x-1.5
Any help with this would be appreciated.
Comment | File | Size | Author |
---|---|---|---|
#22 | 10907782-22.patch | 7.5 KB | johnbarclay |
#16 | ldap_7.x-2.x-dev_authorization.patch | 299 bytes | vgalindus |
#14 | group_audience.png | 18.87 KB | scottAtRoot802 |
LDAP-7.x-2.0-authorization-og-role-log.png | 2.42 MB | scottAtRoot802 | |
LDAP-7.x-2.0-authorization-og-role-test.png | 334.57 KB | scottAtRoot802 |
Comments
Comment #1
Kazanir CreditAttribution: Kazanir commentedI'm having the same issue, with very similar looking tests/logs, using the latest dev.
Comment #2
johnbarclay CreditAttribution: johnbarclay commentedAside from on logon, I don't see any code to remove og groups. An option to remove via cron batches should be added at http://drupalcode.org/project/ldap.git/blob/refs/heads/7.x-2.x:/ldap_aut... or integrated in the ldap_user modules batch process.
When you say you are testing and the groups are not removed, are you testing by logging on?
I will be working on this later in the week, with the following steps:
Comment #3
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedYes, I've been logging in to test whether OG roles have been assigned/revoked. The log I attached is at login.
Comment #4
johnbarclay CreditAttribution: johnbarclay commentedComment #5
Kazanir CreditAttribution: Kazanir commentedjohn your comment makes me think you are assuming his issue is really specific when it isn't. The point is that the OG assignment / revocation is completely broken when it shouldn't be -- the testing part of the interface appears to indicate the correct assignment of OG membership (for both OG 7-1.5 in his case and 7-2 in mine) but it doesn't actually work on logon in practice.
Comment #6
johnbarclay CreditAttribution: johnbarclay commentedI'm going through this now. Kazanir is correct, there are a number of issues with the og 7.x-1.5. Its broken in a non subtle way, so hopefuly will be easy fixes.
Comment #7
Kazanir CreditAttribution: Kazanir commentedHere's hoping that the same stuff applies to the 7-2 implementation. What I'm seeing looks extremely similar to Scott's results except for the initial OG mapping text (mine is mappingresult|node:nodeid:roleid naturally) -- functioning tests and mappings being mapped correctly in the logs, but no actual group memberships being created.
Comment #8
foo CreditAttribution: foo commentedOG assignment appears broken for me as well, on 7.x-2.x-dev (2013-Feb-14). I made a group, configured the LDAP server, configured the authorization, added a group mapping, and the test seems to run fine. It correctly finds the 3 groups my test user is in, finds the match for the one mapping I made, and the "Results after any filtering and mappings applied" section says "node:2:2", which if I understand the syntax, means that my test user should be be assigned to group 2 with role 2. However, I log in with that user in another browser, and he never shows up in the member list.
So, to be clear, I can't get LDAP users into a group to begin with.
Aside: I'm using CAS auth, not LDAP auth, but it's an otherwise vanilla install.
Comment #9
johnbarclay CreditAttribution: johnbarclay commentedIn the initial comment, the configuration is off. If only using first attribute in mapping/filter, they should look like:
Intranet HIS Content Manager|gid=170,rid=5
not
CN=Intranet HIS Content Manager,...|gid=170,rid=5
Comment #10
foo CreditAttribution: foo commentedThe og_group mapping filter I'm using (based on the Harry Potter examples from the config page) looks like this:
InformationTechnologyGroup|node:2:2
It shows as enabled on the /admin/config/people/ldap/authorization/ page. The results of a test on a known-good LDAP user are pasted below. The test results make me believe that the mapping works and is enabled, but my test users are never added to the InformationTechnologyGroup og group (/group/node/2/admin/people). Is "node:2:2" a valid end result for the group mapping?
Note: my test user belongs to three LDAP groups (InformationTechnologyGroup, AdmGroup, Faculty), but only one is mapped in the og_group authorization configuration.
Another note: this problem still affects me on ldap 2-0-dev (2013-Feb-18), and the recent OG 2.0 final release.
PREFILTERED AND FINAL MAPPINGS
Derive from DN (without filter):
disabled
Groups DNs (without filter)
AFTER "CONVERT FULL DN TO VALUE OF FIRST ATTRIBUTE BEFORE MAPPING"
Convert full dn to value of first attribute before mapping
AFTER MAPPINGS AND FILTERS APPLIED
Use Mappings as Filter = 1
Configured Mappings
InformationTechnologyGroup|node:2:2
Results after any filtering and mappings applied
Comment #11
johnbarclay CreditAttribution: johnbarclay commentedYour mappings are correct and looks like all is working well except the actual saving of the group membership. This is likely a bug in the saving part. The og_role_grant() calls in LdapAuthorizationConsumerOG.class.php are where the group memberships should be saved.
Are you using ldap_authentication?
Its remotely possible that its an artifact of a previous bug. By this I mean:
- if you have regrant ldap provisioned unchecked and
- there is a record in $user->data['ldap_authorization'] indicating the group was already granted
- but the group membership was never actually granted
It will not grant the group membership. To eliminate this as a possibility, delete the test user and test again.
Comment #12
Kazanir CreditAttribution: Kazanir commentedThe second part is unlikely, as the watchdog logs indicate the step where OG authorization strips "previously granted" group memberships. Since I have the "re-grant" checkbox checked, my authorization result makes it past this step, but is still not saved. It seems clear that something about saving the OG membership is going wrong.
Comment #13
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedI've updated to 7.x-2.0-beta3+23-dev and changed my mapping/filter, to:
Intranet HIS Content Manager|gid=170,rid=5
In "Test LDAP Authorization Configuration" I still get the same result after any filtering and mappings applied
170-5
Again, after logging in with my test account, the OG membership is not applied.
I also tested deleting the test user from Drupal and re-logging in with that same test account. The result is the same. It authenticates and creates a user but OG membership is not applied.
Comment #14
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedFYI - I just notice something I hadn't before. After viewing the test user edit page, I now see "Information Systems" which is gid 170 under My groups but it's not selected (see attached). This indicates that it was once or is somehow linked to that group. Alas the test user is not subscribed to that group.
Comment #14.0
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedJust fixing some typos.
Comment #15
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedAfter doing some more testing I discovered the following.
Deleting the test user and disabling the ldap_authorization_drupal_role config, leaving only the ldap_authorization_og config enable I was able to successfully assign an og membership / role on login. However, this only works if I kill the process (e.g. adding die;) at the end of the grantsAndRevokes function in LdapAuthorizationConsumerAbstract.class.php. Removing the "die;" in grantsAndRevokes and repeating process (deleting the user and logging in) the og membership is not assigned. It seems to be granting og membership and then revoking it later in the proccess. I'm not familiar with the whole LDAP proccess to figure out where it is revoked or why.
I also tested revoking the og membership of the test user through the standard method (denying membership with the og ui). I then logged out and logged back in to see if the og membership would be reassigned through LDAP. The og membership was not reassigned. Again, I killed the process at the end of the grantsAndRevokes function and echoed out several variables. In my test, $user_has_authorization equals 1 which is preventing the reassignment. In this case, $user_has_authorization should not be based on authorizations in the $user->data[ldap_authorizations] because the og membership is not determined by LDAP alone and Organic Groups won't, nor should it alter $user->data[ldap_authorizations]. Maybe there should be a varifyGroupMembership function to check if a user is, in fact a member of a group.
Again, my limited knowledge of how the LDAP module works as a whole is preventing me from offering any real solution, but I hope my clues might help in some capacity.
Comment #16
vgalindus CreditAttribution: vgalindus commentedThere seems to be a problem saving mapings in user object. When og_groups are saved user_roles are deleted and on sync when ldap maps first roles already mapped og_groups are deleted, this caused the process to always apply current mapping and avoid revoke of groups. This small change seems to fix the problem.
Comment #17
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedMy issue isn't that og_groups avoids revoke. My issue is that og_groups are not getting assigned at all, or they are assigned and then quickly revoked. I tested your patch to see if it would help, but it does not.
Comment #18
foo CreditAttribution: foo commentedThey're never assigned for me, either. I'm not using any other parts of LDAP; just the server config and the og_groups.
Comment #19
johnbarclay CreditAttribution: johnbarclay commentedThere are a number of issues including simpletest coverage. I'm adding test coverage of the 1.5 og then will start working through the mapping and record keeping part. Part of that is #16 patch. Part of its already been resolved by some ldap_user and ldap_authentication patches. Lets keep this thread open until all the mappings to og are functional. I realize this will be a rather broad issue, but some of these are closely related.
Comment #20
johnbarclay CreditAttribution: johnbarclay commentedPatch #16 should have no effect. I'm committing it to avoid confusion since it will not hurt the user->data array either. Its pushed to 7.x-2.x-dev.
Comment #21
johnbarclay CreditAttribution: johnbarclay commentedThe function hasAuthorization() for og 1.x was broken. I committed a fix:
http://drupalcode.org/project/ldap.git/commitdiff/44650af7e9a6cd473f915c...
This will help with some og 1.x issues.
Comment #22
johnbarclay CreditAttribution: johnbarclay commentedAttached is a patch that does the following:
- fix loading og group in revokeSingleAuthorization. This would have resulted in og 1.5 group roles never being removed since the group would never have been found.
- changes og_invalidate_cache() to only invalidate cache of single group being worked with. This will be a performance improvement.
I will commit this after the test coverage for og 1.5 is better; but please look at over and try it out.
Comment #23
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedI installed this mornings dev (7.x-2.0-beta3+46-dev) and applied 10907782-22.patch.
This patch helps, but the membership doesn't seem 100% committed. After deleting the test account and re-logging in the test user is a part of the correct group and the correct group role is assigned. However, if I add this user to another group through the standard method (adding membership with the og ui) then the original group that was assigned through ldap disappears.
One hint that the membership doesn't seem 100% committed is the same as before (#14). "Information Systems" is under My groups but it's not selected.
I also tested logging out and back in again to see if the group would be reassigned. It was not reassigned. Revoking the user memberships from other groups doesn't work either, at least not the group membership that was added through the og ui.
Comment #24
johnbarclay CreditAttribution: johnbarclay commented@#23. Thanks. This is helpful. This will clarify itself as I work through the functional tests for og 1.5. I will be sure to add tests to compare against a membership assignment via the UI rather than the api/functions.
Comment #25
johnbarclay CreditAttribution: johnbarclay commentedI committed a patch for a number of issues for og 1.5. The gist of the fixes are:
The commit is: http://drupalcode.org/project/ldap.git/commitdiff/285fa26e0a5f5f3043761e... and is specific to og 7.x-1.5 (not og 7.x-2.x). I still need to finish the simpletests for og 1.5 to make sure all the edge cases are functional and the functional tests for logins are covered.
See also [#http://drupal.org/node/1115704#comment-7162346]
Comment #26
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedGreat! The latest dev fixes my issue for newly authenicated users. Both Drupal roles and OG w/role are assigned / revoked as expected for new AD users loggin in. However, preexisting AD authenticated users are no longer able to login. I get the following error.
Error
The website encountered an unexpected error. Please try again later.
The logs show what appears to a duplicate user entry. For some reason it's attempting to create a new (duplate) user.
PDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'TestUser' for key 'authname': INSERT INTO {authmap} (uid, module, authname) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2); Array ( [:db_insert_placeholder_0] => 93 [:db_insert_placeholder_1] => ldap_authentication [:db_insert_placeholder_2] => TestUser ) in user_set_authmaps() (line 2029 of /srv/www/html/connect.cvmc.org/drupal/modules/user/user.module).
Leading up to the error above,
If I delete the Drupal user account and login, everything works but it seems users who were authenticated in a previous version of LDAP fails in the new version. I would really prefer not to have to delete all the previously authenticated users. Is there a fix for previously authenticated users?
Comment #27
johnbarclay CreditAttribution: johnbarclay commentedI can make a fix for previous users. If you can send me a couple of their user records I'll figure out what is going on. I suspect it has to do with the authmap.authname being set correctly. The fix/patch will be both to catch the error and fix past user data when appropriate.
Can you send me a few user records that do not function. That way I can replicate it and make sure its fixed. Here is a query:
select u.uid, u.mail,u.init, cast(data AS char(1000)) as data, a.authname, a.module from users u left outer join authmap a on a.uid = u.uid
Comment #28
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedI realized this morning why preexisting AD authenticated users were no longer able to login. I accidentally installed 7.x-1.x-dev instead of 7.x-2.x-dev. After some internal reflection, I uninstalled 7.x-1.x-dev and installed 7.x-2.x-dev. Now, preexisting AD authenticated users can login but OG mappings isn't working. This time, the groups aren't in the My Groups field as they were before. Drupal role mappings continue to work.
FYI, I also updated the drupal core to 7.21 this morning.
Comment #29
johnbarclay CreditAttribution: johnbarclay commentedI gave up on the og 7.x-1.x code within ldap authorization and rewrote it. The recurring issue was overriding individual grant and revoke functions in the LdapAuthorizationConsumerAbstract class. By trying to do individual grants/revokes a number of issue came up and I eventually got tired of chasing in circles.
The new code overrides the whole grants and revokes (grantsAndRevokes()) so so efficiencies are also gained. This is committed, but not thoroughly tested yet.
Comment #30
johnbarclay CreditAttribution: johnbarclay commentedI'm making this thread specific to LDAP Authorization 7.x-2.x and Organic Groups 7.x-1.5.
Comment #31
Kazanir CreditAttribution: Kazanir commentedI was experiencing precisely the same issues with OG 7.x-2.x -- does the code you have touched so far ONLY deal with OG 1.5?
I can test the latest dev with OG 2.x later today I suppose.
Comment #32
johnbarclay CreditAttribution: johnbarclay commentedGenerally it doesn't touch og 2. Many of the changes are applicable to og 2, but I'm unclear if og2 works or not. I had some funding to get the og 1.5 working and found several issues. og 2 is a little easier to work with so am not clear if the same issues are there. Also ldap authorization for og 2 has much better test coverage so is easier to code.
Please tests and start a thread "LDAP Authorization 7.x-2.x and Organic Groups 7.x-2: Group Granting and Revoking" if anything comes up.
Comment #33
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedI installed the latest dev and I found that og and og roles are being assigned correctly. The previous issue from (#14) is now fixed. Everything seemed to work great, until I logged out and back in again. What I found is the og and og roles that had been assigned were removed on the second login. I logged out and back in once more and the og and og roles were reassigned. This cycle continues with each login, the og / roles being assigned and then revoked.
Comment #34
johnbarclay CreditAttribution: johnbarclay commentedThanks. I'll test and debug this. I just finished the test coverage for og 1.5 and committed it. There was also a small array bug. This is all committed (see http://drupalcode.org/project/ldap.git/commit/eb390c1)
I'll test/fix the revoke/unrevoke pattern and add simpletests for it next.
Comment #35
johnbarclay CreditAttribution: johnbarclay commentedI can't replicate #33. I'm trying to recreate it in the test coverage also, but haven't finished the test coverage.
Comment #36
johnbarclay CreditAttribution: johnbarclay commentedI managed to replicate #33! Hopefully will be an easy fix. I cannot replicate it with any roles other than OG Admin role. With default roles or custom global roles, the issue doesn't seem to happen; I could be wrong about this as I have a small test set of groups.
The second mapping below is granted and revoked on alternating logons. The other 2 behave correctly.
Are you having issues with any other types of roles being revoked?
Comment #37
Kazanir CreditAttribution: Kazanir commentedEdit: I'll make a new issue for this.
Comment #38
johnbarclay CreditAttribution: johnbarclay commentedThe latest patch http://drupalcode.org/project/ldap.git/commitdiff/1e346a8747a0440726d1ab... is committed to 7,x-2.x-dev and deals with the alternate revoking and granting of og 1.5 roles. Please test.
The basic approach was to create an authorizationDiff($existing, $desired) method which dealt with og 1.5 cases differently.
Comment #39
johnbarclay CreditAttribution: johnbarclay commentedComment #40
scottAtRoot802 CreditAttribution: scottAtRoot802 commentedThe latest dev seems to fix my grant/revoke issues. Thanks for your hard work on this.
Comment #41
johnbarclay CreditAttribution: johnbarclay commentedComment #43
katannshaw CreditAttribution: katannshaw commentedI'm having this exact issue. I tried patch #38, but this test feature for granting and revoking OG roles is still not working for me at admin/config/people/ldap/authorization/test/og_group. For me, it says that it's successful, but doesn't actually grant/revoke the OG roles. The regular grant/revoke feature for LDAP to Drupal roles is working fine: http://test/drupal/admin/config/people/ldap/authorization/test/drupal_role
I'm using 7.x-2.0-beta5. Do you have any suggestions on what else I can do to get this working? I don't want to use a dev version with my live site for obvious reasons.
Comment #44
senorincognito CreditAttribution: senorincognito commentedIt seems, I am having the same problem as jayhawkfan75. I'm using 7.x-2.0-beta5 as well and have already tried the current 7.x-1.0-beta12 as well as 7.x-2.x-dev. The problem persists.
Roles are assigned just fined while any groups are revoked as soon as a user logs on. Deactivating LDAP_Authorization for OG or LDAP Authorization for roles separately doesn't help. Deactivating both at least stops the complete revocation of user groups.
Something strange that I noticed: Manually revoking/resetting ROLES from a user seems to trigger something as on the next log on the user is granted the correct roles as well as the correct groups. However on the next log on all groups are revoked again.
I can at least tell that the problem comes from the LDAP-module. Commenting the else part from the following code lines (in ldap.authorization.module) puts an end to the revoking problem, but obviously also stops the granting of roles or groups altogether.
I have no idea what even happens at this part as the function just returns to the login hook as some point with the revoking and granting happening somewhere inbetween.
Any help would be appreciated.
Comment #45
katannshaw CreditAttribution: katannshaw commentedI don't want to step on any toes, but I feel that I have to mark this issue as active since it's still occurring for me and senorincognito with the newest release versions. I did a thorough check of my LDAP OG mappings before responding, and the grant/revoke feature is still not working at all for me. I'm currently using LDAP 7.x-2.0-beta5 (including LDAP OG) and Organic Groups 7.x-2.3.
The test reports say that it was successfully granted, but that group is still not listed under by Group Membership list when I try to use this testing feature. Luckily, my OG groups get assigned properly when I log in normally. So at least that is working.
My only workaround to get this site going was to go through every user on the site and assign them to their groups. This grant/revoke feature would have saved me a lot of time, as it was a very time-consuming process.
If any additional reports will help the maintainers solve this issue, please let me know which ones you need. Hopefully it will get fixed soon.
Comment #46
johnbarclay CreditAttribution: johnbarclay commentedThis issue is specific to OG 7.x-1.x branch and LDAP Authorization 7.x-2.x. Please start another issue for anything related to OG 7.x-2.x; they are quite different.
Comment #47
senorincognito CreditAttribution: senorincognito commentedIt seems the problem is related to this issue: https://drupal.org/node/1588068
I've found three additional occurences of user_save() in the Authorization module. Applying the proposed fix to the user_save()-function in ldap_authorization.inc fixed the issue to a certain degree. Applying the fix to the other two occurences didn't seem to do anything at all.
In conclusion: At least group memberships are not randomly deleted while still being applied normally on user login. The only issue remaining is when a user already has any roles assigned to him no group memberships are assigned whatsoever.
Comment #47.0
senorincognito CreditAttribution: senorincognito commentedOne more correction.
Comment #48
micahw156As noted by johnbarclay in #46 above, this issue was fixed for OG 7.x-1.x.
The following new issues have picked up the conversation with new reports of similar problems.
Setting this issue back to Closed (fixed).