In our company we've recently migrated from Drupal 6 to Drupal 7 and I'm having trouble configuring LDAP. Authentication is working ok, but the LDAP groups aren't created as Drupal roles.
With Drupal 6 and LDAP Integration the configuration was easy:
Check "Groups exist as LDAP entries where a multivalued attribute contains the members' CNs" + set groups DN to "ou=Groups,dc=htrueta,dc=intranet" and "Attribute holding group members:" to "memberUid".
With Drupal 7 I've activated the modules "LDAP Authorization" and "LDAP Authorization - Drupal Roles" (I attached the configuration here: Configuration.txt). I've activated the debug log; I attach the syslog and watchdog logs for a successful login here (logWatchdog.txt and logSyslog.txt).
The strange thing is that I can see in the logs that Drupal is searching in the "ou=Groups,dc=htrueta,dc=intranet" search base with the filter "(&(objectClass=posixgroup)(memberuid=12345678Z))". And that's ok! I tried that in Apache Directory and the search returns the user's groups.
Can anybody help me? Is this a bug?
Thx
| Comment | File | Size | Author |
|---|---|---|---|
| #23 | 1917254-group-roles-broken.patch | 1.63 KB | dgtlmoon |
| | Configuration.txt | 14.94 KB | Dimas_ |
| | logWatchdog.txt | 11.22 KB | Dimas_ |
| | logSyslog.txt | 7.53 KB | Dimas_ |
Comments
Comment #1
Dimas_ commented: Nobody? :(
Comment #2
johnbarclay commented: Does the ldap_authorization test produce any results for this user?
Comment #3
Dimas_ commented: No, no results. But I don't understand the reason, because the watchdog and syslog seem to search ok. The result of the test:
12345678Z drupal role drupal_role LDAP_Golum
Prefiltered and Final Mappings
Below are the "raw authorizations" and which strategy they are derived from. If enabled, the mapping filter is applied to these.
Derive from DN (without filter)
disabled
Groups DNs (without filter)
After "Convert full dn to value of first attribute before mapping"
Convert full dn to value of first attribute before mapping
After Mappings and Filters Applied
Use Mappings as Filter = 0
No Mappings Configured
Results after any filtering and mappings applied
Comment #4
katannshaw commented: Marked LDAP Authorization/SSO: 'user/login/sso' authenticates but does not log user in as duplicate issue.
@Dimas_: Did you ever resolve this issue with your install? I'm having the exact same problem, except that my "After Mappings and Filters Applied" section says the following:
Use Mappings as Filter = 1
Configured Mappings
CN=DrupalAuthor,OU=Security Groups,OU=All Users,DC=SERVERNAME,DC=com|author
CN=DrupalEditor,OU=Security Groups,OU=All Users,DC=SERVERNAME,DC=com|editor
...and so on...
Also for me, this is what the debug logs say when I test the Authorization setup against my username "jayhawkfan75":
Comment #5
Dimas_ commented: jayhawkfan75 I didn't. I don't have Drupal 7 syncing with LDAP; I have to update it manually :-/ I'd like to try with new versions of LDAP Integration, but not yet.
Comment #6
katannshaw commented: @Dimas_: That stinks. I hope that I don't have to resort to that, as it's one of the coolest features of this module. I really want users' accounts to be automatically updated by this setup.
@johnbarclay: Is there any word on the status of this issue report?
Comment #7
katannshaw commented: After some further testing and debugging, I solved my own issue by checking the Authorization test closely using the "Use 10 random users" option. (This is a very nice debug feature!)
So I thought I'd share what worked for me:
Comment #8
Snake1980 commented: Hi. I've got a problem with the mapping.
I created a new ROLE called "members".
And this is my user's DN (for example):
uid=1234444,OU=Dipendenti,OU=Astro,O=Astro Group
Now I'd like to assign the role called "members" to my user "1234444" or, if it's possible, to all users of the OU "Dipendenti".
Can you tell me how to configure the section "Mapping of LDAP to drupal role (one per line)" ?
Thanks.
Comment #9
katannshaw commented: Sure. I can share how I've set it up. I first created three new security groups in Active Directory named DrupalAuthor, DrupalEditor and DrupalNews.
Then I added the following three mappings under "Mapping of LDAP to drupal role (one per line)":
So I guess in your case, after you've created an AD security group named "DrupalMembers" or something similar, you'd enter the following under that section:
CN=DrupalMembers,OU=Drupal Groups,OU=Security Groups,OU=All Users & Groups,DC=YOURDOMAIN,DC=com|members
The "OU=Drupal Groups,OU=Security Groups,OU=All Users & Groups" part all depends on how you set that up in AD.
Hope it helps.
Comment #10
tresstylez commented: So, is the requirement that the GROUP be listed FIRST?? I also have it such that my user's specific name is listed first as the CN. "CN=User Name, OU=My Users, etc...".
Aside from changing the AD itself, is there a way to tweak the plugin to search for the group name further down the DN?
Comment #11
katannshaw commented: I *think* that it all depends on how you have your server set up at admin/config/people/ldap/servers. I currently have one server set up to use group settings, so it searches for the groups. You may be able to set up that section to use users instead, and then reference them on the Authorization's mapping section at admin/config/people/ldap/authorization/edit/drupal_role.
But I'd need verification of that from someone more knowledgeable.
Comment #12
keykan commented: I have the same problem here but the solution that jayhawkfan75 said didn't work for me. Using devel to check the DN, I just copied and pasted it to the field: 'Mapping of LDAP to drupal role (one per line)'.
I wonder if the attribute 'cn' is really needed because in our corporation we only use 'ou' and 'dc' (ou=users;dc=domain;dc=com) to organize the ldap server. Can anyone please give me a light?
Comment #13
kenorb commented
Comment #14
gash7 commented:
Prefiltered and Final Mappings
Below are the "raw authorizations" and which strategy they are derived from. If enabled, the mapping filter is applied to these.
Derive from DN (without filter)
inativo
Groups DNs (without filter)
After "Convert full dn to value of first attribute before mapping"
After Mappings and Filters Applied
Use Mappings as Filter = 1
Configured Mappings
cn=group1,ou=groups,ou=intranet,ou=services,dc=dominio,dc=com|node:group1:member (raw: node:3:5)
cn=group2,ou=groups,ou=intranet,ou=services,dc=dominio,dc=com|node:group2:member (raw: node:2:5)
cn=group3,ou=groups,ou=intranet,ou=services,dc=dominio,dc=com|node:group3:member (raw: node:5:5)
cn=group4,ou=groups,ou=intranet,ou=services,dc=dominio,dc=com|node:group4:member (raw: node:4:5)
cn=group5,ou=groups,ou=intranet,ou=services,dc=dominio,dc=com|node:group5:member (raw: node:6:5)
Also, I am not able to map the groups. Has anyone found the solution? Above is my output when I test the organic groups.
Comment #15
kenorb commented
Comment #16
Renee S commented: I'm seeing this as well. I have it working in D6, and while it's deriving groups from the LDAP DN, it isn't searching any groups. It just isn't doing it.
Comment #17
Renee S commented: gash7: try turning off "use mappings as filter". That filters out the groups, rather than including them. (There doesn't appear to be a way to have both includes and a filter.)
Comment #18
Renee S commented: Debugging note: when I include a Test Group LDAP Entry, it returns arrays of cn, objectclass, and uniquemembers (which is correct, as far as I can see). So, that part works. It's just not doing the next steps...
(Note, this is from the server config test. Where it's failing is in the Authentication, where it's deriving default DN fine, but not even looking for groups.)
eta: In Drupal 6 there was a box for "LDAP DNs containing groups". That seems to be missing.
Comment #19
kinglok commented: I found a working setting!
In ldap configuration, "LDAP Group Configuration",
Name of Group Object Class: group
uncheck "A user LDAP attribute such as memberOf exists that contains a list of their groups...."
LDAP Group Entry Attribute Holding User's DN, CN, etc.: member
User attribute held in "LDAP Group Entry Attribute Holding...": dn
The weird point is that you have to uncheck the memberOf related setting to make it work.
Comment #20
nullkernel commented: #19 worked for me! Thank you kinglok!
I spent a couple of days spinning my wheels trying all sorts of combinations to try to get the roles to map over from Active Directory. I could see the roles when I would test "Server configuration" page but not when I would run a test from the LDAP Authorizations page.
This has got to be a bug! Apache Directory Studio shows the memberOf attribute with a list of group DNs. I could not understand why one test would show the roles and another would not.
Comment #21
jeff.k commented: I agree with @nullkernel
#19 also worked for me after days of trying to assess why this was not working. MemberOf "should" work but it seems to do nothing.
Comment #22
buddym commented: #19 worked for me too.
Thank you very much kinglok!
Comment #23
dgtlmoon commented: I found some clues while looking into this (2008 ActiveDirectory). I suspect that ldap_servers_attributes_needed() is not returning all the fields required.
Name of Group Object Class = "groups"
Attribute in User Entry Containing Groups = "memberOf"
LDAP Group Entry Attribute Holding User's DN, CN, etc. = "distinguishedname"
User attribute held in "LDAP Group Entry Attribute Holding..." = "dn"
Groups are derived from user's LDAP entry DN. is ENABLED
Attribute of the User's LDAP Entry DN which contains the group = "ou"
LDAP TO DRUPAL ROLE MAPPING AND FILTERING = "CN=drupal,OU=webadmin,DC=drupal,DC=local|editor"
When LdapServer::groupUserMembershipsFromUserAttr() is called, $user['attr'][$this->groupUserMembershipsAttr] was empty. This was my first clue: I knew I had set that value, but it's not set in the $user attributes returned from the LDAP server. I performed a command line query and could confirm the values I was after were coming across the wire.
In userUserNameToExistingLdapEntry(..) it loads the attribute maps that are required.
But $attributes does NOT contain distinguishedname or memberOf.
The ldap_servers_attributes_needed(...) implements a hook_ldap_attributes_needed_alter.
There are ldap_user_ldap_attributes_needed_alter and ldap_authorization_ldap_attributes_needed_alter, which add DN, mail_attr (mail), picture_attr (picture) etc., BUT never the $ldap_server->groupMembershipsAttr or $ldap_server->groupUserMembershipsAttr values.
So, it seems to be:
1 - ldap_authorization_ldap_attributes_needed_alter(...) never adds groupMembershipsAttr to the $user attr, ever.
2 - ldap_authorization_ldap_attributes_needed_alter(...) is called with an $ldap_context of 'all', which means it's skipping adding 'groupUserMembershipsAttr' to the $user attr.
This feels to me like the concept of 'contexts' needs a little bit of a tidy-up. The supplied patch got me going, but I'm not sure it's totally the right way forwards.
The steps I followed are at https://www.drupal.org/node/1302070
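To make the two membership strategies argued over in this thread concrete, here is a small added model (constructed for this page; it is not code from the ldap module or from any commenter). Strategy A reads the group list from the user's own entry (the memberOf setting in #23 and #25); strategy B searches group entries whose member attribute lists the user (the posixgroup/memberUid filter in the original post and the "member"/"dn" setting in #19). It also models dgtlmoon's observation in #23: if the attribute list requested from the server never includes memberOf, strategy A returns nothing even though the directory holds the data, while strategy B still finds the groups. Finally it applies "DN|role" mappings with "Use mappings as filter" on and off (#17). The directory contents, the DN "cn=alice,ou=people,dc=example,dc=com", the mapping text, and the pass-through of unmapped groups under their first RDN value are all assumptions made for the example.

```python
"""Toy model (constructed, not module code) of how LDAP group membership
becomes Drupal roles, and why the memberOf strategy can come back empty while
the group-side search still finds the groups."""


def norm_dn(dn):
    """DNs compare case-insensitively; also drop spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed directory: one user in two groups, one group listing members by
# DN (Active Directory style) and one by uid (posixGroup style).
USER_DN = "cn=alice,ou=people,dc=example,dc=com"
DIRECTORY = {
    USER_DN: {"objectclass": ["inetOrgPerson"], "uid": ["alice"],
              "memberof": ["cn=editors,ou=groups,dc=example,dc=com"]},
    "cn=editors,ou=groups,dc=example,dc=com": {
        "objectclass": ["group"], "cn": ["editors"], "member": [USER_DN]},
    "cn=authors,ou=groups,dc=example,dc=com": {
        "objectclass": ["posixGroup"], "cn": ["authors"], "memberuid": ["alice"]},
}
# Hypothetical content of the "Mapping of LDAP to drupal role" textarea.
MAPPING_TEXT = "cn=editors,ou=groups,dc=example,dc=com|editor\n"


def fetch_entry(dn, attributes_needed):
    """Model the user lookup: as on a real server, only the attributes that
    were asked for come back (the list dgtlmoon found incomplete in #23)."""
    wanted = {a.lower() for a in attributes_needed}
    return {k: v for k, v in DIRECTORY[norm_dn(dn)].items() if k in wanted}


def groups_from_user_attr(user_entry, attr="memberOf"):
    """Strategy A (#23, #25): read the group list off the user's own entry."""
    return [norm_dn(g) for g in user_entry.get(attr.lower(), [])]


def groups_from_group_entries(user_dn, user_entry, group_class, member_attr, user_attr):
    """Strategy B (#19 and the original post): find group entries whose member
    attribute lists the user, i.e. (&(objectClass=<class>)(<member_attr>=<value>))."""
    by_dn = user_attr.lower() == "dn"
    if by_dn:
        value = norm_dn(user_dn)
    else:
        values = user_entry.get(user_attr.lower(), [])
        if not values:
            return []
        value = values[0].lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if group_class.lower() not in {c.lower() for c in entry.get("objectclass", [])}:
            continue
        members = [norm_dn(m) if by_dn else m.lower() for m in entry.get(member_attr.lower(), [])]
        if value in members:
            hits.append(dn)
    return hits


def parse_mappings(text):
    """Parse 'ldap value|drupal role' lines into {normalised group dn: role}."""
    mappings = {}
    for line in text.splitlines():
        if "|" in line:
            ldap_value, role = line.rsplit("|", 1)
            mappings[norm_dn(ldap_value)] = role.strip()
    return mappings


def roles_for(group_dns, mappings, use_mappings_as_filter):
    """With the filter on (#17) only mapped groups yield roles; with it off,
    unmapped groups pass through under their first RDN value (an assumption
    standing in for 'convert full dn to value of first attribute')."""
    roles = set()
    for dn in group_dns:
        if dn in mappings:
            roles.add(mappings[dn])
        elif not use_mappings_as_filter:
            roles.add(dn.split(",", 1)[0].split("=", 1)[1])
    return sorted(roles)


def demo():
    """Run the thread's scenarios and return the results by name."""
    sparse = fetch_entry(USER_DN, ["uid", "mail"])            # memberOf never requested
    full = fetch_entry(USER_DN, ["uid", "mail", "memberOf"])  # attribute list includes it
    by_dn = groups_from_group_entries(USER_DN, full, "group", "member", "dn")
    by_uid = groups_from_group_entries(USER_DN, full, "posixGroup", "memberUid", "uid")
    mappings = parse_mappings(MAPPING_TEXT)
    return {
        "memberof_missing": groups_from_user_attr(sparse),   # [] -> the #23 symptom
        "memberof_present": groups_from_user_attr(full),
        "group_side_dn": by_dn,
        "group_side_uid": by_uid,
        "roles_filtered": roles_for(by_dn + by_uid, mappings, True),
        "roles_unfiltered": roles_for(by_dn + by_uid, mappings, False),
    }
```

Running `demo()` shows the split the thread keeps hitting: "memberof_missing" is an empty list because the user lookup never asked for the attribute, while both group-side searches find their group. That is why a server-page test (which fetches the whole entry) can show groups while the authorization test (which only fetches the attributes it thinks it needs) shows none, and why unchecking the memberOf option, as in #19, sidesteps the problem by switching to strategy B.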
Comment #24
cherner commented: Hello!
Just in case this helps anyone else, #19 SORTA worked for me :)
The only thing is, the Name of Group Object Class for my LDAP setup is "posixgroup" and not "group"
Comment #25
Saoirse1916 commented: I agree with #19 as well, though I had a completely different configuration from https://www.drupal.org/node/1302070, so here it is if it helps:
Connection Settings
Machine name: anything
Name: Anything
Enabled: Checked
LDAP Server Type: Active Directory
LDAP Server: IP address of our server
LDAP Port: 389
Use Start-TLS: Unchecked
Follow LDAP Referrals: Unchecked
Binding Method
Binding Method for Searches: Service Account Bind
DN for non-anonymous search: (a user on my AD) CN=username,OU=A_Department,OU=A_Branch,DC=domain,DC=local
Password: that user's AD password
LDAP User to Drupal User Relationship
Base DNs for LDAP user, groups, and other entries: OU=A_Branch,DC=domain,DC=local (in our AD, everything is grouped under a single branch first.)
AuthName attribute: samaccountname
Email attribute: mail
(everything else blank)
LDAP Group Configuration
Name of Group Object Class: group
Nested groups are used in my LDAP: unchecked
A user LDAP attribute such as memberof exists...: checked
Attribute in User Entry Containing Groups: memberof
LDAP Group Entry Attribute Holding User's DN, CN, etc.: distinguishedname
User attribute held in "LDAP Group Entry Attribute Holding...": dn
Groups are derived from user's LDAP entry DN: unchecked
(everything else blank)
On the Authorization tab I used the following to set up my three groups and map them to the three roles under "Mapping of LDAP to drupal role":
CN=Department Admins,CN=Users,DC=domain,DC=local|Department Administrator
CN=IT Admins,CN=Users,DC=domain,DC=local|IT Administrator
CN=HR Admins,CN=Users,DC=domain,DC=local|HR Administrator
Hope this helps someone! I felt like dancing when it finally worked for me.
Comment #26
grahamtk commented: @Saoirse1916 #25
I wonder what version of the ldap module you are using, as I have tried replicating your results with the latest 7.x-2.beta-8 version, but cannot succeed, and I can see the groups by listing the memberof attribute in the ldap query test page.
Did you use the dev version?
Thanks.
Comment #27
oranges13 commented: No patch required; the suggestion from #19 worked for me. Even though the attribute "memberOf" does exist on the User object, this did not work properly until I unchecked that selection in the server groups settings.
Comment #28
Saoirse1916 commented: @grahamtk sorry I didn't see your reply -- I'm using the dev version at the moment.
Comment #29
grahl commented
Comment #31
grahl commented: Since there wasn't any additional input here for two years I'm closing this issue as outdated.
If you are still running into this with 2.3 or a current dev version, please open another issue.