I am using the latest dev version and I am experiencing the following problem: when I remove a role from a user in Active Directory, the role doesn't get removed from Drupal when the user logs in.
The only way I have managed to resolve this is to delete the user and let them login again.
I can't really delete every user to resolve this.
Thanks Dan
Comments
Comment #1
johnbarclay commented
Comment #2
danharper commented
Is this a duplicate? I couldn't find it in the issue queue.
Thanks Dan
Comment #3
johnbarclay commented
Sorry. I must have closed too many of them. I'll make this the main issue for this. Here is the work that needs to be done on this:
If you can summarize your settings at admin/config/people/ldap/authorization/edit/drupal_role that will help.
Comment #4
johnbarclay commented
I found one bug so far and it's fixed. See http://drupalcode.org/project/ldap.git/commitdiff/e312db36dc68fd1774e663...
Authorizations that were manually removed were being re-added when regrantLdapProvisioned was set to 0 instead of FALSE. This is fixed and committed.
Comment #5
danharper commented
Summary of settings,
x Only apply the following LDAP to drupal role configuration to users authenticated via LDAP....
x Convert full dn to value of first attribute before mapping
nothing in Mapping of LDAP to drupal role (one per line)
x When a user logs on.
x Revoke drupal roles previously granted by LDAP Authorization but no longer valid.
x Re grant drupal roles previously granted by LDAP Authorization but removed manually.
x Create drupal roles if they do not exist.
Thanks Dan
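The revoke and regrant settings listed in comment #5, together with the 0-versus-FALSE bug described in comment #4, as an added PHP sketch that is not code from the ldap module. The function, its parameters, the role names and the reconciliation logic itself are assumptions made for illustration.

```php
<?php
// Added sketch, not code from the ldap module. Every name here is hypothetical.
// $current: roles the user holds now.  $ldap: roles mapped from current AD groups.
// $granted: per-user record of roles granted by earlier LDAP logins.
function reconcile_roles(array $current, array $ldap, array $granted,
                         $revoke, $regrant, $fragile = FALSE) {
  // Fragile test: only boolean FALSE switches regrant off, so a stored 0 or
  // '0' leaves it on. Robust test: cast once, so 0, '0', '' and FALSE are off.
  $regrant_on = $fragile ? ($regrant !== FALSE) : (bool) $regrant;

  $roles = $current;
  $added = array();
  foreach ($ldap as $role) {
    if (in_array($role, $current, TRUE)) {
      continue;  // already held
    }
    // Recorded as granted but no longer held: an admin removed it by hand.
    $removed_by_hand = in_array($role, $granted, TRUE);
    if (!$removed_by_hand || $regrant_on) {
      $roles[] = $role;
      $added[] = $role;
    }
  }
  $record = array_unique(array_merge($granted, $added));
  if ($revoke) {
    // Revocation is scoped to the record: a role that LDAP no longer maps is
    // dropped only if an earlier login recorded it as LDAP-granted.
    $stale = array_diff($record, $ldap);
    $roles = array_diff($roles, $stale);
    $record = array_diff($record, $stale);
  }
  return array(array_values($roles), array_values($record));
}

// Constructed sample data: each case is current, granted, revoke, regrant, fragile.
$ldap = array('editor');  // AD group membership now maps only to "editor"
$cases = array(
  'stale role recorded'     => array(array('editor', 'publisher'), array('editor', 'publisher'), TRUE, TRUE, FALSE),
  'stale role not recorded' => array(array('editor', 'publisher'), array('editor'), TRUE, TRUE, FALSE),
  'regrant=0, robust test'  => array(array(), array('editor'), TRUE, 0, FALSE),
  'regrant=0, fragile test' => array(array(), array('editor'), TRUE, 0, TRUE),
);
foreach ($cases as $label => $c) {
  list($roles, $record) = reconcile_roles($c[0], $ldap, $c[1], $c[2], $c[3], $c[4]);
  printf("%-24s roles=[%s] record=[%s]\n", $label, implode(',', $roles), implode(',', $record));
}
```

In this sketch a role that is missing from the stored record is treated as manually assigned and survives revocation, which is why the content of the per-user record matters as much as the two settings.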
Comment #6
danharper commented
I have applied the patch but it hasn't solved my particular issue.
All my users were created before they logged in using migrate because I had to preserve the ID as I also imported lots of content. I think this may be part of the problem.
As each user logged in they pulled through the correct Active Directory groups and I have successfully tested it previously to make sure groups are being removed.
Cheers Dan
Comment #7
danharper commented
This is still an issue for me, is there anything in the database I can check?
What's the basic logic that should be applied?
Cheers Dan
Comment #8
johnbarclay commented
I added a patch to allow ignoring of past ldap authorization data stored in individual users (user->date[ldap_authorizations]). It can be enabled by enabling ldap_help and selecting both checkboxes at admin/config/people/ldap. As users log in, have accounts updated, or other actions that trigger ldap authorization, the old data will be ignored.
The goal of this is to avoid bad data from past -dev versions affecting current -dev versions.
Comment #9
danharper commented
Thanks very much for this update
Dan
Comment #10
danharper commented
I can't seem to find the two checkboxes on this page admin/config/people/ldap
I have the help module enabled.
Cheers Dan
Comment #11
johnbarclay commented
It should have the following text and be at the bottom of the screen. Perhaps you don't have the current dev?
DEVELOPMENT
[]Enabled Detailed LDAP Watchdog logging. This is generally for debugging and reporting issues with the ldap modules and should not be left on.
[]Discard and ignore user authorization data stored by ldap module in user records data before 2013-03-28 11:20:38. This is useful for implementers of development versions of the module that may have corrupt user data from the past.
[]Reset the clear date to the current date 2013-03-28 11:20:38
Comment #12
danharper commented
Apologies, I had the wrong version.
What does this option mean?
[]Reset the clear date to the current date 2013-03-28 11:20:38
Cheers Dan
Comment #13
johnbarclay commented
This means set the time from which past user data is ignored to now.
Comment #14
johnbarclay commented