I am using the latest dev version and I am experiencing the following problem: when I remove a role from a user in Active Directory, the role doesn't get removed from Drupal when the user logs in.

The only way I have managed to resolve this is to delete the user and let them login again.

I can't really delete every user to resolve this.

Thanks Dan

Comments

johnbarclay

Status: Active » Closed (duplicate)
danharper

Is this a duplicate? I couldn't find it in the issue queue.

Thanks Dan

johnbarclay

Title: Roles not being revoked. » LDAP Authorization: Authorization Tracking, Saving, and Revoking
Status: Closed (duplicate) » Active

Sorry. I must have closed too many of them. I'll make this the main issue for this. Here is the work that needs to be done on this:

  • make sure ldap authorization simpletests cover tracking of ldap authorization grants in user fields and/or user->data array.
  • make sure ldap authorization simpletests cover saving on logon of grants and revokes
  • make sure ldap configuration flags for revoking authorizations are implemented correctly

If you can summarize your settings at admin/config/people/ldap/authorization/edit/drupal_role that will help.

johnbarclay

I found one bug so far and it's fixed. See http://drupalcode.org/project/ldap.git/commitdiff/e312db36dc68fd1774e663...

Authorizations that were manually removed were being re-added when regrantLdapProvisioned was set to 0 instead of FALSE. This is fixed and committed.

danharper

Summary of settings:

x Only apply the following LDAP to drupal role configuration to users authenticated via LDAP....
x Convert full dn to value of first attribute before mapping

nothing in Mapping of LDAP to drupal role (one per line)

x When a user logs on.

x Revoke drupal roles previously granted by LDAP Authorization but no longer valid.
x Re grant drupal roles previously granted by LDAP Authorization but removed manually.
x Create drupal roles if they do not exist.

Thanks Dan

danharper

I have applied the patch but it hasn't solved my particular issue.

All my users were created before they logged in, using migrate, because I had to preserve the ID as I also imported lots of content. I think this may be part of the problem.

As each user logged in, they pulled through the correct Active Directory groups, and I have successfully tested it previously to make sure groups are being removed.

Cheers Dan

danharper

This is still an issue for me; is there anything in the database I can check?

What's the basic logic that should be applied?

Cheers Dan

johnbarclay

I added a patch to allow ignoring of past ldap authorization data stored in individual users (user->data[ldap_authorizations]). It can be enabled by enabling ldap_help and selecting both checkboxes at admin/config/people/ldap. As users log in, have accounts updated, or other actions trigger ldap authorization, the old data will be ignored.

The goal of this is to avoid bad data from past -dev versions affecting current -dev versions.
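The reconciliation Dan asked about (what should happen to LDAP-granted roles at login, and what the "discard old data" option changes) is modelled in the example below. This is an added illustration, not the Drupal ldap module's own code: the shape of `user->data['ldap_authorizations']` (role name to grant timestamp), the setting keys `revoke_stale` and `regrant_manually_removed`, and the sample timestamps are all assumptions made for the example. The clear date reused here is the one quoted later in this thread.

```python
# Added example (not the Drupal ldap module's own code): a reference model of the
# grant / revoke / regrant reconciliation that runs when an LDAP-authenticated
# user logs in, including the "discard data before <clear date>" option.
from datetime import datetime, timezone

# Constructed sample timestamps. CLEAR_DATE matches the value quoted in this
# thread; OLD_GRANT and NOW are invented for the illustration.
OLD_GRANT = datetime(2013, 1, 15, 9, 0, 0, tzinfo=timezone.utc)       # grant by an old -dev build
CLEAR_DATE = datetime(2013, 3, 28, 11, 20, 38, tzinfo=timezone.utc)   # "ignore data before" cutoff
NOW = datetime(2013, 4, 2, 8, 30, 0, tzinfo=timezone.utc)             # time of this login


def reconcile_roles(current_roles, ldap_roles, tracked, settings, now=NOW, clear_date=None):
    """Return (roles_after, tracking_after, granted, revoked).

    current_roles : roles the Drupal account holds before this login
    ldap_roles    : roles the LDAP group mapping yields for this login
    tracked       : assumed shape of user->data['ldap_authorizations']:
                    {role name: datetime at which the module granted it}
    settings      : the two checkboxes from the authorization config form
                    (keys 'revoke_stale' and 'regrant_manually_removed' are assumed)
    clear_date    : if set, tracking entries older than this are ignored
    """
    roles = set(current_roles)
    ldap_roles = set(ldap_roles)
    # The "discard" option: anything recorded before the cutoff is treated as
    # if the module had never granted it (so it is neither revoked nor regranted).
    tracking = {r: ts for r, ts in tracked.items()
                if clear_date is None or ts >= clear_date}
    granted, revoked = set(), set()

    # Flags are normalised with bool() so a form value of 0 behaves like FALSE;
    # the thread above describes a bug where 0 and FALSE were treated differently.
    revoke_stale = bool(settings.get("revoke_stale", False))
    regrant_removed = bool(settings.get("regrant_manually_removed", False))

    # 1. Revoke: a role the module granted earlier that LDAP no longer yields.
    if revoke_stale:
        for role in list(tracking):
            if role not in ldap_roles:
                if role in roles:
                    roles.discard(role)
                    revoked.add(role)
                del tracking[role]        # stop tracking it either way

    # 2. Grant: every role LDAP yields now.
    for role in ldap_roles:
        if role in roles:
            tracking.setdefault(role, now)   # already held; make sure it is tracked
        elif role in tracking:
            # Tracked but not held: an administrator removed it by hand.
            if regrant_removed:
                roles.add(role)
                granted.add(role)
                tracking[role] = now
        else:
            roles.add(role)
            granted.add(role)
            tracking[role] = now

    return roles, tracking, granted, revoked


if __name__ == "__main__":
    flags = {"revoke_stale": True, "regrant_manually_removed": True}
    before = {"authenticated", "editor", "admin"}
    stored = {"editor": OLD_GRANT, "admin": OLD_GRANT}
    # Without a clear date the stale 'admin' grant is revoked ...
    print(reconcile_roles(before, {"editor"}, stored, flags))
    # ... with the clear date the old record is ignored and 'admin' is left alone.
    print(reconcile_roles(before, {"editor"}, stored, flags, clear_date=CLEAR_DATE))
```

The point of the clear date is visible in the second call: the old tracking record is dropped, so a role that LDAP no longer yields is left in place as though an administrator had granted it, while the roles LDAP still yields are re-tracked with the current timestamp and will be revoked normally from then on. When checking the database, the thing to compare is therefore the `ldap_authorizations` entry in the user's serialized data against the roles the user actually holds.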

danharper

Status: Active » Fixed

Thanks very much for this update.

Dan

danharper

I can't seem to find the two checkboxes on this page: admin/config/people/ldap

I have the help module enabled.

Cheers Dan

johnbarclay

Status: Fixed » Active

It should have the following text and be at the bottom of the screen. Perhaps you don't have the current dev?

DEVELOPMENT
[]Enabled Detailed LDAP Watchdog logging. This is generally for debugging and reporting issues with the ldap modules and should not be left on.
[]Discard and ignore user authorization data stored by ldap module in user records data before 2013-03-28 11:20:38. This is useful for implementers of development versions of the module that may have corrupt user data from the past.
[]Reset the clear date to the current date 2013-03-28 11:20:38

danharper

Apologies, I had the wrong version.

What does this option mean?
[]Reset the clear date to the current date 2013-03-28 11:20:38

Cheers Dan

johnbarclay

This means set the time from which past user data is ignored to now.

johnbarclay

Assigned: Unassigned » johnbarclay
Issue summary: View changes
Status: Active » Closed (fixed)