On a client project we needed the ability to prevent administrators from manually setting the bind password for non-anonymous searches in the Binding Method section of the LDAP Server Configuration tab. Instead, the preference was for this to be configurable through Drush instead, making it easily configurable during the build process without actually storing any password-related information in the code repository for the site via an LDAP configuration feature.
To control this, I added a checkbox that is used to remove the "Password for non-anonymous search" and "Clear existing password from the database" fields from the UI where they appear on the main LDAP Settings tab. I also added a "drush lssd" (drush ldap-servers-set-password) command for setting the password through Drush.
The attached patch contains these new features.
Comment | File | Size | Author |
---|---|---|---|
#16 | ldap_servers-drush-password-2400177-15.patch | 3.76 KB | grahl |
Comments
Comment #1
rklawson CreditAttribution: rklawson commentedComment #2
rklawson CreditAttribution: rklawson commentedReformatted the title of the patch file.
Comment #3
rklawson CreditAttribution: rklawson commentedFixed some help text and an issue with the way that the 'bindpw' and 'clear_bindpw' were being unset in terms of the bind process.
Comment #4
rklawson CreditAttribution: rklawson commentedRe-rolled the patch due to failures in Drush make when downloading from here at Drupal.org as a result of line endings.
Comment #5
rklawson CreditAttribution: rklawson commentedRe-rolled the patch, replacing the database queries to save the password in the Drush command with the save method of the LdapServerAdmin class.
Not only is this much better from a technical perspective, it was necessary because the defaults that set up the CTools export for the server config are not initially saved to the database without a save via the UI. This prevented the previous version of the Drush command from working during a build, since it was unable to find any configurations in the ldap_servers table.
Comment #6
rklawson CreditAttribution: rklawson commentedRe-rolled the patch to remove a call to ldap_servers_encrypt() in the drush command, since this is already handled by the class. The password was being encrypted and then that hash was being encrypted within the class.
Comment #7
rklawson CreditAttribution: rklawson commentedComment #8
larowlanComment #9
NWOM CreditAttribution: NWOM commentedThis patch worked perfectly and applied cleanly to the newest dev. Thank you very much! I however found one small typo:
Line 122:
+ the service account through the user interface, so use the "drush lssd" command to set the password instead.'),
Should instead be:
+ the service account through the user interface, so use the "drush lssp" command to set the password instead.'),
However, I noticed that it wasn't clear from the description how the drush command should be formatted, so I changed it further to this:
+ the service account through the user interface, so use the "drush lssp SERVERID --password="PASSWORD"" command to set the password instead.'),
Please review the attached patch. Thanks!
Comment #10
NWOM CreditAttribution: NWOM commentedPlease disregard the last patch. Here it is again.
Comment #11
NWOM CreditAttribution: NWOM commentedComment #13
NWOM CreditAttribution: NWOM commentedThis sadly no longer works on the newest dev (it applied cleanly however). It now always shows "Failed to Bind" when attempting to login, even though the Status Report shows that it is binded correctly.
Comment #14
NWOM CreditAttribution: NWOM commentedNevermind, #10 applies cleanly and works on the newest dev. Please review.
Comment #16
grahlHi
Thanks for following up with this NWOM.
I've added the drush command since it works fine, has no side-effects I can see and serves a genuine need to automate setting the service account in 7 outside of a feature module.
The remainder I've put into a separate patch since I don't see disabling the UI for setting the password as essential. If there is significant need for this, please speak up or I at least will leave this issue as postponed indefinitely.
I won't add this to 8 since configuration overrides can achieve the same thing there and are documented in the installation instructions.
Comment #17
grahlSince configuration overrides have been added to 7.x, I'm closing this issue. Users are free to use this approach but I won't be committing it.