Sometimes LDAP has a large database, and we need to sync only part of the LDAP users with Drupal. For other projects we use a global LDAP filter for this, with which we can restrict the database by a specific filter.
For example, exclude disabled Active Directory users via the filter (userAccountControl=512) or include users only from one group via (memberOf=CN=mygroup,DC=example,DC=com).
Right now I can't find a way to do this in the current LDAP 7.x module version.

Please add the ability to set a global LDAP filter for LDAP queries.

Comments

Murz created an issue. See original summary.

grahl wrote:

Hi

Please elaborate on what you mean by your sync requirements. Do you need this filter to be active in every search call, or do you have a narrower use case?

In terms of group inclusion, you should be able to force a requirement for a group with ldap_authorization and thus not get more results. Is segmenting on the basis of the basedn not an option for you? Also note that ldap_query allows you to execute queries with an arbitrary structure like the one you outlined, so triggering a batch operation with ldap_query could be part of the solution.

Please note that new features in the 7.x branch will likely only be added if a working, well-formed patch is provided.

Murz wrote:

I use a large user database in an Active Directory-compatible LDAP server via Zentyal, and use this database for authorization on many services. I configured the Drupal LDAP module to work with this LDAP server and sync users, but it syncs all users, even disabled ones.

Most other applications (SSSD, ejabberd, Zabbix server, etc.) have the ability to set a global LDAP search filter that applies to all LDAP queries, so I can exclude the items I don't need in one place.

Here is my LDAP filter on the Jabber server that includes only one group (CN=Department1,CN=Groups,DC=example), excludes disabled users (userAccountControl=512) and includes only users with an enabled Jabber account (objectClass=userJabberAccount):

    ldap_ufilter: "(&(objectClass=userJabberAccount)(sAMAccountName=%u)(userAccountControl=512)(memberOf=CN=Department1,CN=Groups,DC=example,DC=org))"

Another example for the SSSD service:

    ldap_user_search_filter = (&(userAccountControl=512)(memberOf=CN=Department1,CN=Groups,DC=example,DC=org))

But in the Drupal LDAP module I can't find a way to filter users like this. Adding a specific user that has access only to specific LDAP records is too hard on the server side.

So it would be good to have the ability to set up one global LDAP filter per LDAP server to solve these tasks. If not in 7.x, this feature is also needed in 8.x.

grahl wrote:

Hi Murz

I understand your argument for the general inclusion of a global filter; it's just not a priority at the moment and not a trivial change. Again, however, how are you syncing users? Are you using ldap_feeds? You have filters there...

Murz wrote:

Thanks for the suggestion, I will look at the ldap_feeds module. But right now I use the ldap_user module to sync Active Directory users with Drupal users, and solved my filter problem with a hardcoded change: in the file ldap_user/ldap_user.cron.inc, in the function _ldap_user_orphans($ldap_user_conf), I changed line 128 from:

    $ldap_filter = '(|' . join("", $ors) . ')';

to:

    // AND the orphan-check OR-list with the fixed global filter (stray quote around the group DN removed).
    $ldap_filter = '(&(|' . join("", $ors) . ')(userAccountControl=512)(memberOf=CN=mygroup,DC=example,DC=com))';

to remove disabled Active Directory users from the Drupal user list.
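The hardcoded change in the comment above ANDs the module's orphan-check filter with a fixed global filter. As an added illustration (not code from the ldap module or from Murz), here is a small Python helper that does that composition generically: it checks that both filters are parenthesised and balanced before wrapping them in (&...), escapes interpolated values per RFC 4515 so a username containing "*" or ")" cannot change the filter's structure, and shows the Active Directory bitwise matching-rule form of "account is not disabled" next to the exact-match userAccountControl=512 used in the thread (512 matches only accounts whose flags are exactly NORMAL_ACCOUNT, so accounts with extra flags such as "password never expires" would be dropped too). The function names, the orphan_filter approximation of the module's OR-list, the sample usernames and the group DN are my own assumptions.

```python
from typing import List, Optional

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into an LDAP filter string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check: parentheses in the filter open and close in order."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def compose_filter(query_filter: str, global_filter: Optional[str] = None) -> str:
    """AND a per-query filter with an optional site-wide global filter.

    An empty or missing global filter leaves the query filter untouched, so the
    same code path serves installations that do not configure one.
    """
    if not global_filter:
        return query_filter
    for f in (query_filter, global_filter):
        if not (f.startswith("(") and f.endswith(")") and is_balanced(f)):
            raise ValueError(f"malformed LDAP filter: {f!r}")
    return f"(&{query_filter}{global_filter})"


def orphan_filter(usernames: List[str]) -> str:
    """Assumed approximation of the OR-list the cron orphan check builds.

    Every username is escaped, so a value like 'b*b' or 'x)(cn=*' cannot widen
    the search.
    """
    ors = "".join(f"(sAMAccountName={escape_filter_value(u)})" for u in usernames)
    return f"(|{ors})"


# Two ways to express "account is not disabled" against Active Directory:
# exact match on the flag word, as used in the thread (only accounts whose
# userAccountControl is exactly 512 match) ...
EXACT_NORMAL_ACCOUNT = "(userAccountControl=512)"
# ... or the LDAP_MATCHING_RULE_BIT_AND rule on the ACCOUNTDISABLE bit (0x2),
# which keeps enabled accounts regardless of their other flags.
NOT_DISABLED_BITWISE = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Group DN constructed for the example; not a real directory.
GLOBAL_FILTER = f"(&{NOT_DISABLED_BITWISE}(memberOf=CN=mygroup,DC=example,DC=com))"


if __name__ == "__main__":
    # Constructed sample usernames, including one with a filter metacharacter.
    print(compose_filter(orphan_filter(["alice", "b*b"]), GLOBAL_FILTER))
```

The composed string is what a module would pass to the directory in place of the bare OR-list; keeping the global filter in configuration rather than in a patched cron file means the same restriction is applied to every query the module issues, which is the behaviour the thread asks for.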

hawat_vsu wrote:

Hi
I need to be able to filter out disabled users. Can we hope that the global filter function will be implemented?

grahl wrote:

Status: Active » Closed (won't fix)

Since there is no realistic chance that any new features will get into 7.x, I'm marking this closed now and referring to #2887546: How can we add filters for 8.x.

That being said, the feature is not a priority in general, so it won't get in quickly there either, feel free to patch your installation as you see fit.