A frequent request I get is the need to create users and set their roles before they actually log in. This allows a site admin to avoid a two-step process: tell the user to log in, then assign roles.


retsamedoc:

Perhaps a good use for hook_cron?

johnbarclay:

Yes. Cron would be useful for a mass prepopulation. The use case I had in mind is more like this:

Admin Bob needs to give someone in their workgroup the admin role on a new Drupal install. There is no LDAP group to automatically map this user to the admin role. So Admin Bob needs to create the user and set the role. Then he has the new user log on with LDAP authentication.

In ldapauth version 5 you could do this. In 6 it was removed and this created some problems for some admins on my campus.

I'm really asking for the ability to not destroy an existing user when they authenticate with LDAP.

retsamedoc:

Oh, okay. That makes much more sense. You would like to "remap" existing users to LDAP users.

Seems more like a case for how authz should handle syncing roles to groups/attributes/whatever.

johnbarclay:

Yeah. This is more of a use case to keep in mind than a feature. I just don't want to lose track of the use cases, especially the ones that don't apply to me.

netw3rker:

Re: mass import.
There are a bunch of issues with this that aren't apparent.
1) LDAP servers often limit the number of results that can come back from a single query, thus guaranteeing an incomplete set of data.
1a) There is no paging option in the LDAP protocol.
2) Data concurrency becomes a huge issue. A background process will have to constantly be re-syncing account data.

I see 2 easier use cases for this:
1) An additional tertiary menu item on the user->add screen that lets you add someone from LDAP
2) The ability to directly map OUs to roles, so that users who simply log in and have that OU will get the role specified (this would be just like the siteminder_roles module that I'm maintaining as part of the siteminder module at http://drupal.org/project/siteminder )

That will probably be a lot more manageable than giving them the ability to import a ton of users.

Incidentally, though, cron might not be the best way. I'd think the Batch API would be a better way, because they'd want to see the users show up quickly rather than slowly over the course of a few days (depending on the numbers).


johnbarclay:

The OUs-to-roles functionality is more of an authorization thing, and I use this feature in ldapgroups. It's the top option in the group configuration.

What I need is the use case where I need to set user roles, ownership of some nodes, or other tasks before the user logs in. Usually for a single person or a unique group. The add user form should work, we would just need to hook into it.

emdalton:

I need this too. Otherwise I have to have users log in, then go in and edit their roles to grant permissions. It's confusing to my users.

bbenone:

This is also a need of ours...

We've implemented this using a lot of custom code to allow, for example, an OG owner to add people to their group that are in the LDAP. More generally, what we've done is overridden the standard Drupal user typeahead field to query the LDAP for the type-ahead suggestions. Then you select who you need and it creates the local account, pulls profile data, etc., all behind the scenes.

This allows you to create accounts for people and get them all set up in the groups they should be in, with the roles they need, without them ever logging in. They log in, using their university credentials, and everything is all set. This type of capability is sorta necessary for things like group collaboration tools, LMS, etc.

P.S., I think that autocreating local accounts for all users in the directory w/ cron is a bad idea... I'd guess that some of the directories we deal with have hundreds of thousands (maybe even millions?) of entries (students, alumni, parents, employees, past employees, sponsored accts, vendors, on and on...). Granted, you could trim that down a bit with some good filters to only pull the people you need, but still I don't see the justification in synchronizing and duplicating all that data. That's what the directory is for; it should be integrated with, not copied. Besides, as netw3rker pointed out above (#5), it may be impossible given the query return limitations that most institutions place on their LDAP schemas and the lack of a pager to pull, say, 100 records at a time. Also, I'm pretty sure IT would strongly frown on it...

Fidelix:

Is this somehow currently possible in D6?

I've been searching for this for a long time...

johnbarclay:

Assigned: Unassigned » johnbarclay

It works in D5, but not D6. You can configure D5 to resolve LDAP/Drupal conflicts and create the accounts ahead of time. But I'm not sure what the end result is. LDAP Authentication in D7 takes care of this, but I'd like to hook into the user creation/admin form and allow the site maintainer to create a user and check if they must be LDAP authenticated.

johnbarclay:

There are 2 tasks here:

1. Add the configuration and steps to prepopulate an LDAP user. It can be done with current functionality as outlined at http://drupal.org/node/1053748

2. Allow LDAP accounts to be created by admins when not using mixed mode and conflict resolution. This would be simply hooking into the create account form with an LDAP checkbox and adding a validate function that finds the user in the LDAP directory and sets the user authmaps etc. for them.

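Task 2 above describes a form hook plus a validate function. The following is an added example of what that looks like in Drupal 7, written for this thread; it is not code from the LDAP module or from johnbarclay. It is a hypothetical module named "ldap_precreate": the server URI, base DN, bind credentials and the authmap module key are placeholders, and the LDAP lookup uses PHP's own ldap extension directly rather than the LDAP module's server objects. The validate step refuses to create the account unless the username matches exactly one directory entry, and it escapes the username before building the search filter so a crafted name cannot change what the filter matches.

```php
<?php
/**
 * @file
 * Hypothetical "ldap_precreate" module (added example, not part of the LDAP
 * module). Adds an "LDAP user" checkbox to the admin "Add user" form, verifies
 * the username in the directory during validation, and records an authmap so
 * the new account is LDAP-associated before the person ever logs in.
 */

// Placeholder directory settings; a real module would read these from the
// LDAP module's server configuration instead of constants.
define('LDAP_PRECREATE_URI', 'ldaps://ldap.example.edu');
define('LDAP_PRECREATE_BASE_DN', 'ou=people,dc=example,dc=edu');
define('LDAP_PRECREATE_BIND_DN', 'cn=drupal-lookup,ou=service,dc=example,dc=edu');
define('LDAP_PRECREATE_BIND_PW', 'placeholder-password');
// Assumed authmap key; it must match the module name the installed LDAP
// authentication module registers its authmaps under.
define('LDAP_PRECREATE_AUTHMAP_MODULE', 'ldap_authentication');

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form().
 */
function ldap_precreate_form_user_register_form_alter(&$form, &$form_state) {
  // Only the administrative "Add user" form, never public self-registration.
  if (!user_access('administer users')) {
    return;
  }
  $form['ldap_precreate'] = array(
    '#type' => 'checkbox',
    '#title' => t('Must authenticate via LDAP'),
    '#description' => t('The username must already exist in the directory.'),
  );
  // Runs after core's own user_register_validate() / user_register_submit().
  $form['#validate'][] = 'ldap_precreate_validate';
  $form['#submit'][] = 'ldap_precreate_submit';
}

/**
 * Escapes a value for use inside an LDAP search filter (RFC 4515).
 *
 * Without this, characters such as "*" or ")" in a username would alter the
 * filter and could match a different entry. PHP >= 5.6 provides ldap_escape()
 * for the same purpose.
 */
function ldap_precreate_filter_escape($value) {
  return str_replace(
    array('\\', '*', '(', ')', "\0"),
    array('\5c', '\2a', '\28', '\29', '\00'),
    $value
  );
}

/**
 * Returns the DN for a username, or FALSE if it is absent or ambiguous.
 */
function ldap_precreate_lookup_dn($username) {
  $conn = ldap_connect(LDAP_PRECREATE_URI);
  if (!$conn) {
    return FALSE;
  }
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  if (!@ldap_bind($conn, LDAP_PRECREATE_BIND_DN, LDAP_PRECREATE_BIND_PW)) {
    return FALSE;
  }
  $filter = '(uid=' . ldap_precreate_filter_escape($username) . ')';
  // Size limit of 2: enough to detect an ambiguous match without pulling a
  // large result set from the server.
  $result = @ldap_search($conn, LDAP_PRECREATE_BASE_DN, $filter, array('dn'), 0, 2);
  if (!$result) {
    ldap_unbind($conn);
    return FALSE;
  }
  $entries = ldap_get_entries($conn, $result);
  ldap_unbind($conn);
  return ($entries['count'] === 1) ? $entries[0]['dn'] : FALSE;
}

/**
 * Validation handler: block account creation if the user is not in LDAP.
 */
function ldap_precreate_validate($form, &$form_state) {
  if (empty($form_state['values']['ldap_precreate'])) {
    return;
  }
  $name = $form_state['values']['name'];
  $dn = ldap_precreate_lookup_dn($name);
  if ($dn === FALSE) {
    form_set_error('name', t('No unique LDAP entry found for %name.', array('%name' => $name)));
    return;
  }
  $form_state['ldap_precreate_dn'] = $dn;
}

/**
 * Submit handler: core's user_register_submit() has already saved the account
 * into $form_state['user'], so the authmap can be attached to it here.
 */
function ldap_precreate_submit($form, &$form_state) {
  if (empty($form_state['ldap_precreate_dn']) || empty($form_state['user'])) {
    return;
  }
  $account = $form_state['user'];
  user_set_authmaps($account, array(
    'authname_' . LDAP_PRECREATE_AUTHMAP_MODULE => $account->name,
  ));
}
```

Because the authmap is written at creation time, the account already looks like an LDAP account on first login, which is the "don't destroy an existing user" behaviour asked for earlier in the thread; whether the password field should be ignored for such accounts is left to the authentication module's own settings.
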
johnbarclay:

Title: Prepopulate Users in LDAP Authentication » Prepopulate Individual Users in LDAP Authentication
Component: Code » Documentation
Assigned: johnbarclay » Unassigned
Category: feature » task

This is doable in the current version for individual users. Some documentation would help users do this. The mass import or syncing of users should be a 7.x-2.x feature request.

johnbarclay:

Title: Prepopulate Individual Users in LDAP Authentication » LDAP User: Prepopulate Individual Users in LDAP Authentication
Version: 7.x-1.x-dev » 7.x-2.x-dev
Category: task » feature
Issue tags: +7.x-2.0 release blocker

carlovdb:

Will this be possible?

Kind regards

wbenney:

I have updated to ldap-7.x-2.0-beta3, which includes the "users" module, and still cannot find a way to pre-populate Drupal users from AD. Based on what I can see, this functionality is still not built into the new module, correct? If so, is there any target date?

johnbarclay:

Yes. This is very doable in the 2.0 branch. When a 2.0 release candidate is ready, I expect to get back to documentation work and cover this. Currently no one is working on documentation.

I'm not sure how to tag this issue as both implemented and needs documentation so I have it tagged as "Documentation", "Feature Request" and "active".

froboy:

Re: #16, do you mean that this is implemented and just needs to be documented or that it's possible but not quite there yet? I'm looking for this too and would be willing to poke around and then write some documentation.

johnbarclay:

It's ready.

Method 1:
- set LDAP Authentication to mixed mode
- create a Drupal user with a username matching the LDAP-derived username
- when the user logs on, they will become LDAP associated

Method 2:
- use LDAP Feeds to bring in users

Method 3:
- in LDAP User, select: "Associate manually created Drupal accounts with related LDAP Account if one exists"

larowlan:

Issue summary: View changes
Status: Active » Needs work

We need someone to write some docs here. Any takers?

grahl:

Status: Needs work » Active

grahl:

Status: Active » Closed (outdated)