If you don't select "Use LDAP group to drupal roles filtering" the generated roles are the fully qualified LDAP name.
Mapping of LDAP to Drupal Role: "CN=IS,CN=Users,DC=somewhere,DC=org|admin"
Disable "Use LDAP group to drupal roles filtering"
Test/login with user that has 10 attributes.
IIRC, LDAP Integration picked the top CN? So an LDAP memberOf attribute of "CN=IS,CN=Users,DC=atlanticgeneral,DC=org" would generate a non-filtered role of "IS". Only messed around with it briefly while researching different CMS' and haven't gotten it working again yet.
Comments
Comment #1
johnbarclay commented
This is by design. The mapping is pretty much a requirement; if there was an implied mapping it might collide with other roles.
Do you have an approach that will not accidentally collide with existing Drupal roles?
Comment #2
wernercd commented
I only briefly toyed with LDAP on Drupal 6 with ldap_integration... but from what I remember, it would make Drupal roles from the 'top CN' in the list. (Like I said... fuzzy memory and I'll have to rebuild that setup to see if that's actually how it worked.)
For example, say I had (random memberOf from a user of mine):
CN=WIS,CN=Recipients,CN=Users,DC=somewhere,DC=org
CN=IS Printing,CN=Users,DC=somewhere,DC=org
CN=Information Services,CN=Recipients,CN=Users,DC=somewhere,DC=org
CN=Exchange Users,CN=Recipients,CN=Users,DC=somewhere,DC=org
CN=MisysUser,OU=Misys,DC=somewhere,DC=org
CN=Remote Desktop Users,CN=Builtin,DC=somewhere,DC=org
CN=IS,CN=Users,DC=somewhere,DC=org
Drupal groups would be created for "WIS, IS Printing, Information Services, Exchange Users, MisysUser, Remote Desktop User and IS", and the above user would be added to those groups.
Not sure I understand your "collide" problem. I assume you mean that, say, I had users set up as IS before LDAP, and then the auto-mapping goes adding the above user to IS without my knowledge? That's the whole point of the auto-mapping, I thought, or maybe I'm reading the question wrong.
I guess what confuses me is the "required option". Is it my use of memberOf that makes things muddy? Or just the option that's assumed being used? If it's required, remove the checkbox or reverse it (instead of "Use LDAP group to drupal roles filtering", have the checkbox be something like "Check to disable roles filtering", since that would be the less used option. With explanation of why this is a bad idea to disable filtering)
In my situation, I have no issues with LDAP leading the way when it comes to role creation (creating all the roles above for example). I also have no issue with creating the role via Drupal and hand-mapping LDAP to those roles.
Hope I make sense :) I think you're doing a great job.
Comment #3
johnbarclay commented
I think it's best not to have a default mapping. At DrupalCon Chicago I talked to some users who were having trouble with this and I think the best solution is:
- By default turn mapping filtering on. This will require deliberate mappings to be made.
- Support regular expressions in the mappings.
- When an admin turns filtering off, give them a good warning about the potential for many groups being created when some users log on.
Comment #4
johnbarclay commented
Comment #5
johnbarclay commented
This was resolved by another issue. Filtering and mapping can be enabled independently in 7.x-2.x.
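The two behaviours discussed in this thread, side by side, as an added example (not code from the LDAP module or from any commenter): deliberate "DN|role" mappings with filtering on, versus an implied top-CN mapping with a check for collisions against roles that already exist. The function names, the EXISTING_ROLES set and the case-insensitive collision check are assumptions made for illustration; the DN split is simplified and only honours backslash-escaped commas.

```python
import re

# Constructed sample input: a few of the memberOf values quoted in the thread.
MEMBER_OF = [
    "CN=WIS,CN=Recipients,CN=Users,DC=somewhere,DC=org",
    "CN=Remote Desktop Users,CN=Builtin,DC=somewhere,DC=org",
    "CN=IS,CN=Users,DC=somewhere,DC=org",
]
# Mapping line in the "LDAP DN|Drupal role" form shown in the issue.
MAPPINGS = ["CN=IS,CN=Users,DC=somewhere,DC=org|admin"]
# Hypothetical roles already defined on the site before LDAP was enabled.
EXISTING_ROLES = {"admin", "IS"}


def top_cn(dn):
    """Return the value of the leftmost RDN if it is a CN, else None."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None


def parse_mappings(lines):
    """Parse 'DN|role' lines into a dict keyed by lower-cased DN."""
    table = {}
    for line in lines:
        dn, sep, role = line.partition("|")
        if sep and dn.strip() and role.strip():
            table[dn.strip().lower()] = role.strip()
    return table


def roles_filtered(member_of, mappings):
    """Filtering on: only groups with a deliberate mapping yield a role."""
    table = parse_mappings(mappings)
    return sorted({table[dn.lower()] for dn in member_of if dn.lower() in table})


def roles_implicit(member_of, existing_roles):
    """Implied top-CN mapping: return (roles, collisions with existing roles)."""
    roles = sorted({cn for cn in map(top_cn, member_of) if cn})
    lowered = {r.lower() for r in existing_roles}  # assumption: compare case-insensitively
    collisions = [r for r in roles if r.lower() in lowered]
    return roles, collisions
```

With filtering on, the sample user receives only the role an administrator wrote a mapping for; with the implied mapping, every group produces a role and any name that matches an existing role is reported so it can be reviewed before membership is granted.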