Ability to limit which LDAP Groups can Log On

yes. This funcationality is in the d7 version. ldap_authorization is the equivelent of ldap groups and ldap_authentication has white listing and black listing functionality.

I'm changing this to a documentation issue so it gets in the common use cases in the documentation.

I can think of 3 ways of doing this:

1. Have 2 ldap server instances. An ldap server instance in the ldap project is just a different configuration; they can both point to the same server. Each would have one of the base dns, but only one would have the restriction list.

2. Have 1 ldap server. Use both OU=Users,OU=Technology,dc=domain,dc=local and OU=Users,OU=Marketing,dc=domain,dc=local in the basdns. You can have as many as you like in that field separated by line returns. Then use white list or restrictions to further filter. Not sure if this will work for your case.

3. Let everyone logon, but use ldap authorization to put technology and marketing into roles. ldap authorization is much better developed for this sort of stuff. those who don't belong in any roles will be authenticated users and you can give that group no rights. this is an easier to maintain model as the site evolves and more roles come about.

Such as patch would be fine as it:
- avoids multiple server configurations
- provides a good upgrade path for ldap_integration d6.

If you can't provide the patch, can you write text of the UI?

What about simply requiring ldap_authorization module and having a checkbox in ldap authentication such as: " [x] only allow users who have role mappings in ldap authorization to authenticate via ldap " This would accomplish your needs and keep the authorization and authentication interfaces from blurring.

great. thanks. should be easy to write and get into 7.1

There are 4 ways you can help, depending on your skillset and interests:

- write the patch
- write the unit test
- add the use case to the documentation
- manually test when done.

Also I noticed this was tagged 6.x. There is no 6.x version of this project.

Thanks.

here is some psuedo code that will be useful

if ldap authorization module enabled and your checkbox checked {

list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations(username, 'query');  

loop through $new authorizations and see if user was granted any

if not, return false.

} 

it should go in the function allowUser() in LdapAuthenticationConf.Class.php.

To add the property to the UI etc., just search on ldapUserHelpLinkText in ldap_authentication. You will need to have the property in all the same locations. I would suggest naming it "excludeIfNoAuthorizations"

I started to write a patch for this. I got the UI and the variable in the classes, and ran across some chicken and egg issues. The ldap authorization wants a user object passed into _ldap_authorizations_user_authorizations() for it to work. Since ldap_authentication doesn't have a real user object yet it can't pass one in.

It looks like we can pass a fake $user std class object into _ldap_authorizations_user_authorizations() and add a new $op such as 'authentication_query' so the onlyApplyToLdapAuthenticated flag is ignored within the _ldap_authorizations_user_authorizations() function.

Attached is the patch. Hope this gets you started. If this doesn't make sense to you, let me know and I can continue on with this. I didn't commit the attached patch yet.

Yeah. We are not on the same page. I was thinking you wanted to filter who can authenticate based on drupal groups, not ldap groups. The white lists/black list thing can easily get out of hand. That is why there is room for code there and a hook.

I think denying based on drupal groups pushes alot of the complexity of whitelists and black lists into ldap authorization, where the group mapping functionality is already fairly feature rich.

Not without a fair amount of code. Looks like only username and ldap entry are available in that function. I suspose it depends on how your ldap stores group membership.

If add the code below, around line 118 of ldapauthenticationconf.class.php
print('

name'); print($name);print('ldap_user'); print_r($ldap_user); die;

you will see what is available in the code.  If you are using active directory, the code might look something like the following.  The syntax is likely off, but the idea is:

$groups = explode(',', $ldap_user['attr']['memberOf'][0]);
$ingroup =  in_array('mygroup', groups, );
return $ingroup;




I would suggest the easiest way is to have me finish the patch I suggested above and then add mappings to certain groups in ldap authorization.

Yes. Ldap authorization is used to map a users ldap properties to drupal roles, organic groups, etc. I'm not sure how ldap groups are stored in your ldap, but ldap authorization should be able to derive them. Here's where the mapping take place:

ldap_servers: mapping between drupal username and user's ldap entry
ldap_authorization: mapping between user's ldap entry and drupal roles.

In the ldap_authorization/test directory are the simpletests for ldap authorization and the fake ldap data for it. This may help illustrate things.

I think the only chicken and egg issue is in #13 above:

It looks like we can pass a fake $user std class object into _ldap_authorizations_user_authorizations() and add a new $op such as 'authentication_query' so the onlyApplyToLdapAuthenticated flag is ignored within the _ldap_authorizations_user_authorizations() function.

The complexity this adds to that function will be outweighed by the load it takes off of ldap_authentication white and black list functionality. So I think its a good thing to do.

This is in head now. I haven't got the simpletest to work, but I tested by hand. Please test it out and confirm that it works.

Where can you exclude on groups with the memberOf variable.

I should only have to allow a certain group and that is not in the user's dn string so I can't use the whitelist

use the mapping filter to allow specific groups.

Thank you for your reply

Am I correct that all the other users that try to log in should be set to a drupal user profile that can not see the site and the users that belong to that group are set to a drupal group with the correct setting so that they can see everything?

please start a support issue for this; don't add on to a "feature request"