LDAP Authorization: Consumer ids generation for OG consumer

Thanks. Some of the changes in ldap authorization drupal roles didn't make it into og. The most recent changes had to do with keeping the role names mixed case, while the role names for comparison were lower case.

this just reduces to:

  /**
   * return array with lowercase consumer ids as keys
   * and mixed case consumer ids as values
   */

  public function availableConsumerIDs($reset = FALSE) {
    if ($reset || ! is_array($this->_availableConsumerIDs)) {
      $this->refreshConsumerIDs();
    }
    return $this->_availableConsumerIDs;
  }
  

which is the same as in ldapAuthorizationConsumerRole.class.php

I think the thing is to get the simpletest coverage for og 2 working again and document the methods and properties in LdapAuthorizationConsumerAbstract and, at the same time, make sure they are consistent across LdapAuthorizationConsumerRole.class.php and LdapAuthorizationConsumerOG.class.php

The other thing that concerns me about og is: #1777088: LDAP Authorization: dangerous iterations using og_load_multiple & og_get_all_group()

Apologies for jumping into this thread, but I can't seem to post a new one and this seems to be at least somewhat related.

I'd like to thank both of you for the work here and on #1839144. I have the same case as crystal_alexandre_froger (Mac OSX Server's LDAP implementation) and have successfully been able to assign roles to users based on their LDAP groups.

og_group authorization has not been as successful. I've mapped the groups (I'm also using OG 2.x) and the tests show all the correct authorization IDs, however, the user is not added to the group when logging in. The small patch above didn't seem to do the trick either. Is the actual group membership assignment still forthcoming functionality? Or am I missing something more obvious?

Thanks for any help.

I'm working on a number of ldap authorization (drupal roles and og groups) this weekend. There are some performance issues as well as need for clearer code documentation. I'll keep this thread posted.

I'm sure being a module maintainer is mostly thankless work, so I just wanted to say that this module has been integral to the project I've been working on and saved me countless hours of grief. You've also done, IMHO, an exemplary job as a maintainer. Thank you!

I wouldn't pursue this. The rewrite of ldap_authorization avoids the need for this function.

Can you try this against the current 7.x-2.x-dev code? See http://drupal.org/node/1115704#comment-6804496

I just updated to the new dev version and am not having any luck with OG authorization. Looks like the same circumstances as before -- when tested, the correct authorization IDs are returned but no memberships are granted on login. FWIW, I needed to use the hack/patch on #1839144 in order to get a list of the user's LDAP groups (though I don't think that impacts authorization). The Watchdog entry that I assume is most relevant is pasted below.

testuser : user_authorizations_set results for og_group:
1. Initial existing authorizations:
1. Filtered Authorizations: node:693:2, node:680:2
2. After filtering off previously granted authorizations: node:693:2, node:680:2
3. All available existing authorization ids: none
4. authorization ids that need to be created: node:693:2, node:680:2
5. consumer containers existing after create call (or non-call if og):
6a. consumer_containers_existing: none
6b. grants_pre_intersect: none
6c. grants_post_intersect: none
7. revokes passed to authorizationRevoke(): none
8. user auth data after save for og_group: Array ( )
9. user->data[ldap_authorizations] after save:
Array
(
    [ldap_user] => Array
        (
            [init] => Array
                (
                    [sid] => my_company_name
                    [dn] => uid=testuser,cn=users,dc=server,dc=mydomain,dc=net
                    [mail] => testuser@domain.com
                )

        )

    [ldap_authorizations] => Array
        (
            [og_group] => Array
                (
                )

        )

)

So its getting the mapping correct: node:693:2, node:680:2 but is failing to find these groups. This is also a flaw with the simpletests, which only user the form entity-type:node-title:role id (eg. node:students:2).

This should be easy for me to debug. Thanks.

I couldn't reproduce this. I did add some code to 7.x-2.0-dev which shows the "normalized" mappings in parentheses. Can you:
- update to the current dev
- put one of the mappings in the form node:node title:2 such as node:students:2
- save the authorization forms

And give it a try.

Success! New dev works as expected and grants group membership on login. A few things I found:

- Tested with the title and entity ID in the mapping. BOTH worked. However, if the title has parentheses (and possibly some other special characters -- I don't have others to test), I get a WSOD both on login and when saving the OG Authorization page.

- The Examples section didn't show the examples, just "Array." Not sure if this is happening to others or not.

- When I upgraded to the December 3rd dev version, my previous mappings for both roles and groups were still present. I expected them to have been deleted based on the notes in the issue queue. When upgrading to the Dec. 4th dev, they were empty and needed to be re-created. May have something to do with why you were unable to reproduce.

I fixed the examples section and changed the delimiter to be "(raw: " instead of "(". So titles with other characters will be fine. Again this will require resaving mappings.

See http://drupalcode.org/project/ldap.git/commitdiff/d3ca2a3ec833f3f44bff25...

The upgrade process will have to wait for now. the mappings need to be altered manually for now.

This needs to be added to the update hook.

I'm adding the update hook as a separate issue for clarity.