Hi,
I noticed that the test passed for OG authorization, but when the user actually connects, the user is not added to the group.
Digging the code in ldap_authorization.inc, I noticed line 351 that the result of $consumer->availableConsumerIDs(); is different when the consumer is role or OG.
Case of Role:
... (Array, 2 elements)
role_name (String, 18 characters ) authenticated user
administrator (String, 13 characters ) administrator
Case of OG:
... (Array, 3 elements)
0 (String, 10 characters ) node:104:7
1 (String, 10 characters ) node:104:8
2 (String, 10 characters ) node:104:9
So the generated key doesn't correspond, therefore when used in $containers_needed_lcase = array_diff($grants_lcase, $consumer_containers_existing); it returns an empty array - $grants_lcase contains data with the form node:nid:og_rid or role_name.
This bug should be in the implementation of availableConsumerIDs() - I am working on it to provide a patch (not in diff format, sorry). I will post it in here.
Comments
Comment #1
crystal_alexandre_froger CreditAttribution: crystal_alexandre_froger commentedSo the issue lies in LdapAuthorizationConsumerOG.class.php:
Comment #2
crystal_alexandre_froger CreditAttribution: crystal_alexandre_froger commentedBelow the patched function - can maybe be optimized, but works now. Comments updated as well to reflect the changes.
Note:
Comment #3
johnbarclay CreditAttribution: johnbarclay commentedThanks. Some of the changes in ldap authorization drupal roles didn't make it into og. The most recent changes had to do with keeping the role names mixed case, while the role names for comparison were lower case.
Comment #4
johnbarclay CreditAttribution: johnbarclay commentedthis just reduces to:
which is the same as in ldapAuthorizationConsumerRole.class.php
I think the thing is to get the simpletest coverage for og 2 working again and document the methods and properties in LdapAuthorizationConsumerAbstract and, at the same time, make sure they are consistent across LdapAuthorizationConsumerRole.class.php and LdapAuthorizationConsumerOG.class.php
The other thing that concerns me about og is: #1777088: LDAP Authorization: dangerous iterations using og_load_multiple & og_get_all_group()
Comment #5
crystal_alexandre_froger CreditAttribution: crystal_alexandre_froger commentedHaha, yeah... don't ask me why I made it so complex...
Well, for the other issue, this is surely a problem... I will have a look at it as well and see if I can give my 2 cents :)
Comment #6
charliekwin CreditAttribution: charliekwin commentedApologies for jumping into this thread, but I can't seem to post a new one and this seems to be at least somewhat related.
I'd like to thank both of you for the work here and on #1839144. I have the same case as crystal_alexandre_froger (Mac OSX Server's LDAP implementation) and have successfully been able to assign roles to users based on their LDAP groups.
og_group authorization has not been as successful. I've mapped the groups (I'm also using OG 2.x) and the tests show all the correct authorization IDs, however, the user is not added to the group when logging in. The small patch above didn't seem to do the trick either. Is the actual group membership assignment still forthcoming functionality? Or am I missing something more obvious?
Thanks for any help.
Comment #7
johnbarclay CreditAttribution: johnbarclay commentedI'm working on a number of ldap authorization (drupal roles and og groups) this weekend. There are some performance issues as well as need for clearer code documentation. I'll keep this thread posted.
Comment #8
charliekwin CreditAttribution: charliekwin commentedI'm sure being a module maintainer is mostly thankless work, so I just wanted to say that this module has been integral to the project I've been working on and saved me countless hours of grief. You've also done, IMHO, an exemplary job as a maintainer. Thank you!
Comment #9
johnbarclay CreditAttribution: johnbarclay commentedI wouldn't pursue this. The rewrite of ldap_authorization avoids the need for this function.
Comment #10
johnbarclay CreditAttribution: johnbarclay commentedCan you try this against the current 7.x-2.x-dev code? See http://drupal.org/node/1115704#comment-6804496
Comment #11
charliekwin CreditAttribution: charliekwin commentedI just updated to the new dev version and am not having any luck with OG authorization. Looks like the same circumstances as before -- when tested, the correct authorization IDs are returned but no memberships are granted on login. FWIW, I needed to use the hack/patch on #1839144 in order to get a list of the user's LDAP groups (though I don't think that impacts authorization). The Watchdog entry that I assume is most relevant is pasted below.
Comment #12
johnbarclay CreditAttribution: johnbarclay commentedSo its getting the mapping correct: node:693:2, node:680:2 but is failing to find these groups. This is also a flaw with the simpletests, which only user the form entity-type:node-title:role id (eg. node:students:2).
This should be easy for me to debug. Thanks.
Comment #13
johnbarclay CreditAttribution: johnbarclay commentedI couldn't reproduce this. I did add some code to 7.x-2.0-dev which shows the "normalized" mappings in parentheses. Can you:
- update to the current dev
- put one of the mappings in the form node:node title:2 such as node:students:2
- save the authorization forms
And give it a try.
Comment #14
charliekwin CreditAttribution: charliekwin commentedSuccess! New dev works as expected and grants group membership on login. A few things I found:
- Tested with the title and entity ID in the mapping. BOTH worked. However, if the title has parentheses (and possibly some other special characters -- I don't have others to test), I get a WSOD both on login and when saving the OG Authorization page.
- The Examples section didn't show the examples, just "Array." Not sure if this is happening to others or not.
- When I upgraded to the December 3rd dev version, my previous mappings for both roles and groups were still present. I expected them to have been deleted based on the notes in the issue queue. When upgrading to the Dec. 4th dev, they were empty and needed to be re-created. May have something to do with why you were unable to reproduce.
Comment #15
johnbarclay CreditAttribution: johnbarclay commentedI fixed the examples section and changed the delimiter to be "(raw: " instead of "(". So titles with other characters will be fine. Again this will require resaving mappings.
See http://drupalcode.org/project/ldap.git/commitdiff/d3ca2a3ec833f3f44bff25...
The upgrade process will have to wait for now. the mappings need to be altered manually for now.
Comment #16
johnbarclay CreditAttribution: johnbarclay commentedComment #17
johnbarclay CreditAttribution: johnbarclay commentedThis needs to be added to the update hook.
Comment #18
johnbarclay CreditAttribution: johnbarclay commentedComment #19
johnbarclay CreditAttribution: johnbarclay commentedI'm adding the update hook as a separate issue for clarity.