Hi. I'd like to request feedback on creating a sub-module that implements a login block per LDAP server. A small use-case description and a list of issues this hopes to solve follows.
I wrote https://esci.id.ucsb.edu/. This is a drupal frontend for end-of-quarter campus course feedback. Currently it's in a limited Beta/Pilot stage and accruing a larger feature set.
We have different user roles:
- students: take surveys
- faculty: view survey stats, submit survey questions
- departmental administrators: view per College or by grants many survey results
- ESCI admins: administer departmental ESCI data and drupal webapp
Currently we hit 2 LDAP servers with custom-built code (attempting to move to LDAP 1x/2x): our departmental Apple-based LDAP, and separately a campus-based LDAP for non-"esci admin" users.
A majority of the time a user is defined with 1 single role. For instance they are a student, or a faculty member, or perhaps an ESCI admin user.
But there are a few cases where a staff/faculty member is also enrolled as an active student in course materials, pursuing a Masters degree (for instance). Such a user may be bombarded with options if the webapp grants all possible roles found from a given LDAP point, since only 1 login form is used in LDAP.
Would anyone (other than myself) entertain creating discrete ldap login blocks per endpoint? This could help fix problems where:
- More than 1 LDAP endpoint is enabled and UIDs are not unique for a user.
- You want to give a specific user a limited set of role(s), based on where they authenticated from. E.g., set up a /student/login form with ou=university,affiliation=student vs. /faculty/login with ou=university,affiliation=faculty. In this case all registered students have a foo@umail.ucsb.edu account; a faculty email would not have 'umail' in the domain. So drupal could see 2 users from 1 LDAP point.
- In general you'd be able to say "drupal login is at /user" and "LDAP login is at /SOME_ENDPOINT_TOKEN/login" as needed, making it clearer that 1 form is drupal login and another form is some LDAP server login authpoint.
I have an idea how to approach the code because I've done this myself a few times. I would like OPs and other user feedback on this idea and whether or not I'm crazy.
Comments
Comment #1
tenken commented:
As a followup. Right now in 1x/2x if you have more than 1 LDAP server defined you can only override the username field once. With more than 1 LDAP server the username may be different, e.g. campusUsername, NISTusername, ExtensionUsername (summer courses not in normal academic registry).
Comment #2
johnbarclay commented:
One way to implement this would be:
- leverage the ldap server module for the N servers.
- Submit a patch to ldap authentication to allow users or admins to specify which servers are used on which logon forms, as opposed to the round-robin approach currently in use.
- Clone and rename the ldap_authorization_drupal_role module and modify as appropriate. This way you can leverage ldap authorization module and still have the behavior you like.
One gotcha with any of this is that ldap_authentication is altering the submit/validate functions of specific logon forms. So adding additional logon forms may take some additional hook form alters. This is because of a bug in core with the validate functions of the user module.
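The per-form server mapping suggested above, combined with the role limiting the original post asks for, as an added illustration that is not code from the ldap module or from either poster. It models each login path as bound to exactly one server and one grantable role set; the directory entries, uids and passwords are constructed stand-ins, and `bind` is a placeholder for a real LDAP simple bind.

```python
from dataclasses import dataclass

# Constructed stand-ins for the two directories in the post (campus and departmental).
# Attribute values, uids and passwords are made up for the example.
DIRECTORIES = {
    "campus": {
        "alice": {"mail": "alice@umail.ucsb.edu", "affiliation": {"student"}},
        "bob":   {"mail": "bob@ucsb.edu",         "affiliation": {"faculty"}},
        "carol": {"mail": "carol@umail.ucsb.edu", "affiliation": {"faculty", "student"}},
    },
    # Same uid "alice" on the departmental server, but a different person.
    "dept": {"alice": {"mail": "alice@esci.example", "affiliation": {"staff"}}},
}
PASSWORDS = {("campus", "alice"): "a1", ("campus", "bob"): "b2",
             ("campus", "carol"): "c3", ("dept", "alice"): "d4"}

@dataclass(frozen=True)
class Endpoint:
    """One login form bound to exactly one LDAP server and one role set."""
    server: str
    affiliation: str      # value the entry must carry to use this form
    roles: frozenset      # the only drupal roles this form may grant

# Per-endpoint policy: form path -> (server, required affiliation, grantable roles).
ENDPOINTS = {
    "/student/login": Endpoint("campus", "student", frozenset({"student"})),
    "/faculty/login": Endpoint("campus", "faculty", frozenset({"faculty"})),
    "/esci/login":    Endpoint("dept",   "staff",   frozenset({"esci admin"})),
}

def bind(server, uid, password):
    """Stand-in for an LDAP simple bind; returns the entry on success, else None."""
    if PASSWORDS.get((server, uid)) != password:
        return None
    return DIRECTORIES[server].get(uid)

def authenticate(path, uid, password):
    """Bind against the form's own server and grant only that form's roles.
    The account name is namespaced by server so equal uids on two servers never
    collide; a user who is both faculty and student gets only the role of the form used.
    """
    ep = ENDPOINTS.get(path)
    if ep is None:
        return None
    entry = bind(ep.server, uid, password)
    if entry is None or ep.affiliation not in entry["affiliation"]:
        return None
    return {"account": f"{ep.server}:{uid}", "roles": set(ep.roles)}
```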
Comment #3
tenken commented:
Ok. Should I attempt this on 2.x or 1.x?
The only gotcha I have trying to implement this on 2x is I have no live LDAP server on 2x-dev that can actually bind and assign roles outside of the test scripts ...
Comment #4
larowlan commented:
No update for > 12 months, no patches - closing.