Despite the other errors I filed, one role did get created from a user's groups.

The problem is the role's name is the role's DN. That is too long and arcane. The CN attribute should be used instead.

Comment | File | Size | Author
#16 | ldap_integration-417900.patch | 899 bytes | chinko

Comments

miglius’s picture

Status: Active » Postponed (maintainer needs more info)
Issue tags: +ldapgroups

Strange, the role's name should not be a full DN unless the mapping for that DN is explicitly configured under "Mapping of LDAP groups to Drupal roles:". If this field is left empty, or the corresponding DN is not defined, then the regexp

298   else if (preg_match('/^[^=]+=([^,]+),.*$/', $group, $matches))

is performed to extract the group's name.

aren cambre’s picture

I think you should be using the group's CN. That would eliminate the possibility of improper matching.

I have never had anything in the "Mapping of LDAP groups to Drupal roles" field.

miglius’s picture

A group might be defined not only by CN but also as an OU=group,... The regex would match all those possibilities.

aren cambre’s picture

Status: Postponed (maintainer needs more info) » Needs review

What information may I provide to help this module boil down the DN to a user friendly group name?

miglius’s picture

What is your full group DN?

aren cambre’s picture

I'd rather not post here, so I'll send you one privately through your contact form.

aren cambre’s picture

Status: Needs review » Active

I cleared out my DB and reinstalled Drupal. I kept the files, which are the latest version of Drupal and the Mar. 30 dev version of this module.

I still get the same problem. These two errors show up in the logs:

  • Illegal offset type in isset or empty in /var/www/drupal/sites/default/modules/ldap_integration/ldapgroups.module on line 296.
  • preg_match() expects parameter 2 to be string, array given in /var/www/drupal/sites/default/modules/ldap_integration/ldapgroups.module on line 298.

I emailed you the memberOf attributes of the account I am signing in with. Only the first group makes it into a Drupal role. Also, that Drupal role's name is the first 64 characters of the group's DN. (I.e., CN=groupname,OU=division,.... up to 64 characters)

In case it matters, I am using Active Directory.

aren cambre’s picture

Title: Role names are extremely long DNs » Role names are truncated DNs instead of CNs

More precise issue title.

aren cambre’s picture

Instead of using that regexp, why not just use the CN attribute of the group?

miglius’s picture

As I mentioned in reply #3, for a group entry CN should not necessarily be in a DN. The regex is dealing with the broader case. The problem here is that an array is used where a function expects a string. This is an AD-related issue, as I cannot replicate it using OpenLDAP and I don't have AD in my possession.

I think this issue is related to #417896: "Group by attribute" causes error, and probably to #417892: ldapgroups "Group by entry" breaks when CN has commas. In all those issues AD is used, and its query result is kind of different from what I'm getting from OpenLDAP.

aren cambre’s picture

Searching through Google, I found other examples of attributes with multiple values, so it looks like this is not just an Active Directory peculiarity.

I wonder whether the regexp in #3 is "overengineered"? Regardless of how you locate the group, be it through the DN, a user attribute, or an OU containing groups, I think you should still pull the group's directory entry and use that entry's CN attribute for the Drupal role name. Otherwise you are risking inconsistencies.

miglius’s picture

Status: Active » Postponed (maintainer needs more info)

What is your ldapgroups configuration? Are you using "Groups are specified by LDAP attributes"?

aren cambre’s picture

Status: Postponed (maintainer needs more info) » Active

Under admin/settings/ldap/ldapgroups/edit/1, only Groups are specified by LDAP attributes is checked (under Group by attribute). In the Attribute names (one per line) field is memberOf.

I have nothing else selected.

chinko’s picture

I got the same problem with roles being created with truncated DN of LDAP group names.
I also got the same PHP syntax error messages as in comment #7.
Looking into ldapgroups.module, there is a trivial 'typo' in the function _ldapgroups_detect_groups():
178 $attrib_groups[] = array_merge($attrib_groups, $_ldapgroups_ldap->retrieveMultiAttribute($user->ldap_dn, $attribute));

The code merges all the LDAP group names gathered using the 3 strategies into a single array. The code re-assigns the merged array back to the original variable $attrib_groups, but it included '[]', therefore causing the $attrib_groups variable to become a two-dimensional array. This caused the syntax error messages, and hence the group-to-name mapping did not work.

The line should have been:
178 $attrib_groups = array_merge($attrib_groups, $_ldapgroups_ldap->retrieveMultiAttribute($user->ldap_dn, $attribute));

I removed the '[]' and the group-to-role mapping works perfectly.
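The difference between the two versions of that line, as an added example that is not part of the thread or the module's code. The memberOf values are constructed, and sample_retrieve_multi_attribute() and role_name_from_dn() are hypothetical stand-ins; only the regexp is the one quoted earlier in the thread.

```php
<?php
// Constructed sample: memberOf values as a directory might return them.
$member_of = array(
  'CN=Web Editors,OU=Groups,DC=example,DC=org',
  'CN=Site Admins,OU=Groups,DC=example,DC=org',
  'OU=Staff,DC=example,DC=org',
);

// Hypothetical stand-in for $_ldapgroups_ldap->retrieveMultiAttribute().
function sample_retrieve_multi_attribute(array $values) {
  return $values;
}

// Fallback regexp quoted in the thread: takes the value of the first RDN.
function role_name_from_dn($group) {
  if (!is_string($group)) {
    // A nested array reaching this point is the "array given" case from the logs.
    return NULL;
  }
  return preg_match('/^[^=]+=([^,]+),.*$/', $group, $matches) ? $matches[1] : NULL;
}

// Before: "[]" appends the merged result as ONE element, nesting the list.
$buggy = array();
$buggy[] = array_merge($buggy, sample_retrieve_multi_attribute($member_of));

// After: plain assignment keeps a flat list of DN strings.
$fixed = array();
$fixed = array_merge($fixed, sample_retrieve_multi_attribute($member_of));

// Walk both lists and show which entries can be turned into a role name.
foreach (array('buggy' => $buggy, 'fixed' => $fixed) as $label => $groups) {
  foreach ($groups as $group) {
    $shown = is_array($group) ? 'array(' . count($group) . ')' : $group;
    $role = role_name_from_dn($group);
    printf("%s: %s -> %s\n", $label, $shown, $role === NULL ? '(no role)' : $role);
  }
}
```

Checking the element type before mapping a group to a role makes a malformed list fail closed with no role assigned, rather than producing a role from unexpected data.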

Andrew Kaufmann’s picture

I applied that change and group-to-role is working for us, too.

Thanks!

chinko’s picture

Status: Active » Needs review
Attached file: new, 899 bytes

Here is a patch of the change I described in comment #14 on ldapgroups.module

miglius’s picture

Assigned: Unassigned » miglius
Status: Needs review » Fixed

This code change was already committed to CVS when fixing the #429186: unable to map AD Group to Role with Filtering, looking for support help. issue.

Status: Fixed » Closed (fixed)
Issue tags: -ldapgroups

Automatically closed -- issue fixed for 2 weeks with no activity.