Index: ldapgroups.admin.inc
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/ldap_integration/ldapgroups.admin.inc,v
retrieving revision 1.11
diff -u -p -r1.11 ldapgroups.admin.inc
--- ldapgroups.admin.inc 4 May 2009 00:26:17 -0000 1.11
+++ ldapgroups.admin.inc 19 Aug 2009 20:04:28 -0000
@@ -197,7 +197,7 @@ function ldapgroups_admin_edit(&$form_st
'#default_value' => $edit['ldapgroups_filter_php'],
'#cols' => 25,
'#rows' => 5,
- '#description' => t('Enter PHP to filter LDAP groups. Careful, bad PHP code here will break your site. If left empty, no filtering will be done. The groups array $groups is available in the code context. It should return a filtered $groups array as in example below. The code is evaluated before the above mapping is applied.
$groups = array_filter($groups, create_function(\'$a\', \'return preg_match(\\\'/Staff/\\\', $a);\'));
return $groups;'),
+ '#description' => t('Enter PHP to filter LDAP groups. PHP module must be enabled to use this. Do not include opening and closing <?php ?> tags. Careful, bad PHP code here will break your site. If left empty, no filtering will be done. The groups array is available as the global variable $groups in the code context. The code does not need to return the $groups variable as its a global variable. The code is evaluated before the above "Mapping of LDAP groups to Drupal roles" is applied.
$groups = array_filter($groups, create_function(\'$a\', \'return preg_match(\\\'/Staff/\\\', $a);\'));
return $groups;'),
);
$form['sid'] = array(
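Review bot: The new `'#description'` tells the administrator the groups are exposed as the global variable `$groups` and need not be returned, but the filter code this same patch adds in ldapgroups.inc publishes them as `global $ldap_groups` and reads `$ldap_groups` back afterwards, so a snippet written to this description would never change the result. The example under the text is also still the old eval-era contract: it ends with `return $groups;` and builds its callback with `create_function`, which contradicts the sentence just above it. Either rename the global in ldapgroups.inc to match this text, or change the text and example here to something like `global $ldap_groups; $ldap_groups = array_filter($ldap_groups, ...);` with no `return`. This `'#description'` sits inside `ldapgroups_admin_edit`, whose body starts and ends outside the hunk.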
@@ -266,6 +266,23 @@ function ldapgroups_admin_edit_validate(
if (trim($line))
$form_state['ldapgroups_groups'][] = trim($line);
$form_state['ldapgroups_groups'] = !empty($form_state['ldapgroups_groups']) ? serialize($form_state['ldapgroups_groups']) : '';
+
+
+ if ($values['ldapgroups_filter_php'] && (! module_exists('php') ) ) {
+ form_set_error('ldapgroups_filter_php', t('PHP execution is not enabled so ldap groups filters cannot be applied. Please remove PHP filter code or enable the php module.'));
+ }
+
+ if ( strpos($values['ldapgroups_filter_php'],'')) {
+ form_set_error('ldapgroups_filter_php', t('"PHP to filter roles by" should not have opening or closing <?php ?> tags. '));
+
+ }
+
+ if (strpos($values['ldapgroups_filter_php'],'$groups') === FALSE ) {
+ form_set_error('ldapgroups_filter_php', t('"$groups" was not found in your entry. "PHP to filter roles by" should alter the variable $groups.'));
+
+ }
+
+
break;
}
}
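Review bot: The tag check `if ( strpos($values['ldapgroups_filter_php'],'')) {` searches for an empty needle, which in PHP 5 emits a warning and returns FALSE (PHP 8 returns 0, also falsy), so the "no `<?php ?>` tags" error can never be raised; it should look for the actual tag text and compare with `!== FALSE`, since a tag at offset 0 is falsy too. The `$groups` check on the next block also runs when the field is empty, although the description promises that an empty field means no filtering, so every administrator who leaves the filter blank now gets a validation error; all three checks should be wrapped in a non-empty guard. `ldapgroups_admin_edit_validate` starts outside the hunk. A guarded rewrite of the added block:

```php
    // … unchanged: ldapgroups_groups line parsing and serialize …
    $code = trim($values['ldapgroups_filter_php']);
    if ($code !== '') {
      if (!module_exists('php')) {
        form_set_error('ldapgroups_filter_php', t('PHP execution is not enabled so ldap groups filters cannot be applied. Please remove PHP filter code or enable the php module.'));
      }
      if (strpos($code, '<?') !== FALSE || strpos($code, '?>') !== FALSE) {
        form_set_error('ldapgroups_filter_php', t('"PHP to filter roles by" should not have opening or closing <?php ?> tags. '));
      }
      if (strpos($code, '$groups') === FALSE) {
        form_set_error('ldapgroups_filter_php', t('"$groups" was not found in your entry. "PHP to filter roles by" should alter the variable $groups.'));
      }
    }
    break;
```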
Index: ldapgroups.inc
===================================================================
RCS file: ldapgroups.inc
diff -N ldapgroups.inc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ ldapgroups.inc 19 Aug 2009 20:02:27 -0000
@@ -0,0 +1,328 @@
+name);
+ if (!isset($authmap['ldapauth'])) {
+ // This user is not authenticated via lapauth.
+ return;
+ }
+
+ // Setup the global $_ldapgroups_ldap object.
+ if (!_ldapgroups_ldap_init($account))
+ return;
+
+ // First, we figure out the appropriate groups.
+ $groups = _ldapgroups_detect_groups($account);
+
+ // Apply groups restrictions.
+ if (count($groups_allow = _ldapgroups_ldap_info($account, 'ldapgroups_groups')) > 0 && count(array_intersect($groups, $groups_allow)) == 0) {
+ $account = user_load(0);
+ return;
+ }
+
+ // Then, we take every mapped role from the user, later below
+ // we'll grant back those deserved.
+ $account->ldap_drupal_roles = isset($account->ldap_drupal_roles) ? $account->ldap_drupal_roles : array();
+ foreach ($account->ldap_drupal_roles as $role) {
+ _ldapgroups_deny_role($account, $role);
+ }
+
+ // Are there LDAP groups for the user?
+ if ($groups === FALSE)
+ return TRUE;
+
+ // Next, we apply site-specific rules.
+ $groups = _ldapgroups_filter($account, $groups);
+
+
+ // At this point, the roles are in the full DN format.
+ $roles = array();
+ if (!empty($groups)) {
+ $ldapgroups_mappings = _ldapgroups_ldap_info($account, 'ldapgroups_mappings');
+ foreach ($groups as $group) {
+ $role = _ldapgroups_mapping($account, $group, $ldapgroups_mappings);
+ _ldapgroups_create_role($role);
+ _ldapgroups_grant_role($account, $role);
+ $roles[] = $role;
+ }
+ }
+
+ // Store roles in the user object so we know which ones
+ // were granted here.
+ user_save($account, array('ldap_drupal_roles' => $roles));
+}
+
+//////////////////////////////////////////////////////////////////////////////
+// Auxiliary functions
+
+/**
+ * Detect user groups from the LDAP.
+ *
+ * @param $user
+ * A user object.
+ *
+ * @return
+ * An array of user groups.
+ */
+function _ldapgroups_detect_groups($user) {
+ global $_ldapgroups_ldap;
+
+ // Nothing to do if the user is not LDAP authentified
+ // or there are no groups configured.
+ if (!(_ldapgroups_ldap_info($user, 'ldapgroups_in_dn') || _ldapgroups_ldap_info($user, 'ldapgroups_in_attr') || _ldapgroups_ldap_info($user, 'ldapgroups_as_entries')))
+ return FALSE;
+
+ // First try to connect with the stored user's DN and password.
+ // If unsuccessful, connect with the BINDDN and BINDPW stored in the database for this config.
+ $dn = isset($_SESSION['ldap_login']['dn']) ? $_SESSION['ldap_login']['dn'] : '';
+ $pass = isset($_SESSION['ldap_login']['pass']) ? $_SESSION['ldap_login']['pass'] : '';
+
+ // If I try to connect using a blank dn and pass, I dont get an error until ldap_read,
+ // so I just check to see if they would be blank, based on ldap_forget_passwords, and
+ // make it read from the database.
+ if (LDAPAUTH_FORGET_PASSWORDS || !$_ldapgroups_ldap->connect($dn, $pass)) {
+ $row2 = db_fetch_object(db_query("SELECT binddn, bindpw FROM {ldapauth} WHERE sid = %d", $_ldapgroups_ldap->getOption('sid')));
+ $dn = $row2->binddn;
+ $pass = $row2->bindpw;
+ if (!$_ldapgroups_ldap->connect($dn, $pass)) {
+ watchdog('ldapgroups', "User login: user %name data could not be read in the LDAP directory", array('%name' => $user->name), WATCHDOG_WARNING);
+ return FALSE;
+ }
+ }
+
+ // Strategy 1: group extracted from user's DN.
+ $dn_groups = array();
+ if (_ldapgroups_ldap_info($user, 'ldapgroups_in_dn')) {
+ $pairs = explode(',', $user->ldap_dn);
+ foreach ($pairs as $p) {
+ $pair = explode('=', $p);
+ if (drupal_strtolower(trim($pair[0])) == drupal_strtolower(_ldapgroups_ldap_info($user, 'ldapgroups_dn_attribute')))
+ $dn_groups[] = trim($pair[1]);
+ }
+ }
+
+ // Strategy 2: groups in user attributes.
+ $attrib_groups = array();
+ if (_ldapgroups_ldap_info($user, 'ldapgroups_in_attr')) {
+ foreach (_ldapgroups_ldap_info($user, 'ldapgroups_attr') as $attribute)
+ $attrib_groups = array_merge($attrib_groups, $_ldapgroups_ldap->retrieveMultiAttribute($user->ldap_dn, $attribute));
+ }
+
+ // Strategy 3: groups as entries.
+ $entries_groups = array();
+ $ldapgroups_entries_attribute = _ldapgroups_ldap_info($user, 'ldapgroups_entries_attribute');
+ if (_ldapgroups_ldap_info($user, 'ldapgroups_as_entries')) {
+ foreach (_ldapgroups_ldap_info($user, 'ldapgroups_entries') as $branch) {
+ $entries = $_ldapgroups_ldap->search($branch, $ldapgroups_entries_attribute .'='. $user->ldap_dn, array($ldapgroups_entries_attribute));
+ if (empty($entries) || $entries['count'] == 0)
+ $entries = $_ldapgroups_ldap->search($branch, $ldapgroups_entries_attribute .'='. $user->name, array($ldapgroups_entries_attribute));
+ foreach ($entries as $entry) {
+ if (isset($entry['dn']))
+ $entries_groups[] = $entry['dn'];
+ }
+ }
+ }
+
+ $_ldapgroups_ldap->disconnect();
+ return array_unique(array_merge($dn_groups, $attrib_groups, $entries_groups));
+}
+
+/**
+ * Grant a user with a role.
+ *
+ * @param $user
+ * A user object.
+ * @param $rolename
+ * A name of the role.
+ *
+ * @return
+ */
+function _ldapgroups_grant_role($user, $rolename) {
+ $result = db_query("SELECT * FROM {role} WHERE name = '%s'", $rolename);
+ if ($row = db_fetch_object($result)) {
+ $result = db_query("SELECT * FROM {users_roles} WHERE uid = %d AND rid = %d", $user->uid, $row->rid);
+ if (!db_fetch_object($result)) {
+ db_query("INSERT INTO {users_roles} (uid, rid) VALUES (%d, %d)", $user->uid, $row->rid);
+ }
+ }
+}
+
+/**
+ * Deny a user with a role.
+ *
+ * @param $user
+ * A user object.
+ * @param $rolename
+ * A name of the role.
+ *
+ * @return
+ */
+function _ldapgroups_deny_role($user, $rolename) {
+ $result = db_query("SELECT * FROM {role} WHERE name = '%s'", $rolename);
+ if ($row = db_fetch_object($result)) {
+ $result = db_query("SELECT * FROM {users_roles} WHERE uid = %d AND rid = %d", $user->uid, $row->rid);
+ if (db_fetch_object($result)) {
+ db_query("DELETE FROM {users_roles} WHERE uid = %d AND rid = %d", $user->uid, $row->rid);
+ }
+ }
+}
+
+/**
+ * Create a new role.
+ *
+ * @param $rolename
+ * A name of the role.
+ *
+ * @return
+ */
+function _ldapgroups_create_role($rolename) {
+ $result = db_query("SELECT * FROM {role} WHERE name = '%s'", $rolename);
+ if (!($row = db_fetch_object($result)))
+ db_query("INSERT INTO {role} (name) VALUES ('%s')", $rolename);
+}
+
+/**
+ * Filters groups only to a explicitely defined groups.
+ *
+ * @param $groups
+ * An array of the LDAP groups.
+ *
+ * @return
+ * An array of the filtered groups.
+ */
+function _ldapgroups_filter($account, $groups) {
+ if (_ldapgroups_ldap_info($account, 'ldapgroups_mappings_filter') && count(_ldapgroups_ldap_info($account, 'ldapgroups_mappings') > 0)) {
+ $groups_new = array();
+ foreach ($groups as $group) {
+ foreach (_ldapgroups_ldap_info($account, 'ldapgroups_mappings') as $group_approved => $role) {
+ if (strcasecmp($group_approved, $group) == 0)
+ $groups_new[] = $group;
+ }
+ }
+ $groups = $groups_new;
+ }
+
+ if ($code = _ldapgroups_ldap_info($account, 'ldapgroups_filter_php')) {
+ global $ldap_groups;
+ if (module_exists('php')) {
+ $ldap_groups = $groups;
+ $code = '';
+ php_filter('process', 0, -1, $code );
+ } else {
+ // if not enabled most secure response is to give warning, but allow no groups to pass through filter.
+ drupal_set_message(t('PHP execution is not enabled so ldap groups filters cannot be applied. Please remove PHP filter code or enable the php module.'),'error');
+ $ldap_groups = array();
+ }
+ $groups = $ldap_groups;
+ }
+
+ return $groups;
+}
+
+/**
+ * Maps LDAP group name to a Drupal role.
+ *
+ * @param $user
+ * A user object.
+ * @param $group
+ * A LDAP group name.
+ *
+ * @return
+ * An Drupal role.
+ */
+function _ldapgroups_mapping($user, $group, $ldapgroups_mappings) {
+ if (isset($ldapgroups_mappings[$group]))
+ return $ldapgroups_mappings[$group];
+ else if (preg_match('/^[^=]+=([^,]+),.*$/', $group, $matches))
+ return $matches[1];
+ else
+ return $group;
+}
+
+/**
+ * Initiates the LDAPInterfase class.
+ *
+ * @param $sid
+ * A server ID or user object.
+ *
+ * @return
+ */
+function _ldapgroups_ldap_init($sid) {
+ global $_ldapgroups_ldap;
+
+ if (!($sid = is_object($sid) ? (isset($sid->ldap_config) ? $sid->ldap_config : NULL) : $sid))
+ return;
+
+ static $servers = array();
+ if (!isset($servers[$sid]))
+ $servers[$sid] = db_fetch_object(db_query("SELECT * FROM {ldapauth} WHERE status = 1 AND sid = %d", $sid));
+
+ if ($servers[$sid]) {
+ $_ldapgroups_ldap = new LDAPInterface();
+ $_ldapgroups_ldap->setOption('sid', $sid);
+ $_ldapgroups_ldap->setOption('name', $servers[$sid]->name);
+ $_ldapgroups_ldap->setOption('server', $servers[$sid]->server);
+ $_ldapgroups_ldap->setOption('port', $servers[$sid]->port);
+ $_ldapgroups_ldap->setOption('tls', $servers[$sid]->tls);
+ $_ldapgroups_ldap->setOption('encrypted', $servers[$sid]->encrypted);
+ $_ldapgroups_ldap->setOption('basedn', $servers[$sid]->basedn);
+ $_ldapgroups_ldap->setOption('user_attr', $servers[$sid]->user_attr);
+ return $_ldapgroups_ldap;
+ }
+}
+
+/**
+ * Retrieve the saved ldapgroups saved setting.
+ *
+ * @param $sid
+ * A server ID or user object.
+ * @param $req
+ * An attribute name.
+ *
+ * @return
+ * The attribute value.
+ */
+function _ldapgroups_ldap_info($sid, $req) {
+ if (!($sid = is_object($sid) ? (isset($sid->ldap_config) ? $sid->ldap_config : NULL) : $sid))
+ return;
+
+ static $servers = array();
+ if (!isset($servers[$sid]))
+ $servers[$sid] = db_fetch_object(db_query("SELECT * FROM {ldapauth} WHERE sid = %d", $sid));
+
+ switch ($req) {
+ case 'ldapgroups_in_dn':
+ return $servers[$sid]->ldapgroups_in_dn;
+ case 'ldapgroups_dn_attribute':
+ return !empty($servers[$sid]->ldapgroups_dn_attribute) ? $servers[$sid]->ldapgroups_dn_attribute : LDAPGROUPS_DEFAULT_DN_ATTRIBUTE;
+ case 'ldapgroups_in_attr':
+ return $servers[$sid]->ldapgroups_in_attr;
+ case 'ldapgroups_attr':
+ return !empty($servers[$sid]->ldapgroups_attr) ? unserialize($servers[$sid]->ldapgroups_attr) : array();
+ case 'ldapgroups_as_entries':
+ return $servers[$sid]->ldapgroups_as_entries;
+ case 'ldapgroups_entries':
+ return !empty($servers[$sid]->ldapgroups_entries) ? unserialize($servers[$sid]->ldapgroups_entries) : array();
+ case 'ldapgroups_entries_attribute':
+ return !empty($servers[$sid]->ldapgroups_entries_attribute) ? $servers[$sid]->ldapgroups_entries_attribute : LDAPGROUPS_DEFAULT_ENTRIES_ATTRIBUTE;
+ case 'ldapgroups_mappings':
+ return !empty($servers[$sid]->ldapgroups_mappings) ? unserialize($servers[$sid]->ldapgroups_mappings) : array();
+ case 'ldapgroups_mappings_filter':
+ return $servers[$sid]->ldapgroups_mappings_filter;
+ case 'ldapgroups_filter_php':
+ return $servers[$sid]->ldapgroups_filter_php;
+ case 'ldapgroups_groups':
+ return !empty($servers[$sid]->ldapgroups_groups) ? unserialize($servers[$sid]->ldapgroups_groups) : array();
+ }
+}
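Review bot: The PHP filter is never executed in `_ldapgroups_filter`: `$code = '';` on the line directly before `php_filter('process', 0, -1, $code );` discards the configured code, so `$ldap_groups` keeps the unfiltered `$groups` and every LDAP group proceeds to role creation and granting — the filter silently fails open, the opposite of the module-missing branch, which deliberately passes no groups. Delete that assignment. If `php_filter()` delegates to `php_eval()` as in core, the snippet runs inside that function's own scope and its return value is captured as output rather than as the array, so the snippet must declare `global $ldap_groups;` itself — worth stating in the form description and checking in validation, which is not done in this patch. Separately, `count(_ldapgroups_ldap_info($account, 'ldapgroups_mappings') > 0)` has the `> 0` inside `count()`, so it counts a boolean and is always non-zero; it should read `count(_ldapgroups_ldap_info($account, 'ldapgroups_mappings')) > 0`. The hunk begins at `name);`, so the start of the file and of the enclosing `ldapgroups_user_login` definition are not shown here.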
Index: ldapgroups.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/ldap_integration/ldapgroups.module,v
retrieving revision 1.39
diff -u -p -r1.39 ldapgroups.module
--- ldapgroups.module 28 Jul 2009 14:03:05 -0000 1.39
+++ ldapgroups.module 19 Aug 2009 19:50:47 -0000
@@ -3,9 +3,8 @@
/**
* @file
- * ldapgroups integrates ldap groups with drupal roles.
+ * ldapgroups maps ldap groups and user attributes to drupal roles.
*/
-
//////////////////////////////////////////////////////////////////////////////
define('LDAPGROUPS_DEFAULT_DN_ATTRIBUTE', 'ou');
@@ -15,13 +14,6 @@ define('LDAPGROUPS_DEFAULT_ENTRIES_ATTRI
// Core API hooks
/**
- * Implements hook_init().
- */
-function ldapgroups_init() {
- require_once(drupal_get_path('module', 'ldapgroups') .'/includes/LDAPInterface.inc');
-}
-
-/**
* Implementation of hook_menu().
*/
function ldapgroups_menu() {
@@ -60,319 +52,11 @@ function ldapgroups_menu() {
function ldapgroups_user($op, &$edit, &$account, $category = NULL) {
switch ($op) {
case 'login':
+ require_once(drupal_get_path('module', 'ldapgroups') .'/includes/LDAPInterface.inc');
+ require_once(drupal_get_path('module', 'ldapgroups') .'/ldapgroups.inc');
ldapgroups_user_login($account);
break;
}
}
-//////////////////////////////////////////////////////////////////////////////
-// hook_user() functions
-
-/**
- * Implements hook_user() login operation.
- */
-function ldapgroups_user_login(&$account) {
- $authmap = user_get_authmaps($account->name);
- if (!isset($authmap['ldapauth'])) {
- // This user is not authenticated via lapauth.
- return;
- }
-
- // Setup the global $_ldapgroups_ldap object.
- if (!_ldapgroups_ldap_init($account))
- return;
-
- // First, we figure out the appropriate groups.
- $groups = _ldapgroups_detect_groups($account);
-
- // Apply groups restrictions.
- if (count($groups_allow = _ldapgroups_ldap_info($account, 'ldapgroups_groups')) > 0 && count(array_intersect($groups, $groups_allow)) == 0) {
- $account = user_load(0);
- return;
- }
-
- // Then, we take every mapped role from the user, later below
- // we'll grant back those deserved.
- $account->ldap_drupal_roles = isset($account->ldap_drupal_roles) ? $account->ldap_drupal_roles : array();
- foreach ($account->ldap_drupal_roles as $role) {
- _ldapgroups_deny_role($account, $role);
- }
-
- // Are there LDAP groups for the user?
- if ($groups === FALSE)
- return TRUE;
-
- // Next, we apply site-specific rules.
- $groups = _ldapgroups_filter($account, $groups);
-
- // At this point, the roles are in the full DN format.
- $roles = array();
- if (!empty($groups)) {
- $ldapgroups_mappings = _ldapgroups_ldap_info($account, 'ldapgroups_mappings');
- foreach ($groups as $group) {
- $role = _ldapgroups_mapping($account, $group);
- _ldapgroups_create_role($role);
- _ldapgroups_grant_role($account, $role);
- $roles[] = $role;
- }
- }
-
- // Store roles in the user object so we know which ones
- // were granted here.
- user_save($account, array('ldap_drupal_roles' => $roles));
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// Auxiliary functions
-
-/**
- * Detect user groups from the LDAP.
- *
- * @param $user
- * A user object.
- *
- * @return
- * An array of user groups.
- */
-function _ldapgroups_detect_groups($user) {
- global $_ldapgroups_ldap;
-
- // Nothing to do if the user is not LDAP authentified
- // or there are no groups configured.
- if (!(_ldapgroups_ldap_info($user, 'ldapgroups_in_dn') || _ldapgroups_ldap_info($user, 'ldapgroups_in_attr') || _ldapgroups_ldap_info($user, 'ldapgroups_as_entries')))
- return FALSE;
-
- // First try to connect with the stored user's DN and password.
- // If unsuccessful, connect with the BINDDN and BINDPW stored in the database for this config.
- $dn = isset($_SESSION['ldap_login']['dn']) ? $_SESSION['ldap_login']['dn'] : '';
- $pass = isset($_SESSION['ldap_login']['pass']) ? $_SESSION['ldap_login']['pass'] : '';
-
- // If I try to connect using a blank dn and pass, I dont get an error until ldap_read,
- // so I just check to see if they would be blank, based on ldap_forget_passwords, and
- // make it read from the database.
- if (LDAPAUTH_FORGET_PASSWORDS || !$_ldapgroups_ldap->connect($dn, $pass)) {
- $row2 = db_fetch_object(db_query("SELECT binddn, bindpw FROM {ldapauth} WHERE sid = %d", $_ldapgroups_ldap->getOption('sid')));
- $dn = $row2->binddn;
- $pass = $row2->bindpw;
- if (!$_ldapgroups_ldap->connect($dn, $pass)) {
- watchdog('ldapgroups', "User login: user %name data could not be read in the LDAP directory", array('%name' => $user->name), WATCHDOG_WARNING);
- return FALSE;
- }
- }
-
- // Strategy 1: group extracted from user's DN.
- $dn_groups = array();
- if (_ldapgroups_ldap_info($user, 'ldapgroups_in_dn')) {
- $pairs = explode(',', $user->ldap_dn);
- foreach ($pairs as $p) {
- $pair = explode('=', $p);
- if (drupal_strtolower(trim($pair[0])) == drupal_strtolower(_ldapgroups_ldap_info($user, 'ldapgroups_dn_attribute')))
- $dn_groups[] = trim($pair[1]);
- }
- }
-
- // Strategy 2: groups in user attributes.
- $attrib_groups = array();
- if (_ldapgroups_ldap_info($user, 'ldapgroups_in_attr')) {
- foreach (_ldapgroups_ldap_info($user, 'ldapgroups_attr') as $attribute)
- $attrib_groups = array_merge($attrib_groups, $_ldapgroups_ldap->retrieveMultiAttribute($user->ldap_dn, $attribute));
- }
-
- // Strategy 3: groups as entries.
- $entries_groups = array();
- $ldapgroups_entries_attribute = _ldapgroups_ldap_info($user, 'ldapgroups_entries_attribute');
- if (_ldapgroups_ldap_info($user, 'ldapgroups_as_entries')) {
- foreach (_ldapgroups_ldap_info($user, 'ldapgroups_entries') as $branch) {
- $entries = $_ldapgroups_ldap->search($branch, $ldapgroups_entries_attribute .'='. $user->ldap_dn, array($ldapgroups_entries_attribute));
- if (empty($entries) || $entries['count'] == 0)
- $entries = $_ldapgroups_ldap->search($branch, $ldapgroups_entries_attribute .'='. $user->name, array($ldapgroups_entries_attribute));
- foreach ($entries as $entry) {
- if (isset($entry['dn']))
- $entries_groups[] = $entry['dn'];
- }
- }
- }
-
- $_ldapgroups_ldap->disconnect();
- return array_unique(array_merge($dn_groups, $attrib_groups, $entries_groups));
-}
-
-/**
- * Grant a user with a role.
- *
- * @param $user
- * A user object.
- * @param $rolename
- * A name of the role.
- *
- * @return
- */
-function _ldapgroups_grant_role($user, $rolename) {
- $result = db_query("SELECT * FROM {role} WHERE name = '%s'", $rolename);
- if ($row = db_fetch_object($result)) {
- $result = db_query("SELECT * FROM {users_roles} WHERE uid = %d AND rid = %d", $user->uid, $row->rid);
- if (!db_fetch_object($result)) {
- db_query("INSERT INTO {users_roles} (uid, rid) VALUES (%d, %d)", $user->uid, $row->rid);
- }
- }
-}
-
-/**
- * Deny a user with a role.
- *
- * @param $user
- * A user object.
- * @param $rolename
- * A name of the role.
- *
- * @return
- */
-function _ldapgroups_deny_role($user, $rolename) {
- $result = db_query("SELECT * FROM {role} WHERE name = '%s'", $rolename);
- if ($row = db_fetch_object($result)) {
- $result = db_query("SELECT * FROM {users_roles} WHERE uid = %d AND rid = %d", $user->uid, $row->rid);
- if (db_fetch_object($result)) {
- db_query("DELETE FROM {users_roles} WHERE uid = %d AND rid = %d", $user->uid, $row->rid);
- }
- }
-}
-
-/**
- * Create a new role.
- *
- * @param $rolename
- * A name of the role.
- *
- * @return
- */
-function _ldapgroups_create_role($rolename) {
- $result = db_query("SELECT * FROM {role} WHERE name = '%s'", $rolename);
- if (!($row = db_fetch_object($result)))
- db_query("INSERT INTO {role} (name) VALUES ('%s')", $rolename);
-}
-
-/**
- * Filters groups only to a explicitely defined groups.
- *
- * @param $groups
- * An array of the LDAP groups.
- *
- * @return
- * An array of the filtered groups.
- */
-function _ldapgroups_filter($account, $groups) {
- if (_ldapgroups_ldap_info($account, 'ldapgroups_mappings_filter') && count(_ldapgroups_ldap_info($account, 'ldapgroups_mappings') > 0)) {
- $groups_new = array();
- foreach ($groups as $group) {
- foreach (_ldapgroups_ldap_info($account, 'ldapgroups_mappings') as $group_approved => $role) {
- if (strcasecmp($group_approved, $group) == 0)
- $groups_new[] = $group;
- }
- }
- $groups = $groups_new;
- }
-
- if ($code = _ldapgroups_ldap_info($account, 'ldapgroups_filter_php'))
- $groups = eval($code);
-
- return $groups;
-}
-
-/**
- * Maps LDAP group name to a Drupal role.
- *
- * @param $user
- * A user object.
- * @param $group
- * A LDAP group name.
- *
- * @return
- * An Drupal role.
- */
-function _ldapgroups_mapping($user, $group) {
- $ldapgroups_mappings = _ldapgroups_ldap_info($user, 'ldapgroups_mappings');
- if (isset($ldapgroups_mappings[$group]))
- return $ldapgroups_mappings[$group];
- else if (preg_match('/^[^=]+=([^,]+),.*$/', $group, $matches))
- return $matches[1];
- else
- return $group;
-}
-
-/**
- * Initiates the LDAPInterfase class.
- *
- * @param $sid
- * A server ID or user object.
- *
- * @return
- */
-function _ldapgroups_ldap_init($sid) {
- global $_ldapgroups_ldap;
-
- if (!($sid = is_object($sid) ? (isset($sid->ldap_config) ? $sid->ldap_config : NULL) : $sid))
- return;
-
- static $servers = array();
- if (!isset($servers[$sid]))
- $servers[$sid] = db_fetch_object(db_query("SELECT * FROM {ldapauth} WHERE status = 1 AND sid = %d", $sid));
-
- if ($servers[$sid]) {
- $_ldapgroups_ldap = new LDAPInterface();
- $_ldapgroups_ldap->setOption('sid', $sid);
- $_ldapgroups_ldap->setOption('name', $servers[$sid]->name);
- $_ldapgroups_ldap->setOption('server', $servers[$sid]->server);
- $_ldapgroups_ldap->setOption('port', $servers[$sid]->port);
- $_ldapgroups_ldap->setOption('tls', $servers[$sid]->tls);
- $_ldapgroups_ldap->setOption('encrypted', $servers[$sid]->encrypted);
- $_ldapgroups_ldap->setOption('basedn', $servers[$sid]->basedn);
- $_ldapgroups_ldap->setOption('user_attr', $servers[$sid]->user_attr);
- return $_ldapgroups_ldap;
- }
-}
-
-/**
- * Retrieve the saved ldapgroups saved setting.
- *
- * @param $sid
- * A server ID or user object.
- * @param $req
- * An attribute name.
- *
- * @return
- * The attribute value.
- */
-function _ldapgroups_ldap_info($sid, $req) {
- if (!($sid = is_object($sid) ? (isset($sid->ldap_config) ? $sid->ldap_config : NULL) : $sid))
- return;
-
- static $servers = array();
- if (!isset($servers[$sid]))
- $servers[$sid] = db_fetch_object(db_query("SELECT * FROM {ldapauth} WHERE sid = %d", $sid));
-
- switch ($req) {
- case 'ldapgroups_in_dn':
- return $servers[$sid]->ldapgroups_in_dn;
- case 'ldapgroups_dn_attribute':
- return !empty($servers[$sid]->ldapgroups_dn_attribute) ? $servers[$sid]->ldapgroups_dn_attribute : LDAPGROUPS_DEFAULT_DN_ATTRIBUTE;
- case 'ldapgroups_in_attr':
- return $servers[$sid]->ldapgroups_in_attr;
- case 'ldapgroups_attr':
- return !empty($servers[$sid]->ldapgroups_attr) ? unserialize($servers[$sid]->ldapgroups_attr) : array();
- case 'ldapgroups_as_entries':
- return $servers[$sid]->ldapgroups_as_entries;
- case 'ldapgroups_entries':
- return !empty($servers[$sid]->ldapgroups_entries) ? unserialize($servers[$sid]->ldapgroups_entries) : array();
- case 'ldapgroups_entries_attribute':
- return !empty($servers[$sid]->ldapgroups_entries_attribute) ? $servers[$sid]->ldapgroups_entries_attribute : LDAPGROUPS_DEFAULT_ENTRIES_ATTRIBUTE;
- case 'ldapgroups_mappings':
- return !empty($servers[$sid]->ldapgroups_mappings) ? unserialize($servers[$sid]->ldapgroups_mappings) : array();
- case 'ldapgroups_mappings_filter':
- return $servers[$sid]->ldapgroups_mappings_filter;
- case 'ldapgroups_filter_php':
- return $servers[$sid]->ldapgroups_filter_php;
- case 'ldapgroups_groups':
- return !empty($servers[$sid]->ldapgroups_groups) ? unserialize($servers[$sid]->ldapgroups_groups) : array();
- }
-}
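Review bot: `drupal_get_path('module', 'ldapgroups')` is evaluated twice in the new `case 'login':` branch; hoisting it into a local, `$path = drupal_get_path('module', 'ldapgroups');`, keeps the two `require_once` lines short and makes it obvious both files come from the same module directory. With `ldapgroups_init()` removed in the hunk above, LDAPInterface.inc and ldapgroups.inc are now loaded only on the login operation, so any other code path that needs the `_ldapgroups_*` helpers or `LDAPInterface` (the admin form is the likely candidate, but it is not visible here) has to include them itself. `ldapgroups_user` ends inside the hunk; the deleted definitions below it are moved to ldapgroups.inc and need no further review here.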