I have two different mappings for drupal roles. If I test the mappings with ldap users, the first "memberOf" entry is ignored. When I add any group to the ldap user, the mapping works.
The Ldap browser shows that the memberOf group for the mapping is the second entry. The first entry is furthermore ignored.

Comments

dennisz’s picture

I've solved the problem:

In ldap_authorization.inc I use my own code!

Old (line 209):

  // The attribute array has the ldap_get_entries() shape: [ 'count' => N, 0 => ..., 1 => ... ].
  // Loose comparison: on PHP 5/7, 0 != 'count' is FALSE (the non-numeric string casts to 0),
  // so index 0, the first memberOf value, is silently skipped.
  foreach ($user_ldap_entry['attr'][strtolower($attribute)] as $i => $value) {
    if ($i != 'count') {
      $derive_from_attr_authorizations[$i] = $value;
    }
  }

New:

  // Walk the numeric indexes 0..count-1 explicitly, so the 'count' key is never
  // compared against an integer index and the first value is no longer dropped.
  $values = $user_ldap_entry['attr'][strtolower($attribute)];
  for ($i = 0; $i < $values['count']; $i++) {
    $derive_from_attr_authorizations[$values[$i]] = $values[$i];
  }
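As an added example (not code from the module or from this thread), the constructed entry below shows why the old loop drops the first memberOf value: PHP's ldap_get_entries() shapes a multi-valued attribute as [ 'count' => N, 0 => ..., 1 => ... ], and on PHP 5 and 7 the loose comparison 0 != 'count' is false, so index 0 is skipped. On PHP 8 the comparison rules changed and both loops agree.

```php
<?php
// Constructed sample entry in the shape ldap_get_entries() returns.
$user_ldap_entry = [
  'attr' => [
    'memberof' => [
      'count' => 2,
      0 => 'CN=Admins,OU=Groups,DC=example,DC=com',
      1 => 'CN=IT,OU=Groups,DC=example,DC=com',
    ],
  ],
];

// Loose comparison, as in the original loop. On PHP 5/7 the key 0 compares
// equal to the non-numeric string 'count', so the first group is dropped;
// an authorization derived from memberOf then silently misses that group.
function groups_loose(array $entry, $attribute) {
  $out = [];
  foreach ($entry['attr'][strtolower($attribute)] as $i => $value) {
    if ($i != 'count') {
      $out[$i] = $value;
    }
  }
  return $out;
}

// Strict comparison only skips the literal 'count' key and keeps every index.
function groups_strict(array $entry, $attribute) {
  $out = [];
  foreach ($entry['attr'][strtolower($attribute)] as $i => $value) {
    if ($i !== 'count') {
      $out[$i] = $value;
    }
  }
  return $out;
}

// Alternative fix in the style of the patch above: iterate 0..count-1.
function groups_by_count(array $entry, $attribute) {
  $values = $entry['attr'][strtolower($attribute)];
  $out = [];
  for ($i = 0; $i < $values['count']; $i++) {
    $out[$i] = $values[$i];
  }
  return $out;
}

print_r(groups_loose($user_ldap_entry, 'memberOf'));
print_r(groups_strict($user_ldap_entry, 'memberOf'));
print_r(groups_by_count($user_ldap_entry, 'memberOf'));
```

Run under PHP 5 or 7, the first call returns only the IT group while the other two return both; an easy regression check is to compare count($result) with the attribute's 'count' value.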

johnbarclay’s picture

Thanks. Good catch. I changed the array from associative to deal with http://drupal.org/node/968584

johnbarclay’s picture

Status: Active » Patch (to be ported)

This is in unstable5. Thanks.

johnbarclay’s picture

Version: 7.x-1.0-unstable4 » 7.x-1.0-unstable5
Status: Patch (to be ported) » Needs review

This is fixed in unstable 5. Please test. I didn't give ldap_authorization too much work in unstable 5. It will be my focus in unstable 6.

dennisz’s picture

Yes it works fine ;-) thx

dennisz’s picture

Now I have a new problem. If I have two or more authorization rules, only the last one, with the highest numeric_mapping_id, is working.
For example, if rule one sets the admin drupal role and the second rule sets the user roles, then the admin drupal role is revoked on logon. If I change the ids, ldap grants the admin role on logon and revokes the user role.

johnbarclay’s picture

Sorry about this bug. I've focused on ldap_authentication lately and am moving onto ldap_authorization next. I'll make this fix the first thing I do and put it in 7.x-1.0-dev. Can you write up a test list for the mappings? Something like:

ldap_authorization.mapping,from[1]=blah.to[1]=role2,from[2]=blah.to[2]=role2
desired result = both mappings applied for some users, one or no roles applied for others.

with all the useful testing permutations.

That way I can make sure I'm not fixing one thing and breaking another.

johnbarclay’s picture

Assigned: Unassigned » johnbarclay
Status: Needs review » Active

dennisz’s picture

I hope this is to your liking:

ldap_authorization.mapping,from[1]=CN=IT,OU=Groups,DC=example,DC=com.to[1]=IT,from[2]=CN=Betrieb,OU=Groups,DC=example,DC=com.to[2]=Betrieb,from[3]=CN=Rota,OU=Groups,DC=example,DC=com.to[3]=Rotation,from[4]=CN=Versa,OU=Groups,DC=example,DC=com.to[4]=Versand
ldap_authorization.mapping,from[1]=CN=Admins,OU=Groups,DC=example,DC=com.to[1]=Administratoren,from[2]=CN=Abteilungsleiter,OU=Groups,DC=example,DC=com.to[2]=Administratoren
Desired result = on logon, user adm.test is assigned the drupal roles Administratoren and IT, and user noadm.test is assigned only Rotation.

johnbarclay’s picture

Thanks. Guess it was silly to ask you to put it in that funky notation, as it turned out to be too convoluted to be readable, but thanks. I'm just going to note it like the following in the test wiki. I've also added another case where 2 froms are identical.

CN=IT,OU=Groups,DC=example,DC=com|IT
CN=Betrieb,OU=Groups,DC=example,DC=com|Betrieb
CN=Rota,OU=Groups,DC=example,DC=com|Rotation
CN=Rota,OU=Groups,DC=example,DC=com|RotationB
CN=Versa,OU=Groups,DC=example,DC=com|Vers
CN=Admins,OU=Groups,DC=example,DC=com|Administratoren
CN=Abteilungsleiter,OU=Groups,DC=example,DC=com|Administratoren

Desired result = on logon, user adm.test is assigned the drupal roles Administratoren and IT, and user noadm.test is assigned only Rotation and RotationB.
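An added example, not the module's code, that evaluates the test list above for the two test accounts and contrasts the reported "last configuration wins" behaviour with the union the desired result expects. The group memberships of adm.test and noadm.test are assumptions; the mapping lines and expected roles come from the thread, with the first five lines treated as the first configuration and the last two as the second.

```php
<?php
// Constructed from the test list above, in the "from DN|drupal role" notation.
$configs = [
  [ // first authorization configuration
    'CN=IT,OU=Groups,DC=example,DC=com|IT',
    'CN=Betrieb,OU=Groups,DC=example,DC=com|Betrieb',
    'CN=Rota,OU=Groups,DC=example,DC=com|Rotation',
    'CN=Rota,OU=Groups,DC=example,DC=com|RotationB',
    'CN=Versa,OU=Groups,DC=example,DC=com|Vers',
  ],
  [ // second authorization configuration
    'CN=Admins,OU=Groups,DC=example,DC=com|Administratoren',
    'CN=Abteilungsleiter,OU=Groups,DC=example,DC=com|Administratoren',
  ],
];
$users = [ // assumed memberOf values for the two test accounts
  'adm.test'   => ['CN=Admins,OU=Groups,DC=example,DC=com', 'CN=IT,OU=Groups,DC=example,DC=com'],
  'noadm.test' => ['CN=Rota,OU=Groups,DC=example,DC=com'],
];
// Roles one configuration grants: every line whose "from" DN the user holds.
// DNs compare case-insensitively; one DN may map to several roles (Rota above).
function roles_for(array $memberof, array $config) {
  $held = array_map('strtolower', $memberof);
  $roles = [];
  foreach ($config as $line) {
    list($from, $to) = explode('|', $line, 2);
    if (in_array(strtolower($from), $held, TRUE)) {
      $roles[$to] = TRUE;
    }
  }
  return array_keys($roles);
}
// $union = FALSE reproduces the reported bug: each configuration's result
// replaces the previous one, so only the highest mapping id takes effect.
// $union = TRUE keeps every grant, which is the desired result above.
function grant(array $memberof, array $configs, $union) {
  $roles = [];
  foreach ($configs as $config) {
    $new = roles_for($memberof, $config);
    $roles = $union ? array_unique(array_merge($roles, $new)) : $new;
  }
  return array_values($roles);
}
foreach ($users as $name => $memberof) {
  printf("%-10s last wins: %s\n", $name, implode(',', grant($memberof, $configs, FALSE)));
  printf("%-10s union:     %s\n", $name, implode(',', grant($memberof, $configs, TRUE)));
}
```

With these memberships, last-wins leaves adm.test with only Administratoren and noadm.test with no role at all, which is the revocation on logon described earlier in the thread, while union gives IT and Administratoren for adm.test and Rotation and RotationB for noadm.test.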

johnbarclay’s picture

Priority: Normal » Major

rconstantine’s picture

subscribe

richardbporter’s picture

subscribe

johnbarclay’s picture

Title: First ldapgroup ignored by roles » LDAP Authorization doesn't support multiple mapping configurations for a given consumer type
Status: Active » Needs review

I see the problem. I didn't initially realize you meant more than one ldap mapping configuration; I thought you were referring to the filters text area.

I need some feedback on dealing with this.

The function _ldap_authorizations_user_authorizations() in ldap_authorization.inc and the design of ldap_authorization in general is designed for one authorization mapping per consumer type (e.g. drupal roles, og groups, etc.). The user interface supports creating more than one, but the code doesn't deal with it correctly.

My preference would be to simply limit the number of ldap authorization instances to 1 per consumer type and make changes to meet common use cases with that limitation. There is a ldap_authorization_maps_alter hook for edge cases.

Though I think we can get it to support multiple mappings per consumer type, the code will get more complex and the meaning of "ldap to drupal role mapping and filtering" becomes confusing. Also, a given authorization mapping instance would need to take ownership of the roles it granted for the "IV.C." options on the authorization page to make sense. But then if someone deleted an authorization mapping and created an identical one, the behaviour would get confusing. Currently all authorization grants are associated with a given consumer type rather than the mapping instance.

Can someone explain some use cases where multiple mappings are needed for a single consumer type? This would help me. The only obvious one to me is to use multiple ldap servers, but I think we can just use checkboxes instead of radios and alter the testing to accommodate this.

The sooner the better, also, as I expect to attack ldap authorization this weekend.

johnbarclay’s picture

Version: 7.x-1.0-unstable5 » 7.x-1.x-dev

I ended up limiting the number of authorization configurations to 1 per consumer type. I'm not opposed to opening this back up, but would consider this a 7.2 feature at this point.

johnbarclay’s picture

Status: Needs review » Closed (fixed)

sandip27’s picture

Component: Miscellaneous » Code
Issue summary: View changes

Hi John,

Are you still planning on incorporating "support multiple mapping configurations", or is it just thrown out of scope altogether?

Thanks