Closed (fixed)
Project: Lightweight Directory Access Protocol
Version: 7.x-1.x-dev
Component: Code
Priority: Major
Category: Bug report
Created: 4 Feb 2011 at 12:10 UTC
Updated: 20 Jun 2018 at 14:58 UTC
Comments
Comment #1
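dennisz commented
I've solved the problem:
In ldap_authorization.inc I use my own code!
Old (line 209):
    // Copies every entry except 'count', keyed by its numeric index. The loose
    // comparison matters: before PHP 8, 0 != 'count' is false, so index 0 is skipped as well.
    foreach ($user_ldap_entry['attr'][strtolower($attribute)] as $i => $value) {
      if ($i != 'count') {
        $derive_from_attr_authorizations[$i] = $value;
      }
    }
New:
    // Iterates by the 'count' element and keys each authorization by its value.
    for ($i = 0; $i < $user_ldap_entry['attr'][strtolower($attribute)]['count']; $i++) {
      $derive_from_attr_authorizations[$user_ldap_entry['attr'][strtolower($attribute)][$i]] = $user_ldap_entry['attr'][strtolower($attribute)][$i];
    }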
Comment #2
johnbarclay commented
Thanks. Good catch. I changed the array from associative to deal with http://drupal.org/node/968584
Comment #3
johnbarclay commented
This is in unstable5. Thanks.
Comment #4
johnbarclay commented
This is fixed in unstable 5. Please test. I didn't give ldap_authorization too much work in unstable 5. It will be my focus in unstable 6.
Comment #5
dennisz commented
Yes it works fine ;-) thx
Comment #6
dennisz commented
Now I have a new problem. If I have two or more authorization rules, only the last one, with the highest numeric_mapping_id, is working.
For example, if rule one sets the admin drupal role and the second rule sets the user roles, then the admin drupal role is revoked on logon. If I change the ids, ldap grants the admin role on logon and revokes the user role.
Comment #7
johnbarclay commented
Sorry about this bug. I've focused on ldap_authentication lately and am moving onto ldap_authorization next. I'll make this fix the first thing I do and put it in 7.x-1.0-dev. Can you write up a test list for the mappings? Something like:
ldap_authorization.mapping,from[1]=blah.to[1]=role2,from[2]=blah.to[2]=role2
desired result = both mappings applied for some users, one or no roles applied for others.
with all the useful testing permutations.
That way I can make sure I'm not fixing one thing and breaking another.
Comment #8
johnbarclay commented
Comment #9
dennisz commented
I hope this is to your liking:
ldap_authorization.mapping,from[1]=CN=IT,OU=Groups,DC=example,DC=com.to[1]=IT,from[2]=CN=Betrieb,OU=Groups,DC=example,DC=com.to[2]=Betrieb,from[3]=CN=Rota,OU=Groups,DC=example,DC=com.to[3]=Rotation,from[4]=CN=Versa,OU=Groups,DC=example,DC=com.to[4]=Versand
ldap_authorization.mapping,from[1]=CN=Admins,OU=Groups,DC=example,DC=com.to[1]=Administratoren,from[2]=CN=Abteilungsleiter,OU=Groups,DC=example,DC=com.to[2]=Administratoren
Desired result = on logon user adm.test assigns the drupal roles Administratoren and IT, the user noadm.test assigns only Rotation.
Comment #10
johnbarclay commented
Thanks. Guess it was silly to ask you to put it in that funky notation as it turned out to be too convoluted to be readable, but thanks. I'm just going to note it like the following in the test wiki. I've also added another case where 2 froms are identical.
Desired result = on logon user adm.test assigns the drupal roles Administratoren and IT, the user noadm.test assigns only Rotation and RotationB.
Comment #11
johnbarclay commented
Comment #12
rconstantine commented
subscribe
Comment #13
richardbporter commented
subscribe
Comment #14
johnbarclay commented
I see the problem. I didn't initially realize you meant more than one ldap mapping configuration; I thought you were referring to the filters text area.
I need some feedback on dealing with this.
The function _ldap_authorizations_user_authorizations() in ldap_authorization.inc and the design of ldap_authorization in general is designed for one authorization mapping per consumer type (e.g. drupal roles, og groups, etc.). The user interface supports creating more than one, but the code doesn't deal with it correctly.
My preference would be to simply limit the number of ldap authorization instances to 1 per consumer type and make changes to meet common use cases with that limitation. There is a ldap_authorization_maps_alter hook for edge cases.
Though I think we can get it to support multiple mappings per consumer type, the code will get more complex and the meaning of "ldap to drupal role mapping and filtering" becomes confusing. Also, a given authorization mapping instance would need to take ownership of the roles they granted for "IV.C." options on the authorization page to make sense. But then if someone deleted an authorization mapping and created an identical one the behaviour would get confusing. Currently all authorization grants are associated with a given consumer type rather than the mapping instance.
Can someone explain some use cases where multiple mappings are needed for a single consumer type? This would help me. The only obvious one to me is to use multiple ldap servers, but I think we can just use checkboxes instead of radios and alter the testing to accommodate this.
The sooner the better also, as I expect to attack ldap authorization this weekend.
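The multi-configuration behaviour reported in comment #6 and explained in comment #14, as an added example that is not part of the thread and not the module's code: when grants are tracked per consumer type, running one grant/revoke pass per mapping configuration lets the last configuration revoke what the earlier ones granted. All function names are hypothetical, the group membership of adm.test is constructed, DNs are matched by exact string, and the merged variant is one possible alternative, not what the maintainer implemented (comment #15 limits configurations to one per consumer type).

```php
<?php
// Added illustration, not ldap_authorization code; all function names are hypothetical.

// Roles one mapping configuration yields for a user's group DNs (exact-match DNs).
function map_groups(array $mapping, array $group_dns): array {
    $hits = array_intersect_key($mapping, array_flip($group_dns));
    return array_values(array_unique($hits));
}

// One grant/revoke pass. Grants are tracked per consumer type, not per mapping
// instance, so a role LDAP granted earlier and not authorized now is revoked.
function apply_pass(array $user, array $authorized): array {
    $revoked = array_diff($user['ldap_granted'], $authorized);
    $kept = array_diff($user['roles'], $revoked);
    $user['roles'] = array_values(array_unique(array_merge($kept, $authorized)));
    $user['ldap_granted'] = $authorized;
    return $user;
}

// Reported behaviour: each configuration runs its own pass, so the last one wins.
function sync_sequential(array $configs, array $group_dns, array $user): array {
    ksort($configs); // ascending numeric_mapping_id
    foreach ($configs as $mapping) {
        $user = apply_pass($user, map_groups($mapping, $group_dns));
    }
    return $user;
}

// Alternative: union the results of all configurations, then run a single pass.
function sync_merged(array $configs, array $group_dns, array $user): array {
    $authorized = [];
    foreach ($configs as $mapping) {
        $authorized = array_merge($authorized, map_groups($mapping, $group_dns));
    }
    return apply_pass($user, array_values(array_unique($authorized)));
}

// Two mappings from comment #9; adm.test's group membership is constructed.
$configs = [
    1 => ['CN=IT,OU=Groups,DC=example,DC=com' => 'IT'],
    2 => ['CN=Admins,OU=Groups,DC=example,DC=com' => 'Administratoren'],
];
$groups = ['CN=IT,OU=Groups,DC=example,DC=com', 'CN=Admins,OU=Groups,DC=example,DC=com'];
$user = ['roles' => ['authenticated user'], 'ldap_granted' => []];

echo implode(', ', sync_sequential($configs, $groups, $user)['roles']), "\n";
echo implode(', ', sync_merged($configs, $groups, $user)['roles']), "\n";
```

The sequential run leaves the user with Administratoren but without IT; the merged run keeps both, which matches the desired result dennisz gives for adm.test in comment #9.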
Comment #15
johnbarclay commented
I ended up limiting the number of authorization configurations to 1 per consumer type. I'm not opposed to opening this back up, but would consider this a 7.2 feature at this point.
Comment #16
johnbarclay commented
Comment #17
sandip27 commented
Hi John,
Are you still planning on incorporating "support multiple mapping configurations" or it's just thrown out of scope altogether?
Thanks