I have 2 lines of code I am trying to integrate with that are throwing errors, and I was able to fix them to work with my module, and hope you can update your code with these 2 lines. I have updated the following:
ldap_authorization.inc line 67
$watchdog_tokens = array('%username' => (is_object($user) ? $user->name : $user['name']));
and line 74
if (is_object($user) and property_exists($user, 'uid') && $user->uid == 1) {
Hopefullly that makes sense. Please let me know if you have questions, but basically the ldap functions seem to work off of the user array instead of the object, but you are checking the object a couple times here. Maybe I'm missing something. We're trying to use the cas module's hook_presave to pull ldap group info and sync it, so we are sending the $edit array from the cas module. Please ask any questions to clarify!
Brett
Comments
Comment #1
johnbarclay commentedThanks. This is a bug. I understand the issue and code and will commit this before beta3. This issue will affect anyone doing ldap authorization without ldap authentication.
Comment #2
johnbarclay commentedActually this doesn't make sense. It should be the user object, not the array. Can you copy and cast it with (object)$user before passing it in.
I'm not clear about the use case, but shouldn't CAS and ldap_authorization work together out of the box.
Comment #3
brettev commentedThey don't do the group sync in the 7.x version. Basically, I have one module that does this:
function cas_ldap_groupsync_cas_user_presave(&$edit, $account){
ldap_authorizations_user_authorizations($edit, 'set', NULL, 'logon');
}
Just so on the user presave call from cas, it hooks into the ldap authorizations, which syncs the groups. Does that make sense? Only, I believe I have to send it the $edit, because the user_authorizations call should be adding group info into the user object, right? When we tried it with the $account object being sent to the authorizations call, it crapped out with a white screen.
Comment #4
johnbarclay commentedLDAP Authorization should grant the user's roles and save the user object, regardless of what CAS does. Does CAS need the drupal roles assigned before it finishes authentication for some reason.
It sounds like a bug in ldap authorization if its not granting the roles. There should be no need for the code you have. Perhaps its a bug in the CAS module. If code is needed for every permutation of authentication and authorization module we have a problem.
When you test authorization, does it work:
admin/config/people/ldap/authorization/test/drupal_role
When you try ldap authentication and authorization, does it work?
Comment #5
bobthebuilder commentedYes, when you use the Drupal login system with ldap authentication and authorization configured correctly, the users groups/roles get synchronized perfectly. However, if you use the CAS login system then the groups/roles do not get synchronized. I contacted the developers of CAS and they confirmed this is the case, but they did say at one point in time (about a year or so ago) that the CAS module did trigger the group/role synchronization but there were incompatibilities with it it so they removed that functionality. This is why we are developing a module to invoke the group/role synchronization on CAS login.
Comment #6
johnbarclay commentedLDAP Authorization does group/role synchronization on CAS login. That is all I'm trying to say. I'm just arguing that you don't need such a module.
As far as the patch, its not going to fly. The user object is the way to go, not the array. You should do the object - array conversion before you call the function.
Comment #7
bfroehle commentedHi, one of the CAS developers here. The errors are getting triggered because the module being developed is passing an $edit-type array object instead of an $account-type user object (like in user_save().
At first glance, I don't think there is an error in the LDAP code, but I haven't examined this thoroughly.
Comment #8
johnbarclay commentedWe need someone to test ldap authorization with cas authentication. Ideally including a simpletest. I can write the ldap authorization part of the simpletest, but am not familiar with the CAS module.
This integration will likely inform ldap authorization working with other external authentication modules.
Comment #9
bobthebuilder commentedWe ended up fixing this in our code.
Comment #10
vinmassaro commentedReopening since johnbarclay asked in #8 for CAS testing. I've opened #2047731 since group syncing does not work with CAS currently.
Comment #11
vinmassaro commentedI have group sync partially working with the help of bobthebuilder and this snippet of code in a custom module. I have LDAP Authorization configured to re-grant roles each time a user logs in, but that doesn't seem to be happening. The first time a user logs in, they get a role of student, staff, or faculty. If I remove the role from that user and have them log in again, they are not re-assigned that role. Any help would be greatly appreciated!
Comment #12
vinmassaro commented@johnbarclay: Would love to get your thoughts on this. We have implemented the code in #11 in the hopes of a fix in LDAP for this eventually. This also seems to strip the CAS module's default to assign the 'authenticated user' role when a new user logs in.
Comment #13
johnbarclay commentedSome related issues have been fixed in 7.x-2.0-dev and I'm not working on 7.x-1.0 at all anymore unless patches are submitted and tested. Can you check this against 7.x-2.0-dev?
Comment #14
vinmassaro commentedI've been testing with 7.x-2.x-dev, so I'm changing the version of this issue. I disabled the custom module I mentioned in #11, updated to the latest 7.x-2.x-dev, and logged into CAS with a new user. The user was not assigned a role as configured with LDAP Authorization. If I create a Drupal core account with the same username, I am correctly assigned the 'staff' role as defined by LDAP Authorization. Thanks.
Comment #15
grahl