I have 2 lines of code I am trying to integrate with that are throwing errors, and I was able to fix them to work with my module, and hope you can update your code with these 2 lines. I have updated the following:

ldap_authorization.inc line 67
$watchdog_tokens = array('%username' => (is_object($user) ? $user->name : $user['name']));

and line 74
if (is_object($user) and property_exists($user, 'uid') && $user->uid == 1) {

Hopefullly that makes sense. Please let me know if you have questions, but basically the ldap functions seem to work off of the user array instead of the object, but you are checking the object a couple times here. Maybe I'm missing something. We're trying to use the cas module's hook_presave to pull ldap group info and sync it, so we are sending the $edit array from the cas module. Please ask any questions to clarify!

Brett

Comments

johnbarclay’s picture

Title: Couple lines tweaked for CAS integration support » Authorization: Couple lines tweaked for CAS integration support
Assigned: Unassigned » johnbarclay
Category: support » bug
Priority: Normal » Major

Thanks. This is a bug. I understand the issue and code and will commit this before beta3. This issue will affect anyone doing ldap authorization without ldap authentication.

johnbarclay’s picture

Actually this doesn't make sense. It should be the user object, not the array. Can you copy and cast it with (object)$user before passing it in.

I'm not clear about the use case, but shouldn't CAS and ldap_authorization work together out of the box.

brettev’s picture

They don't do the group sync in the 7.x version. Basically, I have one module that does this:

function cas_ldap_groupsync_cas_user_presave(&$edit, $account){
ldap_authorizations_user_authorizations($edit, 'set', NULL, 'logon');
}

Just so on the user presave call from cas, it hooks into the ldap authorizations, which syncs the groups. Does that make sense? Only, I believe I have to send it the $edit, because the user_authorizations call should be adding group info into the user object, right? When we tried it with the $account object being sent to the authorizations call, it crapped out with a white screen.

johnbarclay’s picture

LDAP Authorization should grant the user's roles and save the user object, regardless of what CAS does. Does CAS need the drupal roles assigned before it finishes authentication for some reason.

It sounds like a bug in ldap authorization if its not granting the roles. There should be no need for the code you have. Perhaps its a bug in the CAS module. If code is needed for every permutation of authentication and authorization module we have a problem.

When you test authorization, does it work:
admin/config/people/ldap/authorization/test/drupal_role

When you try ldap authentication and authorization, does it work?

bobthebuilder’s picture

Yes, when you use the Drupal login system with ldap authentication and authorization configured correctly, the users groups/roles get synchronized perfectly. However, if you use the CAS login system then the groups/roles do not get synchronized. I contacted the developers of CAS and they confirmed this is the case, but they did say at one point in time (about a year or so ago) that the CAS module did trigger the group/role synchronization but there were incompatibilities with it it so they removed that functionality. This is why we are developing a module to invoke the group/role synchronization on CAS login.

johnbarclay’s picture

Status: Patch (to be ported) » Closed (won't fix)

LDAP Authorization does group/role synchronization on CAS login. That is all I'm trying to say. I'm just arguing that you don't need such a module.

As far as the patch, its not going to fly. The user object is the way to go, not the array. You should do the object - array conversion before you call the function.

bfroehle’s picture

Status: Closed (won't fix) » Patch (to be ported)

Hi, one of the CAS developers here. The errors are getting triggered because the module being developed is passing an $edit-type array object instead of an $account-type user object (like in user_save().

At first glance, I don't think there is an error in the LDAP code, but I haven't examined this thoroughly.

johnbarclay’s picture

Title: Authorization: Couple lines tweaked for CAS integration support » Authorization: CAS integration testing
Category: bug » task
Priority: Major » Normal
Status: Patch (to be ported) » Needs work

We need someone to test ldap authorization with cas authentication. Ideally including a simpletest. I can write the ldap authorization part of the simpletest, but am not familiar with the CAS module.

This integration will likely inform ldap authorization working with other external authentication modules.

bobthebuilder’s picture

Status: Needs work » Closed (won't fix)

We ended up fixing this in our code.

vinmassaro’s picture

Status: Closed (won't fix) » Active

Reopening since johnbarclay asked in #8 for CAS testing. I've opened #2047731 since group syncing does not work with CAS currently.

vinmassaro’s picture

I have group sync partially working with the help of bobthebuilder and this snippet of code in a custom module. I have LDAP Authorization configured to re-grant roles each time a user logs in, but that doesn't seem to be happening. The first time a user logs in, they get a role of student, staff, or faculty. If I remove the role from that user and have them log in again, they are not re-assigned that role. Any help would be greatly appreciated!

/**
 * A CAS user has authenticated and the login is about to be finalized.
 *
 * This allows modules to react to a CAS user logging in and alter their
 * account properties. For example, modules may want to synchronize Drupal
 * user roles or profile information with LDAP properties.
 *
 * If you would like to synchronize information only for new accounts, you may
 * examine the value of $account->login which will be 0 if the user has never
 * logged in before.
 *
 * The 'cas_user' key in $edit contains all information returned from
 * hook_cas_user_alter().
 *
 * The CAS module promises to call user_save() and user_login_finalize() with
 * this $edit data.
 *
 * @param $edit
 *   An array of values corresponding to the Drupal user to be created.
 * @param $account
 *   A Drupal user object.
 */
function mymodule_cas_user_presave(&$edit, $account) {
  // Load the user object.
  $user = user_load($account->uid);

  // Get the roles from LDAP Authorization.
  ldap_authorizations_user_authorizations($user, 'set', 'drupal_role', 'logon');

  // Per @param $edit, set roles that have been assigned in the $user object.
  // CAS calls user_save() with the $edit data.
  $edit['roles'] = $user->roles;
}
vinmassaro’s picture

@johnbarclay: Would love to get your thoughts on this. We have implemented the code in #11 in the hopes of a fix in LDAP for this eventually. This also seems to strip the CAS module's default to assign the 'authenticated user' role when a new user logs in.

johnbarclay’s picture

Title: Authorization: CAS integration testing » LDAP Authorization: CAS integration testing

Some related issues have been fixed in 7.x-2.0-dev and I'm not working on 7.x-1.0 at all anymore unless patches are submitted and tested. Can you check this against 7.x-2.0-dev?

vinmassaro’s picture

Version: 7.x-1.0-beta2 » 7.x-2.x-dev

I've been testing with 7.x-2.x-dev, so I'm changing the version of this issue. I disabled the custom module I mentioned in #11, updated to the latest 7.x-2.x-dev, and logged into CAS with a new user. The user was not assigned a role as configured with LDAP Authorization. If I create a Drupal core account with the same username, I am correctly assigned the 'staff' role as defined by LDAP Authorization. Thanks.

grahl’s picture

Issue summary: View changes
Status: Active » Closed (outdated)