Closed (fixed)
Project: LDAP integration
Version: 5.x-1.2
Component: Code
Priority: Normal
Category: Support request
Assigned:
Reporter:
Created: 20 Apr 2007 at 09:47 UTC
Updated: 2 Oct 2007 at 18:00 UTC
Hello!
First, thank you for this module. It becomes one of the reasons not to use Joomla :).
I have managed to configure LDAPauth to work against an AD Win 2003 domain. Users can log in and receive their roles based on AD groups. What should happen when I remove the user from an AD group mapped to a Drupal role with full permissions? Should the user be removed from the role or not? The same with adding the user to a new AD group. Should it be added to the corresponding role? I was not able to obtain such synchronization (when the user has already logged on/off previously). Is it possible at all?
Thanks in advance!
Ivan Baturin
Comments
Comment #1
astoltz commented
This happens at login. It will first remove the user from groups added to them through LDAP auth, and then will reapply them as the current groups show. This means if you manually put somebody in a group, the LDAP module won't touch it. The sync does happen though.
Comment #2
baturin commented
OK, I will try to test it more thoroughly. On my first attempt I couldn't make the sync happen.
Comment #3
scafmac commented
baturin,
Please let us know how your tests go. I believe that andyl56 is not completely correct. If you add a group in AD, it should be synched on the next login, but I thought it didn't remove groups that are removed in AD. I ran into this recently and was going to submit a bug, though I can't find it. Of course, andyl56 might be right and I had messed with the roles within Drupal, but I don't believe that was the case. I'll also test it.
Cheers.
Comment #4
baturin commented
scafmac,
My test procedure is fairly simple:
1. Create user in AD and add it to 2 different groups under CN=Users
2. Login/logout in Drupal with its credentials at least 2 times
3. Check the roles of the user by admin login (from another browser). User groups are propagated to Drupal roles with the same names.
4. Delete one user from one group
5. Login/logout at least 2 times
6. Check the roles of the user by admin login. The result is invariable: both groups are here - nothing was removed.
Adding another group is propagating from AD to Drupal. Removing is not propagating.
Does anybody else see such behavior?
Regards, Ivan Baturin
Comment #5
kreaper commented
The AD-Drupal groups-roles mappings occur at login time and FOR that user.
Check function ldapgroups_user_login and _ldapgroups_detect_groups for reference.
When a user logs in,
first we remove all roles for that user that have been previously established,
detect the current groups the user belongs to,
perform transformations,
give them friendly names if provided in the config file,
apply any site specific rules (via the ldapgroups_roles_filter() in the config file) and then assign those roles.
HTH
Comment #6
baturin commented
OK, I have found those functions. I will try to see why roles are not deleted in my case.
Thank you!
Comment #7
kreaper commented
Comment #8
nschelly commented
I was having this same problem. It's been fixed now that I've updated to a patch recommended in another bug report: http://drupal.org/node/171092
I suspect that the roles that were assigned to a user were being assigned not through the LDAP module, but more manually instead usually, and so they weren't being rescinded in Drupal when LDAP rescinded them. I detailed it in my own contribution to that conversation.
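
The login-time sync outlined in comment #5 and the case suspected in comment #8, where a role that was never recorded as LDAP-granted is not revoked, shown as an added PHP model. This is not the LDAP integration module's code: the function names, the account layout, the case-insensitive DN matching and the group DNs are assumptions made for the example.

```php
<?php
// Added model, not the module's code. Names and DNs are hypothetical.

// Map the directory's current group DNs to role names; unmapped groups grant nothing.
function mapped_roles(array $groups, array $map): array {
    $roles = [];
    foreach ($groups as $dn) {
        $key = strtolower(trim($dn)); // assumption: DNs are matched case-insensitively
        if (isset($map[$key])) {
            $roles[] = $map[$key];
        }
    }
    return array_values(array_unique($roles));
}

// $account['roles']: every role held; $account['ldap_roles']: roles a previous
// sync recorded as LDAP-granted. Only the latter are revoked before re-granting.
function sync_roles_at_login(array $account, array $groups, array $map): array {
    $manual  = array_diff($account['roles'], $account['ldap_roles']);
    $current = mapped_roles($groups, $map);
    $account['roles'] = array_values(array_unique(array_merge($manual, $current)));
    $account['ldap_roles'] = $current; // provenance for the next login
    return $account;
}

// Audit check: mapped roles the account holds that no current group justifies.
function stale_roles(array $account, array $groups, array $map): array {
    $mappable = array_intersect($account['roles'], array_values($map));
    return array_values(array_diff($mappable, mapped_roles($groups, $map)));
}

// Constructed sample data.
$editors = 'CN=Editors,CN=Users,DC=example,DC=com';
$admins  = 'CN=Site Admins,CN=Users,DC=example,DC=com';
$map = [strtolower($editors) => 'editors', strtolower($admins) => 'site admins'];

// Case 1: both roles were granted by the sync, then the user leaves Site Admins.
$tracked = sync_roles_at_login(['roles' => [], 'ldap_roles' => []], [$editors, $admins], $map);
$tracked = sync_roles_at_login($tracked, [$editors], $map);
echo 'tracked:   ', implode(', ', $tracked['roles']), "\n";

// Case 2: 'site admins' is held but was never recorded as LDAP-granted.
$untracked = ['roles' => ['editors', 'site admins'], 'ldap_roles' => ['editors']];
$untracked = sync_roles_at_login($untracked, [$editors], $map);
echo 'untracked: ', implode(', ', $untracked['roles']), "\n";
echo 'stale:     ', implode(', ', stale_roles($untracked, [$editors], $map)), "\n";
```

In case 1 the account ends with only the editors role; in case 2 the site admins role survives the login and is the one role stale_roles reports.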