| Project: | Lightweight Directory Access Protocol (LDAP) |
| Version: | 7.x-2.x-dev |
| Component: | Miscellaneous |
| Category: | task |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
Looking at the config for:
Part II. How are drupal role drupal roles derived from LDAP data?
Three options - and it looks like II.C. DERIVE DRUPAL ROLES FROM ENTRY is the nearest.
Thing is - that is a DN (or several) where the user's CN is in a multivalue attribute.
However - we're using groupOfUniqueNames
Here the multivalue uniqueMember attribute holds the user's DN - not CN.
I've set the DN under IIC > LDAP DNs containing roles (one per line)
cn=testrole,ou=groups,dc=domain,dc=tld
and the attribute to uniqueMember
Lower down - in the LDAP to Drupal mapping I've added
cn=testrole,ou=groups,dc=domain,dc=tld|site user
The site user role exists.
But - testing a username (mapped from UID) of a user that has its DN in the uniqueMember list doesn't give a match.
(Note that testing authentication for that user on the previous config page worked OK).
Am I missing something obvious with the role mapping config or is a list of DNs not currently supported?
Comments
#1
Done some more digging (and found the detailed debug checkbox).
In the debug logging I see the following:
username : initial proposed authorization for drupal_role: site user.
This looks promising - it found the correct drupal role for this user based on group.
But then the next line is:
username : filtered authorization for drupal_role: .
So it's filtered away the group that it found.
So now I wonder why the drupal_role consumer filters off the role it has successfully found.
#2
- do you have filtering enabled?
- do the filters you have match "site user"
- does your use case match any of them listed at http://drupal.org/node/1302070? If not can you write one up in the wiki and I can help further with this. If you are hesitant to edit the page, you may also add it as a comment and I'll add it to the page text.
#3
First under:
II.C. DERIVE DRUPAL ROLES FROM ENTRY
LDAP DNs containing roles (one per line)
I currently have
cn=site user,ou=groups,dc=domain,dc=tld
cn=test user,ou=groups,dc=domain,dc=tld
Then under
III.A. LDAP TO DRUPAL ROLE MAPPING AND FILTERING
Mapping of LDAP to drupal role
I currently have
cn=site user,ou=groups,dc=domain,dc=tld|site user
cn=test user,ou=groups,dc=domain,dc=tld|test user
Filtering is checked.
Both roles exist.
For the user in test #1 the user has DN
uid=username,ou=people,dc=domain,dc=tld
And in the groupOfUniqueNames with DN
cn=site user,ou=groups,dc=domain,dc=tld
the uniqueMember attribute has a value:
uniqueMember: uid=username,ou=people,dc=domain,dc=tld
Now - since the pre-filter debug log shows suggested role "site user" it looks like this part has worked.
But - in the filter - that's present:
cn=site user,ou=groups,dc=domain,dc=tld|site user
So I can't see why it's not being left in place by the filtering since it's in the mapping.
As expected - new users that are in LDAP that log in are created but without a role - so it's just getting this mapping/filtering to work and I'm set.
I'll jot down a use case once we've got it working - don't want to advise people to do it wrong :)
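The three steps comment #3 walks through (membership lookup in uniqueMember, the `DN|role` mapping, then filtering) as a stand-alone Python model for working out which roles a given directory state should produce. This is an added example, not the LDAP module's code: the function names, the simplified DN normalisation, the filter rule (keep only mapped roles) and the `uid=other` member are assumptions.

```python
def norm_dn(dn):
    """Comparison form of a DN: case-folded, spaces around ',' and '=' removed.
    Assumption: no escaped commas or multi-valued RDNs (simplified matching)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)

def parse_mappings(text):
    """Parse 'group DN|drupal role' lines (one per line) into {normalised DN: role}."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        dn, sep, role = line.rpartition("|")
        if not sep or not role.strip():
            raise ValueError("expected 'DN|role', got: %r" % line)
        mapping[norm_dn(dn)] = role.strip()
    return mapping

def derive_roles(user_dn, groups, role_dns, mapping_text,
                 member_attr="uniqueMember", only_mapped=True):
    """Return (matched group DNs, granted roles).
    groups: {group DN: {attribute name: [values]}}, as read from the directory."""
    entries = {norm_dn(dn): {k.lower(): v for k, v in attrs.items()}
               for dn, attrs in groups.items()}
    mapping = parse_mappings(mapping_text)
    user = norm_dn(user_dn)
    matched, granted = [], []
    for dn in role_dns:
        key = norm_dn(dn)
        members = entries.get(key, {}).get(member_attr.lower(), [])
        if user not in {norm_dn(m) for m in members}:
            continue  # user's DN is not a value of the member attribute
        matched.append(key)
        if key in mapping:
            granted.append(mapping[key])
        elif not only_mapped:
            granted.append(key)  # unfiltered: the unmapped group DN passes through
    return matched, granted

# Constructed sample data built from the DNs quoted in comment #3.
SITE = "cn=site user,ou=groups,dc=domain,dc=tld"
TEST = "cn=test user,ou=groups,dc=domain,dc=tld"
GROUPS = {SITE: {"uniqueMember": ["uid=username,ou=people,dc=domain,dc=tld"]},
          TEST: {"uniqueMember": ["uid=other,ou=people,dc=domain,dc=tld"]}}
MAPPINGS = SITE + "|site user\n" + TEST + "|test user"

if __name__ == "__main__":
    print(derive_roles("UID=username, OU=people, DC=domain, DC=tld",
                       GROUPS, [SITE, TEST], MAPPINGS))
```

With `only_mapped=True`, a group the user belongs to but that has no mapping line grants nothing, which makes it easy to compare the expected result against the "initial proposed" and "filtered" lines in the debug log.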
#4
#5
#6
Automatically closed -- issue fixed for 2 weeks with no activity.