First, sorry for my bad English...
When a user is removed from a group in LDAP, he doesn't lose the role in Drupal.
After a little searching in the code I found the function _ldapgroups_deny_role.
This function takes a user and a role:
    foreach ($user->ldap_drupal_roles as $role) {
      _ldapgroups_deny_role($user, $role);
    }
If the role exists (and if the user has the role) this function must do the trick.
But this will never happen.
    function _ldapgroups_deny_role($user, $rolename) {
      $result = db_query("SELECT * FROM {role} WHERE name = '$rolename'");
      $role_exists = db_num_rows($result);
At this point $rolename is in full DN format, and we don't have a role named "cn=mygroup,ou=groups,dc=localhost,dc=local" but we have "mygroup".
So I made this little modification: create an array like $roles but with the short version of the group name, and keep it in the user info instead of $roles.
    // Same as $role but with short group name
    $short_roles = array();
    // Finally, we grant the roles
    // need to check for empty roles
    if ($roles) {
      foreach ($roles as $role) {
        if ($friendly_role = $ldap_group_role_mappings[$role]) {
          // Just that
        }
        else if (preg_match('/^[^=]*=([^,]*),.*$/', $role, $matches)) {
          $friendly_role = $matches[1];
        }
        else {
          $friendly_role = $role;
        }
        _ldapgroups_create_role($friendly_role);
        _ldapgroups_grant_role($user, $friendly_role);
        $short_roles[] = $friendly_role;
      }
    }
    // Store roles in the user object so we know which ones
    // were granted here
    //user_save($user, array('ldap_drupal_roles' => $roles));
    user_save($user, array('ldap_drupal_roles' => $short_roles));
This time it works.
I'm not sure there are no bad side effects from this modification, so it needs testing.
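The mismatch described above, as an added example that is not part of the original post or of the ldapgroups module: revocation only finds a role when the stored name equals a name in the role table, and the first-RDN rule can map two different group DNs to one role. The function names and the sample DNs and role names are constructed for illustration.

```php
<?php
// Added example: function names and sample data are constructed, not ldapgroups code.

// Short role name for an LDAP group, using the same rule as the modified loop:
// explicit mapping, else the value of the first RDN, else the string unchanged.
function example_short_role($group, array $mappings) {
  if (!empty($mappings[$group])) {
    return $mappings[$group];
  }
  if (preg_match('/^[^=]*=([^,]*),.*$/', $group, $matches)) {
    return $matches[1];
  }
  return $group;
}

// Stand-in for the lookup in _ldapgroups_deny_role(): only stored names that
// exist in the role table can be revoked.
function example_revocable(array $stored, array $role_names) {
  return array_values(array_intersect($stored, $role_names));
}

// Groups whose short names collide, i.e. distinct DNs that end up as one role.
function example_collisions(array $groups, array $mappings) {
  $by_role = array();
  foreach ($groups as $group) {
    $by_role[example_short_role($group, $mappings)][] = $group;
  }
  return array_filter($by_role, function ($dns) {
    return count($dns) > 1;
  });
}

$role_names = array('mygroup', 'admins');   // constructed {role}.name values
$groups = array(                             // constructed LDAP group DNs
  'cn=mygroup,ou=groups,dc=localhost,dc=local',
  'cn=admins,ou=groups,dc=localhost,dc=local',
  'cn=admins,ou=contractors,dc=localhost,dc=local',
);

// Roles stored as full DNs (before the change) are compared with the role table.
var_dump(example_revocable($groups, $role_names));

// Roles stored as short names (after the change) are compared the same way.
$short = array_unique(array_map(function ($g) { return example_short_role($g, array()); }, $groups));
var_dump(example_revocable($short, $role_names));

// Report short names that more than one group DN maps to.
var_dump(example_collisions($groups, array()));
```

A non-empty collision result means membership in either group grants the same Drupal role, so those groups need explicit entries in the group-to-role mapping.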
Comments
Comment #1
johnbarclay commented: Closing 5.x issues to clean out issue queue.