Hi all,
I am working with Drupal 7.16 and the latest LDAP 7.x-2.x-dev.
My LDAP environment is composed of a virtual machine with Mountain Lion and LDAP, fresh install, 1 user (uid=crystaltest,cn=users,dc=vmserver,dc=private) and 2 groups (cn=testgroup,cn=groups,dc=vmserver,dc=private and cn=workgroup,cn=groups,dc=vmserver,dc=private). The user belongs to both groups.
What I need to do: assign a role (student) to the user (crystaltest) if this user is part of a specific group (testgroup). Below is my problem in detail, please forgive me if it is useless/too much.
What I could achieve:
- Server binding and associated tests
- Authentication and associated tests
- Group configuration and associated tests
What I am struggling with:
- Authorization: map Drupal roles with LDAP group
Mapping in Authorization settings:
cn=testgroup,cd=vmserver,cd=private|student
Group configuration in Server settings:
User attribute held in "LDAP Group Entry Attribute Holding..."
uid
If this is set to a different attribute name, the groups are not found.
When performing drupal role authorization test watchdog shows me this message:
Notice: Undefined variable: filtered_ldap_authorizations in _ldap_authorizations_user_authorizations() (line 272 of /sites/all/modules/ldap/ldap_authorization/ldap_authorization.inc).
Warning: array_keys() expects parameter 1 to be array, null given in _ldap_authorizations_user_authorizations() (line 272 of /Applications/MAMP/htdocs/druedu/trunk/sites/all/modules/ldap/ldap_authorization/ldap_authorization.inc).
Warning: join() [function.join]: Invalid arguments passed in _ldap_authorizations_user_authorizations() (line 272 of /Applications/MAMP/htdocs/druedu/trunk/sites/all/modules/ldap/ldap_authorization/ldap_authorization.inc).
Notice: Undefined variable: filtered_ldap_authorizations in _ldap_authorizations_user_authorizations() (line 283 of /Applications/MAMP/htdocs/druedu/trunk/sites/all/modules/ldap/ldap_authorization/ldap_authorization.inc).
Notice: Undefined variable: filtered_ldap_authorizations in _ldap_authorizations_user_authorizations() (line 297 of /Applications/MAMP/htdocs/druedu/trunk/sites/all/modules/ldap/ldap_authorization/ldap_authorization.inc).
I am not sure if it can be useful, but digging the code, after dpm some variables, I notice that $group_entries is empty in groupUserMembershipsFromEntry after groupMembershipsFromEntryResursive is called (in LdapServer.class.php, line 1593). Before the call of this function, groups are found by the module.
Going deeper in function calls, I noticed that when ldap_servers_get_first_rdn_value_from_dn is called in the function groupMembershipsFromEntryResursive, the $member_id returned is FALSE.
In ldap_servers_get_first_rdn_value_from_dn (line 829 of ldap_servers.module), the values of $dn and $rdn are respectively:
$dn: cn=workgroup,cn=groups,dc=vmserver,dc=private
$rdn: uid
$dn: cn=testgroup,cn=groups,dc=vmserver,dc=private
$rdn: uid
uid corresponds to the setting: User attribute held in "LDAP Group Entry Attribute Holding...". According to the output, I should set this configuration to cn - however in this case $group_entries in LdapServer.class.php line 1590 is empty after the search function is called:
$group_entries = $this->search($base_dn, $group_query, array());
So depending on the settings of "LDAP Group Entry Attribute Holding...", either the group entries are not found by the LDAP query (when using cn), or are removed later on by ldap_servers_get_first_rdn_value_from_dn (when using uid).
Could you please help me?
Attached is my LDAP configuration according to the directions given in the Help module.
Comment | File | Size | Author
---|---|---|---
#3 | screenshot.png | 110.78 KB | crystal_alexandre_froger
(original post) | ldap_config.html_.zip | 1.75 KB | crystal_alexandre_froger
Comments
Comment #1
johnbarclay commented:
Thanks for all the details. They are helpful and appreciated. I see a typo:
cn=testgroup,cd=vmserver,cd=private|student
should be:
cn=workgroup,cn=groups,dc=vmserver,dc=private|student if your group's dn is: cn=testgroup,cd=vmserver,cd=private
For initial testing, since you have a small ldap, I would just turn off the mappings and let it create roles like:
cn=testgroup,cn=groups,dc=vmserver,dc=private
cn=workgroup,cn=groups,dc=vmserver,dc=private
and see if that works. Then do the mapping/filtering.
The errors and empty results should all be better handled, so I'm marking this as a bug.
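The two failure modes discussed so far (the original post's group DNs being dropped because `ldap_servers_get_first_rdn_value_from_dn` is asked for a `uid` RDN on a `cn=...` DN, and the `group_dn|role` mapping line whose typo never matches) can be reproduced with a small model of that logic. The code below is an added example written for this page; it is not code from the thread or from the Drupal ldap module, and every function name in it (`parse_dn`, `first_rdn_value_from_dn`, `resolve_authorization_ids`, `drupal_roles`) is illustrative, not a module API. The group DNs and mapping lines are the ones quoted in the thread.

```python
"""Model of the group-DN -> authorization id -> Drupal role pipeline.

Added example, not ldap module code. Names are illustrative.
"""

# Constructed data, taken from the values quoted in the issue.
USER_DN = "uid=crystaltest,cn=users,dc=vmserver,dc=private"
GROUP_DNS = [
    "cn=testgroup,cn=groups,dc=vmserver,dc=private",
    "cn=workgroup,cn=groups,dc=vmserver,dc=private",
    "cn=workgroup,cn=groups,dc=vmserver,dc=private",  # duplicate on purpose
]
MAPPING_WITH_TYPO = ["cn=testgroup,cd=vmserver,cd=private|student"]
MAPPING_FIXED = ["cn=testgroup,cn=groups,dc=vmserver,dc=private|student"]


def parse_dn(dn):
    """Split a DN into [(attr, value), ...].

    Backslash escapes are honoured so an escaped comma inside a value
    (e.g. 'cn=Smith\\, John') is not treated as an RDN separator.
    """
    rdns, attr, buf, escaped = [], None, [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:
            attr = "".join(buf).strip().lower()
            buf = []
        elif ch == ",":
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
    if attr is not None:
        rdns.append((attr, "".join(buf).strip()))
    return rdns


def first_rdn_value_from_dn(dn, rdn_attr):
    """Value of the first RDN if its attribute is rdn_attr, else False.

    This is the behaviour reported in the thread: a group DN such as
    'cn=testgroup,...' queried with rdn_attr='uid' yields False.
    """
    rdns = parse_dn(dn)
    if not rdns:
        return False
    attr, value = rdns[0]
    return value if attr == rdn_attr.lower() else False


def resolve_authorization_ids(group_dns, rdn_attr):
    """Keep the group DNs whose first RDN matches rdn_attr, lowercased
    and de-duplicated (the duplicate problem mentioned later in the thread)."""
    kept = []
    for dn in group_dns:
        if first_rdn_value_from_dn(dn, rdn_attr) is False:
            continue  # group silently dropped: AUTHORIZATION IDS ends up empty
        if dn.lower() not in kept:
            kept.append(dn.lower())
    return kept


def drupal_roles(authorization_ids, mapping_lines):
    """Apply 'group_dn|role' lines. With no mapping lines, the
    authorization ids themselves become the role names."""
    if not mapping_lines:
        return list(authorization_ids)
    roles = []
    for line in mapping_lines:
        if "|" not in line:
            continue
        target, role = [p.strip() for p in line.split("|", 1)]
        if target.lower() in authorization_ids and role not in roles:
            roles.append(role)
    return roles


if __name__ == "__main__":
    for attr in ("uid", "cn"):
        ids = resolve_authorization_ids(GROUP_DNS, attr)
        print(f"rdn attribute {attr!r}: authorization ids = {ids}")
        print("  roles, mapping off   :", drupal_roles(ids, []))
        print("  roles, typo mapping  :", drupal_roles(ids, MAPPING_WITH_TYPO))
        print("  roles, fixed mapping :", drupal_roles(ids, MAPPING_FIXED))
```

Running it shows the two independent problems: with the RDN attribute set to `uid`, no group survives, so neither mapping can produce a role; with `cn`, the groups survive but the `cd=` typo still yields nothing, and only the corrected line grants `student`.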
Comment #2
crystal_alexandre_froger commented:
Wow, thank you for this quick reply!
Trying this out right now, feedback in a minute.
Comment #3
crystal_alexandre_froger commented:
So the group dns are:
cn=testgroup,cn=groups,dc=vmserver,dc=private
cn=workgroup,cn=groups,dc=vmserver,dc=private
No more luck by disabling mapping or fixing the typo in the configuration - the roles are not created (this config is turned on).
Attached a screenshot of the test result page.
Comment #4
johnbarclay commented:
I committed a fix for "Notice: Undefined variable: filtered_ldap_authorizations". That is not your problem though. I suspect this is a bug.
Have you tried the test form: admin/config/people/ldap/authorization/test/drupal_role ?
Comment #5
crystal_alexandre_froger commented:
Yes - the result was in the screenshot attached - AUTHORIZATION IDS is empty.
My settings for authorization:
I. BASICS
LDAP Server used in drupal role configuration. *
Selected - vmserver.private
Ticked - Enable this configuration
Unticked - Only apply the following LDAP to drupal role configuration to users authenticated via LDAP. One uncommon reason for disabling this is when you are using Drupal authentication, but want to leverage LDAP for authorization; for this to work the Drupal username still has to map to an LDAP entry.
II. LDAP TO DRUPAL ROLE MAPPING AND FILTERING
All empty/unticked, as recommended
PART III. EVEN MORE SETTINGS.
All ticked
Comment #6
johnbarclay commented:
Try checking "Only apply the following LDAP to drupal role configuration to users authenticated via LDAP" and do the test again. That's the only thing that sticks out and that might be where the bug is.
Comment #7
crystal_alexandre_froger commented:
Well, still the same result - nothing in AUTHORIZATION IDS column...
Comment #8
crystal_alexandre_froger commented:
I found where I am losing the groups to test: in groupMembershipsFromEntryResursive, the member_id cannot be found, therefore AUTHORIZATION IDS becomes empty.
There are some things I don't understand with this function. I have put some comments in the code below, to follow my understanding:
Does it help to see where could be the issue?
Comment #9
crystal_alexandre_froger commented:
By the way, I found a small thing in this function: * @return FALSE for error or misconfiguration, otherwise TRUE. results are passed by reference.
It never returns TRUE in the code...
Comment #10
crystal_alexandre_froger commented:
I am not sure about the side effects... But if I change this:
to this:
Then the role attribution works.
Comment #11
crystal_alexandre_froger commented:
The side effect is that the array $all_group_dns would contain duplicates.
I do that instead:
Comment #12
crystal_alexandre_froger commented:
I prefer to close this issue since I found other problems, which are also related (OG, nested groups, etc...), and maybe the beginning of a solution. See http://drupal.org/node/1839144