Not sure if this is a feature request or simply a request for information. Just checking some assumptions....
I am having a hard time getting LDAP group -> Drupal role mapping to work. Editing ldapgroups.conf.php seems to have no effect, and when I add a msg_r($groups); debugging line after the $groups = _ldapgroups_detect_groups($user); it reports nothing. My groups are in the form of:
cn=Group,ou=Groups,dc=example,dc=com with members listed in memberUids. Pretty sure I have the group module set correctly.
Reading some of the comments in the module, it says something like "maps the groups *after* you have authenticated via LDAP" And therein lies my rub: Users authenticate via Webserver_auth (REMOTE_USER-based) module with credential obtained by PubCookie. So I autocreate users that pass Pubcookie auth and I *use* info from LDAP like email address, but I don't auth via LDAP.
But I still want to use our LDAP groups to provide Drupal roles.
Is my realization correct? That the module is only intended to function after LDAP auth? If so, can somebody suggest a place where I could go to try to patch/bypass?
Thanks,
Jim
Comments
Comment #1
geste commented:
And a little follow-up question. Can anybody tell me what I would expect to see on the LDAP Groups config page if this was working. Right now I just see the LDAP profile and edit options. No listing of groups as implied by "Configure the Drupal Roles mapping with the LDAP Groups below." No groups below :(
Comment #2
geste commented:
Can anyone tell me what they see when group<-->role mapping is working properly? Where do you see LDAP groups listed?
Sorry for the bump, but I am trying to decide whether I need to dive in and mess with this module to fool it into thinking that my users have auth'd via LDAP (so that it will map groups) or whether there is a more supportable way to do this. If anyone has a simple answer to the initial question (whether users must auth via LDAP in order for this group-role mapping to work) that would be great.
I guess, also, that this could be a feature request -- to add a third option/setting in ldapauth_admin_options() along the lines of "permit Web server Auth" .
Thanks,
Jim
Comment #3
geste commented:
Talking to myself a bit, but I can't figure out a better venue....
To try to figure out how to proceed, I created a 3rd Drupal installation that does *not* use the Webserver_Auth/Pubcookie authentication mode used on our production intranet. I got TLS-based auth/auth to work. I have a few observations:
I had already created a "jim" account before turning on LDAP auth. So it complained that an account already existed. I had to delete the original account in Drupal before I could sign on with "LDAP jim". I wonder if this has implications for my production setup where accounts were auto-created with Webserver_auth?
Aha! I was finally able to see LDAP groups listed under "Administration/Roles" once I got this working. However, it only added and shows the roles to which my "jim" account belongs. I created a separate bind account and password, but that did not seem to affect the discovery of groups. When I look at LDAP logs, it seems pretty clear that it is only searching for LDAP groups to which I (jim) belong. For admin purposes, I would like to get all of the groups/roles imported so that I can start working on access rules.
Does Drupal cache the sign-on password of LDAP users and then use that for subsequent LDAP operations? I am thinking that is the reason my (PubCookie and no-LDAP-password needed) setup will not perform subsequent LDAP lookups. I was thinking that providing a dedicated bind user/password would bypass that, but not yet. I think that perhaps I need to work on the ACLs for that bind user. It looks like the bind user password is stored plain in MySQL; that makes me want to be careful with ACLs, so I see that as read-only account.
I may try adding LDAP groups to the MySQL roles table manually. If I add a role manually through the "Administration/User Management/Roles" menu, it looks like the result is the same as when I succeeded in making LDAP lookup/add work on my test setup.
So, my end goals are the same:
- Use REMOTE_USER-based PubCookie credentials (using Webserver_Auth) so that LDAP password is not required
- Use LDAP_integration modules to look up and maintain group membership for Drupal roles and access control.
We do have both unixPassword and Samba password stored in LDAP and these are used for a number of non-Web/Pubcookie applications, so one other utility I would like to implement in Drupal is a password-changing page that would allow changing of both of these passwords in one stroke based on successful PubCookie sign-on. I am a little skeptical of doing that, though, since it would seem to depend on having LDAP authentication already done.
Comment #4
Matt Gibson commented:
I have just found that the groups seem not to work. There is an error in the ldapgroups_roles_filter() function which will stop the whole thing from working if you have this enabled. Try changing the bolded value in ldapgroups.conf.php:
function ldapgroups_roles_filter($groups) {
  global $ldap_group_role_mappings;
  $roles = array();
  // Take the detected groups, pass them through the configured mappings and
  // return a NEW set of roles.
  foreach ($groups as $group) {
    foreach ($ldap_group_role_mappings as $approved_group => $approved_role) {
      // Strip whitespace so that differently spaced DNs still compare equal.
      $group_stripped = preg_replace('/\s+/', '', $group);
      // Compare against the mapping KEY (the group DN). The shipped line used
      // $approved_role here, i.e. compared the group DN with the role name,
      // so nothing ever matched.
      $approved_group_stripped = preg_replace('/\s+/', '', $approved_group);
      //echo "approved: ".$approved_group_stripped.", stripped: ".$group_stripped."\n";
      if (strcasecmp($approved_group_stripped, $group_stripped) == 0) {
        // this group is mapped -- grant the role
        $roles[] = $approved_role;
      }
    }
  }
  return $roles;
}
works fine for me now.
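To make the effect of that one-word change visible, here is an added stand-alone harness (example code written for this page, not part of the ldapgroups module or of Matt Gibson's post). It runs a copy of the corrected filter and a copy of the original comparison over a constructed mapping and a constructed group list; the mapping keys, role names and group DNs are invented for illustration.

```php
<?php
// Added example, not code from the ldapgroups module or from this thread.
// It shows (a) what the corrected filter returns for a user's detected groups and
// (b) that the original comparison against $approved_role never matches a DN.

// Constructed mapping in the shape ldapgroups.conf.php uses: LDAP group DN => Drupal role.
$ldap_group_role_mappings = array(
  'cn=Editors,ou=Groups,dc=example,dc=com'    => 'editor',
  'cn=Web Admins,ou=Groups,dc=example,dc=com' => 'site admin',
);

// Constructed list of the kind _ldapgroups_detect_groups() returns for one user.
// Case and spacing differ from the mapping keys on purpose.
$detected_groups = array(
  'CN=editors, OU=Groups, DC=example, DC=com',  // differs from the key only in case/spaces
  'cn=WebAdmins,ou=Groups,dc=example,dc=com',   // "WebAdmins" vs "Web Admins": see usage note
  'cn=Guests,ou=Groups,dc=example,dc=com',      // not mapped to any role
);

// Normalise a DN the way the module's filter does: drop all whitespace and
// compare case-insensitively (strtolower + === is equivalent to strcasecmp == 0 for ASCII).
function ldapgroups_example_normalise($dn) {
  return strtolower(preg_replace('/\s+/', '', $dn));
}

// Corrected filter: compare the user's group against the mapping KEY (the group DN).
function ldapgroups_example_filter_fixed(array $groups, array $mappings) {
  $roles = array();
  foreach ($groups as $group) {
    foreach ($mappings as $approved_group => $approved_role) {
      if (ldapgroups_example_normalise($group) === ldapgroups_example_normalise($approved_group)) {
        $roles[] = $approved_role;
      }
    }
  }
  return array_values(array_unique($roles));
}

// Original behaviour: the group was compared against the mapping VALUE (the role
// name). A role name is never equal to a DN, so every user ended up with no roles.
function ldapgroups_example_filter_buggy(array $groups, array $mappings) {
  $roles = array();
  foreach ($groups as $group) {
    foreach ($mappings as $approved_group => $approved_role) {
      if (ldapgroups_example_normalise($group) === ldapgroups_example_normalise($approved_role)) {
        $roles[] = $approved_role;
      }
    }
  }
  return array_values(array_unique($roles));
}

$fixed = ldapgroups_example_filter_fixed($detected_groups, $ldap_group_role_mappings);
$buggy = ldapgroups_example_filter_buggy($detected_groups, $ldap_group_role_mappings);

echo "corrected filter: " . implode(', ', $fixed) . "\n";
echo "original filter:  " . implode(', ', $buggy) . "\n";

// Self-check so `php this_file.php` exits non-zero if the behaviour described above changes.
if ($fixed !== array('editor', 'site admin') || $buggy !== array()) {
  fwrite(STDERR, "unexpected filter result\n");
  exit(1);
}
```

One caveat that falls straight out of the filter's own logic: because it strips every whitespace character before comparing, a group named "WebAdmins" and one named "Web Admins" are treated as the same group and grant the same role. If your directory could ever contain both, keep the CNs free of such near-duplicates, or normalise DNs by attribute (RFC 4514 rules) rather than by deleting spaces.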
Comment #5
Panda_N_Shark commented:
Changing to what????
Comment #6
johnbarclay commented:
I submitted a rewrite/patch to ldapgroups for Drupal 6 to do this.
http://drupal.org/node/318174#comment-1075845
Comment #7
johnbarclay commented:
Comment #8
cgmonroe commented:
Marking as fixed because the 2008 patch was applied (a while back) and this is dated.
FWIW - AFAIK, the groups to roles stuff will probably work without ldapauth as long as the user ldap_* data has been set properly.
However, in order to prevent users from being created and then denied, the Group Access Rules now depend on someone (generally ldapauth) calling drupal_alter('ldap_user_deny', ....) to fire the rules hook.