I see that there is the ability to choose which groups would be recognized as roles. On this same concept, instead of having to enter in all of the groups, I'd like to use a regular expression (or something like it at least). For instance, I only want groups that begin with CMS for the group name. The way we create groups, I may have multiple groups assigned to me, but just because I'm in the IT group doesn't mean I should be able to edit the content for the IT website. If I'm in the CMS_IT group, then I should be able to edit the website.
On the same topic of groups, what takes preference? If someone has two groups and one gives them access to X and the other does not give them access to X, do they have access or don't they? I am hoping that if you are allowed access by one group, then you are allowed access.
Thank you,
Shane
Comments
Comment #1
scafmac commented:

Hi Shane,
It's a little unclear to me if you are talking about group filtering hard coded in the php, which is optional, or using regular expressions on the ldap_groups administration screen.
I presume you're not, but if you're using the third group configuration option, "Groups exist as LDAP entries where a multivalued attribute contains the members' CNs", then it's recursive. So if you provide a parent node that contains all of the group nodes that map to a Drupal role, it will parse all of them. So that could save some keystrokes if the Drupal groups are organized in this way...
Allowing wildcards or regular expressions might be a little risky from the admin screen. It would need to be considered carefully. It wouldn't be so hard to add to the group filter function if you want to hard code your role filtering in the php files - I'm not a fan of that method though.
With regard to group precedence, it really depends on the enforcing mechanism you are referring to. The ldap_groups module only provides the integration with Drupal - it does not provide any Drupal enforcement mechanisms. So let's consider two methods - full blown Taxonomy Access Control (TAC) & views limit-by-role functionality. In something like views where you restrict it to one role, it is a whitelist. If you are in one of the allowed roles, you have access, period.
With TAC on the other hand, it isn't so straightforward. I'm pretty sure, though not positive, that you can configure TAC to act like a whitelist (TAC allow/ignore) or a blacklist (TAC deny) and the latter is evaluated last. So if one role is actually denied access by a TAC rule, then regardless of the other roles, the content is inaccessible...
So the answer to your question is it depends on the access control system you are using and how it is configured.
Cheers
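The two precedence models described above (a Views-style role whitelist versus a TAC-style allow/ignore/deny scheme where deny is evaluated last), as an added example that is not part of this thread or of the ldap_groups, Views or TAC code; the function names and the rule format are hypothetical:

```php
<?php
// Added example (not ldap_groups, Views or TAC code): how role precedence differs
// between a whitelist check and an allow/ignore/deny scheme with deny applied last.
// Function names and the $rules format are hypothetical.

/**
 * Whitelist semantics: access if ANY of the user's roles is in the allowed set.
 */
function whitelist_access(array $user_roles, array $allowed_roles): bool {
    return count(array_intersect($user_roles, $allowed_roles)) > 0;
}

/**
 * Allow/ignore/deny semantics: collect grants from every role, then apply
 * denies last so that a single deny overrides any number of allows.
 *
 * $rules maps role name => 'allow' | 'ignore' | 'deny'.
 * Roles without a rule are treated as 'ignore'.
 */
function deny_wins_access(array $user_roles, array $rules): bool {
    $allowed = false;
    foreach ($user_roles as $role) {
        if (($rules[$role] ?? 'ignore') === 'allow') {
            $allowed = true;
        }
    }
    // Deny is evaluated last: a deny on any of the user's roles wins.
    foreach ($user_roles as $role) {
        if (($rules[$role] ?? 'ignore') === 'deny') {
            return false;
        }
    }
    return $allowed;
}

// Constructed sample: a user who is in both the plain IT role and the CMS_IT role.
$user_roles = ['it staff', 'cms_it editor'];

// Views-style restriction: one permitted role is enough.
var_dump(whitelist_access($user_roles, ['cms_it editor']));

// TAC-style: 'cms_it editor' is allowed, but 'it staff' is explicitly denied,
// so the deny wins even though another role grants access.
$rules = ['cms_it editor' => 'allow', 'it staff' => 'deny'];
var_dump(deny_wins_access($user_roles, $rules));

// With the deny changed to 'ignore', the allow from the other role takes effect.
$rules['it staff'] = 'ignore';
var_dump(deny_wins_access($user_roles, $rules));
```

The practical consequence for an administrator is that, under the deny-last model, adding a user to an extra group can remove access they already had through another group, whereas under a pure whitelist adding groups can only ever widen access.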
Comment #2
shanefjordan commented:

Thank you for the quick response. I think I have the access control question figured out for what I needed, thank you for the information. As far as the groups, I am using the second option with "memberOf" to pull the groups. I would be willing to hard code the group filter function into the php files, do you know where this would need to be, or will I have to trace through the code to find it?
- Shane
Comment #3
scafmac commented:

From the ldap_groups admin page (/admin/settings/ldapgroups/):
The comments in the file should clearly show what you need to do. However, the function that is in there doesn't currently allow regular expressions out of the box... and it looks like it might take a little redesigning to allow it.
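A prefix-based group filter of the kind discussed in this thread, as an added example that is not the ldap_groups module's own code and does not show where in the module it would be called; `cms_group_filter()` and `group_cn()` are hypothetical names. It goes slightly beyond Shane's case by accepting either full group DNs (as returned by memberOf) or bare CNs, and it deliberately avoids the risk scafmac mentions by treating the admin-supplied prefix as a literal rather than as a regular expression:

```php
<?php
// Added example (not ldap_groups code): keep only the memberOf groups whose CN
// starts with a fixed prefix such as "CMS_", so membership in "IT" alone does not
// map to a CMS editing role while "CMS_IT" does. Function names are hypothetical.

/**
 * Keep only groups whose CN starts with $prefix.
 *
 * The prefix is escaped with preg_quote() and the pattern is anchored, so an
 * admin-entered value cannot become an arbitrary regular expression. Matching
 * is case-insensitive because LDAP CNs are compared case-insensitively.
 * Accepts either full DNs ("cn=CMS_IT,ou=groups,...") or bare CNs ("CMS_IT").
 * Caveat: escaped commas inside a CN (e.g. "cn=A\, B,ou=...") are not handled.
 */
function cms_group_filter(array $groups, string $prefix = 'CMS_'): array {
    $pattern = '/^(?:cn=)?' . preg_quote($prefix, '/') . '/i';
    $kept = [];
    foreach ($groups as $group) {
        if (preg_match($pattern, trim($group)) === 1) {
            $kept[] = $group;
        }
    }
    return $kept;
}

/**
 * Extract the CN from a group DN or return a bare CN unchanged.
 * "cn=CMS_IT,ou=groups,dc=example,dc=com" -> "CMS_IT"
 */
function group_cn(string $group): ?string {
    return preg_match('/^(?:cn=)?([^,]+)/i', trim($group), $m) === 1 ? $m[1] : null;
}

// Constructed sample memberOf values for the scenario in the thread.
$member_of = [
    'cn=IT,ou=groups,dc=example,dc=com',
    'cn=CMS_IT,ou=groups,dc=example,dc=com',
    'cn=CMS_HR,ou=groups,dc=example,dc=com',
    'cn=Staff,ou=groups,dc=example,dc=com',
];

// Only the CMS_ groups survive; these are the ones you would map to Drupal roles.
foreach (cms_group_filter($member_of) as $dn) {
    echo group_cn($dn), PHP_EOL;
}
```

If you do hard code something like this into the module, keep the prefix a literal string as above; if you later decide to accept a real regular expression from the admin screen, anchor it, validate it with a test `preg_match()` before saving, and restrict who can edit that setting, since a permissive pattern silently widens which LDAP groups become roles.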
Comment #4
shanefjordan commented:

Thank you for the help, I will give that a try. I'll close the issue since all of my questions have been answered.