Does LDAP Integration sync a user's groups upon each login

bbeyer - June 18, 2008 - 17:08
Project:LDAP integration
Version:HEAD
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:closed
Issue tags:ldapgroups
Description

I have been testing LDAP integration and got it to work fine so far. A user logs in and it pulls down the groups they belong to from LDAP into Drupal. Now, if a user is removed from a group in LDAP, will they be removed from that role in Drupal? Our testing shows that is not the case. Is that how it is supposed to work? Is there a way to make it sync each time they log in? I just want to make sure I know the expected behaviour.

#1

shane_jordan - June 23, 2008 - 19:15

I am going through this same scenario. It did remove the group from my account in Drupal when I removed the group from my account in LDAP. The issue I'm having is that even though it removed that group from Drupal and LDAP for the user, the user still has the same permissions. It seems to me as though something may not be getting rebuilt with permissions, or something is not being deleted from a table.

Thanks,
Shane

#2

emeitner - October 22, 2008 - 19:51

This is the case for me with 5.x-1.3. The attached patch fixed it.
Config:
ldapgroups module:
Groups exist as LDAP entries where a multivalued attribute contains the members' CNs
Ldapauth module:
LDAP directory only

Attachment: ldapgroups.patch (854 bytes)

#3

johnbarclay - October 23, 2008 - 01:00

Note that the module keeps track of which groups were granted via ldap (it stores them in users.data field or $user->ldap_drupal_roles) and only removes those roles.

This is a good behavior. But it can be confusing if you have an existing role with some users associated with it then later map it to an LDAP group. Those who had the role granted by hand will not have the role revoked when they are removed from the LDAP group. The admin just needs to be aware of this.

#4

tcid - January 29, 2009 - 01:52

I have a similar issue with Drupal 6.9 and the 2008-10-14 dev module version on IIS and using Active Directory. Although adding a user to an AD group will update the user's assigned Drupal roles on the next login, it does not remove the role if the user has been removed from the AD group (even after logging out and logging back in again). Same behavior with 6.x-1.0-alpha2. Any guidance would be greatly appreciated.

#5

johnbarclay - January 29, 2009 - 02:05

What do the example authmap and user records look like in the database? They should be something like this:

authmap:

  aid  uid  authname  module
  3    39   jdoe      ldapauth

users (one column per line):

  uid:           39
  name:          jdoe
  pass:          bf2731sdfsdfsdfdb821363
  mail:          jdoe@uiuc.edu
  mode:          0
  sort:          0
  threshold:     0
  theme:         (empty)
  signature:     (empty)
  created:       1227073345
  access:        1227073345
  login:         1227073345
  status:        1
  timezone:      -21600
  language:      (empty)
  picture:       (empty)
  init:          jdoe@uiuc.edu
  data:          a:4:{s:17:"ldap_authentified";b:1;s:7:"ldap_dn";s:50:"CN=jdoe,OU=Campus Accounts,DC=ad,DC=uiuc,DC=edu";s:11:"ldap_config";s:1:"1";s:17:"ldap_drupal_roles";a:2:{i:0;s:15:"campus accounts";i:1;s:5:"author";}}
  timezone_name: America/Chicago
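As an added example (not code from the ldapgroups module), here is the reconciliation rule johnbarclay describes in #3, applied to data shaped like the users.data record in #5: only roles recorded in ldap_drupal_roles are revoked, so a role granted by hand survives even after the user leaves the matching LDAP group. The function name, the group-to-role map and the sample account are constructed for illustration.

```php
<?php
// Added example, not ldapgroups module code. Models the rule from #3: the module
// remembers which roles it granted (ldap_drupal_roles in users.data) and on each
// login revokes only those, so roles assigned by hand are left untouched.

/**
 * Reconcile a user's Drupal roles with their current LDAP groups.
 *
 * @param array $current_roles  Role names the user holds in Drupal right now.
 * @param array $ldap_granted   Roles granted by LDAP at the previous login
 *                              (the stored ldap_drupal_roles list).
 * @param array $ldap_groups    Group names the user belongs to in LDAP right now.
 * @param array $group_role_map LDAP group name => Drupal role name.
 * @return array 'roles' (new role list) and 'ldap_drupal_roles' (list to store).
 */
function ldapgroups_reconcile(array $current_roles, array $ldap_granted, array $ldap_groups, array $group_role_map) {
  // Roles LDAP justifies at this login.
  $wanted = array();
  foreach ($ldap_groups as $group) {
    if (isset($group_role_map[$group])) {
      $wanted[] = $group_role_map[$group];
    }
  }
  // Revoke only roles that LDAP granted last time and no longer justifies;
  // a role the user also holds by hand is not in $ldap_granted and is kept.
  $revoke = array_diff($ldap_granted, $wanted);
  $roles = array_diff($current_roles, $revoke);
  // Grant whatever LDAP now justifies, without duplicates.
  $roles = array_values(array_unique(array_merge($roles, $wanted)));
  return array('roles' => $roles, 'ldap_drupal_roles' => array_values($wanted));
}

// Constructed sample mirroring #5: jdoe previously received 'campus accounts'
// and 'author' via LDAP, and an administrator added 'editor' by hand. jdoe has
// since been removed from the 'Authors' group; 'Editors' maps to a role too,
// but jdoe was never in that group, so 'editor' counts as a hand-granted role.
$map = array(
  'Campus Accounts' => 'campus accounts',
  'Authors'         => 'author',
  'Editors'         => 'editor',
);
$result = ldapgroups_reconcile(
  array('authenticated user', 'campus accounts', 'author', 'editor'),
  array('campus accounts', 'author'),
  array('Campus Accounts'),
  $map
);
print_r($result);
```

The 'author' role is revoked because LDAP granted it and no longer justifies it, while the hand-granted 'editor' role stays, which is exactly the caveat in #3 an administrator has to keep in mind.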

#6

miglius - January 29, 2009 - 17:15
Status:active» postponed (maintainer needs more info)

#7

rmiddle - February 6, 2009 - 11:24

I am seeing the same problem with current CVS and 6.x-1.0-alpha2. It updates upon first login but doesn't update the roles when the LDAP tree changes. However, I see the same thing with the current stable release, so it might be a caching issue; I need to do some testing.

Thanks
Robert

#8

rmiddle - February 8, 2009 - 02:23

Additional information: I deleted the user and it was recreated with the correct roles, but the roles aren't updating unless I do something like wipe the account out. I confirmed that it is happening in both the 5.x and 6.x CVS, and in 6.x-1.x-alpha2.

Thanks
Robert

#9

shane_jordan - February 9, 2009 - 15:43

I think it needs to compare a user at login and check the old permissions to the new permissions. If the permissions are different, then it needs to rebuild the permissions for that user. This isn't bad when you're giving new permissions to someone, but when you take permissions away from someone this could be disastrous!

#10

rmiddle - February 9, 2009 - 15:57

shane_jordan,

Why would it be disastrous?

Thanks
Robert

#11

shane_jordan - February 9, 2009 - 17:43

Well, think of it this way. LDAP groups are used to maintain who has access to various parts of the website. As I add a person to a group, they receive additional access and everything works great. Now, if I remove someone from a group, it does not remove their access from the website and they can still access what they no longer have permission to. Based on what they have permissions to, this could be a major issue. For instance, did I just remove their permission to publish content? If I did, they don't have that permission any longer in LDAP, but they do in Drupal because the groups did not sync properly and remove the permission.

Thanks,
Shane

#12

rmiddle - February 9, 2009 - 18:38

shane_jordan,

I think I misread what you were saying in #9. I agree that not updating the roles is a major issue, both adding and removing. On my site, once a user logs in, their roles don't seem to update. It is just as bad for both adding and removing. I thought you were saying that updating the roles could have disastrous results, not that the process of updating the roles can have disastrous results.

Thanks
Robert

#13

shane_jordan - February 9, 2009 - 18:36

My site seems to work fine with adding new roles. I believe it even removes the roles, however, it does not rebuild the permissions!

#14

rmiddle - February 9, 2009 - 18:45

shane_jordan,

In my case, if I add a group to a user in AD, that new role doesn't always pass through to the Drupal user, resulting in issues with improper access. If I create a new group in AD, it will migrate to Drupal fine once a user in that group gets added, or it wins the lottery and updates the user info.

Thanks
Robert

#15

tdobbs - February 19, 2009 - 19:30

I too have an issue with this. I am using version 6.x-1.0-alpha2 and the groups don't seem to sync.

If I add a user to a new group in Active Directory, Drupal picks this up no problem when I login. However, if I remove a user from a group in Active Directory, Drupal does not recognize this change and the user still remains in that group within Drupal.

Is there something obvious I am missing to get this working?

#16

rmiddle - February 26, 2009 - 01:30

tdobbs,

If you missed it so did I. I wish we could figure out a fix for this.

Thanks
Robert

#17

shane_jordan - February 26, 2009 - 15:53

I've been testing this some trying to figure out what is happening. Through adding some additional watchdog statements, I have seen that the groups are being removed from the user at login. I believe the issue is with the node_access table and that permissions are not being removed from there. I will keep researching and post anything I find.

- Shane

#18

rmiddle - February 26, 2009 - 17:14

shane_jordan,

Why does the user editor not show the changes if the user account info still shows the role?

Thanks
Robert

#19

shane_jordan - February 26, 2009 - 18:43

My user account info is not showing the role after. I am having a user created that I can test with. As soon as I get something, I'll let you know.

#20

shane_jordan - February 27, 2009 - 04:24
Title:Does LDAP Integration sunc a user's groups upon each login» Does LDAP Integration sync a user's groups upon each login

#21

miglius - March 10, 2009 - 11:16

#22

miglius - March 11, 2009 - 14:42
Category:support request» bug report

Can you explain in more detail which permissions are not removed?

To test, I removed an LDAP user from the LDAP group x. On login to Drupal, the user was removed from the Drupal role x. Being in role x, the user used to have permission to edit content of type y, but now he does not have that right any more. So I think that node_access permissions are preserved.

I have tested on the latest dev version.

#23

miglius - March 16, 2009 - 10:51
Status:postponed (maintainer needs more info)» fixed

I'm closing this issue as it works correctly on my setup. Drupal roles corresponding to the LDAP groups are checked on each login, and the user is added to or removed from the Drupal roles based on his LDAP groups.

#24

System Message - March 30, 2009 - 11:00
Status:fixed» closed

Automatically closed -- issue fixed for 2 weeks with no activity.
