When the user logs in, Drupal puts him/her in a group by a regexp.

Comments

merilainen’s picture

Could you describe more in detail what you are about to or would like to implement? Are you using regexps to match something from a certain shib field and then add user to some specific group? I guess this would be useful with other modules.

What I need is to identify somehow if the user is a member of the staff or a student of university. Members of staff would get more rights.

bajnokk’s picture

Assigned: martoni » dorion
Status: Needs review » Active

[Adding missing specification]

[Edited according to implementation]

The idea is to implement a list of rules by which an administrator can assign Drupal roles to users automatically by use of Shibboleth attribute values.

An assignment rule is made of three fields:

  1. Attribute name: Name of the Shibboleth-derived attribute
  2. Value regexp: Regexp applied to (all) the value(s) of the Shibboleth-derived attribute
  3. Role: Drupal role which the user will get if the above regexp is evaluated true (to any value)

All these rules are evaluated at module initiation time. As a result, revoking a Shibboleth attribute would remove the Drupal role immediately.

It operates only on $user, not on the user database. This causes minimal performance degradation.

Additional roles can be assigned statically to the user (as an individual) by the administrator as normal.
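The rule evaluation specified above, sketched as an added example in plain PHP 7.1+; it is not the shib_auth module's code and does not use the Drupal API. The attribute names, role names, function names and the `;`-joined encoding of multi-valued attributes are assumptions made for illustration.

```php
<?php
// Constructed rules: [attribute name, value regexp, role].
$rules = [
    ['affiliation', '/^staff@example\.edu$/',     'staff'],
    ['affiliation', '/^student@example\.edu$/',   'student'],
    ['entitlement', '/^urn:example:cms:editor$/', 'editor'],
    // Unanchored pattern kept for contrast: it also matches "nonstaff@example.edu".
    ['affiliation', '/staff/',                    'unanchored-demo'],
];

// Assumption: multi-valued attributes arrive as one string joined by ';',
// with literal semicolons inside a value escaped as '\;'.
function shib_values(string $raw): array {
    $parts = preg_split('/(?<!\\\\);/', $raw);
    return array_map(function ($v) { return str_replace('\\;', ';', $v); }, $parts);
}

// Roles are recomputed from the current request's attributes on every call and
// merged into the in-memory role list only; nothing is written to the user table.
function roles_for_request(array $rules, array $attrs, array $static_roles): array {
    $granted = [];
    foreach ($rules as [$attr, $regexp, $role]) {
        if (!isset($attrs[$attr]) || $attrs[$attr] === '') {
            continue;                      // attribute absent: the rule cannot match
        }
        foreach (shib_values($attrs[$attr]) as $value) {
            if (preg_match($regexp, $value) === 1) {
                $granted[$role] = true;    // a match on any single value grants the role
                break;
            }
        }
    }
    // Statically assigned roles are kept as they are; rule roles only extend them.
    return array_values(array_unique(array_merge($static_roles, array_keys($granted))));
}

// Constructed request attributes, standing in for what the web server exposes.
$static = ['authenticated user'];
$attrs  = ['affiliation' => 'member@example.edu;nonstaff@example.edu'];
print_r(roles_for_request($rules, $attrs, $static));

// The attribute is no longer released: the next evaluation returns static roles only.
print_r(roles_for_request($rules, [], $static));
```

Anchoring each value regexp with `^` and `$` keeps a rule from granting a role on a partial match of an attribute value.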

martoni’s picture

Assigned: dorion » martoni
Status: Active » Needs review

I've extended the code with the given feature, please test it, and notify me if something is wrong.

merilainen’s picture

Where is the patch?

bajnokk’s picture

Released 6.x-3.0. Please test it - it works well at our site.

merilainen’s picture

Assigned: dorion » martoni
Status: Active » Needs review

I need 5.x version, are there many differences?

bajnokk’s picture

Quite a few.

See http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/shib_auth/?...

It's very unlikely that we will have time to port this feature to Drupal 5.x in the next couple of days (to be honest: this task is not yet scheduled). If you are able to do it, I'd be more than happy to merge your changes to the 5.x branch, if you send me the patch.

Terry.Monnett’s picture

Tested it and repeatedly got error warning about table shib_auth not existing - claimed it was trying to query the database shib_auth in 59 of shib_auth.module, which is a comment not a database query...

I reverted back to 2.2 and am having no problems with it.

fgasking’s picture

Same problem as Terry. The shib_auth table was not being created upon module install, so I had to manually build the table to get rid of the warning message.

I assume with regards to the role assignment functionality (Which is just what we've been looking for) - if I create a new rule, check a role in the list... if the rule validates and the user is shib authenticated, they will be assigned with that role? (And reverted back to default registered user?)

bajnokk’s picture

Terry.Monnett, fgasking: module update is not implemented currently, so in order to update DB table, you should uninstall/install the module.

If the table is not created on a fresh install, please file a bug report on that!

Update functionality is now being prepared, along with the documentation... :o

bajnokk’s picture

"I assume with regards to the role assignment functionality (Which is just what we've been looking for) - if I create a new rule, check a role in the list... if the rule validates and the user is shib authenticated, they will be assigned with that role? (And reverted back to default registered user?)"

I'm not sure if I understand it correctly. Yes, if a regexp matches on the value of the (user's) attribute, then the user is assigned with the role(s) you have given in the rule definition. It's a role extension, so if the user is assigned to other roles (with normal user rights management), then those roles are untouched by the module.

fgasking’s picture

Regarding the install/uninstall issue - I had previously had it installed to take a look, but then uninstalled it by disabling in the module list and then removing the directory. Before reinstalling the new version, I had updated to the most recent version of Drupal. Not sure if this is anything to do with it.

With regards to the role assignment - What we are hoping is that anyone who is shibboleth authenticated will have their default registered user role changed to a new defined role (with different permission attributes) which we have set up. By the sounds of things, the module is now offering just that - which is great! :)

However, if a user no longer had shibboleth authentication ... would their role get set back to the default as they log in? (Maybe this is a feature request?)

bajnokk’s picture

For upgrading the module, you should now properly uninstall it (run the uninstall part of the module). I suspect that was missing.

Role assignment: yes, it works as you described. If the user is logged in by some other way, she is not given any roles by the shibboleth module, though she may have other roles. You can easily write a rule that assigns a role to every user logged in with Shibboleth. (Depending on your Shibboleth configuration, it might be a regexp that asserts that the header 'Shib-Application-Id' is not empty. This is a Shib 2.x example.)

bajnokk’s picture

Status: Needs review » Closed (fixed)

Closing issue