Project: LDAP integration
Version: 6.x-1.x-dev
Component: Code
Category: feature request
Priority: normal
Assigned: benlangfeld
Status: needs work
Issue tags: drupal roles to ldap groups, extended_ldapgroups, ldapgroups

Issue Summary

Is it possible to sync in the opposite direction, between Drupal roles and LDAP groups? I want to use Drupal to manage users, and I need the ability to add/remove roles within Drupal and for these changes to be reflected in the group membership of the LDAP user.

Comments

#1

No, this is not supported.

#2

Will this be supported any time soon? This functionality is absolutely 100% essential to my implementation. If there are no plans to support this functionality (which, to be honest, seems like something that is essential), then what do you recommend as an alternative approach?

#3

Component: Documentation » Code
Category: support request » feature request

#4

Is there anyone who is prepared to tackle this? I would give it a go myself, but I really don't think I'd be able to manage it.

#5

Version: 6.x-1.0-alpha2 » 6.x-1.x-dev
Assigned to: Anonymous » benlangfeld

I'm going to give this a go myself soon. If there is anyone interested in helping out, it'd be great to hear from you. Otherwise, hopefully I'll be able to submit something for review here soon.

#6

Status: active » needs work

Attached is a patch that implements some skeleton functionality. There are many issues currently with this code, but it is working in our case so for now I must move on. Comments and suggestions greatly appreciated.

Attachment: ldapgroups-reverse-496662-6.patch (6.84 KB)

#7

I also have the need to create new roles in the Drupal side, and have the groups be created in LDAP. I'm thinking that the best way to do this is to implement hook_form_alter on the user_admin_role form and add new validation and submit handlers. The validation handler would make a call into LDAP to see if the group already exists. The submit handler would create the group.

I've attached a workflow that illustrates my idea.

This method would also be extended so that when roles are updated in the Drupal side, they could also be updated in LDAP.

What do you think?

Attachment: create_role.pdf (146.29 KB)
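
One way the validate/submit flow proposed in #7 could look for role creation, as an added example (not code from the attached patch or from any module in this thread). The module name `role2ldap`, the connection constants, the `role2ldap_bind_pw` variable and the groupOfNames layout are assumptions; `user_admin_new_role` is the add-role form ID in Drupal 6 core, and `ldap_escape()` needs PHP 5.6 or later.

```php
<?php
// Hypothetical module "role2ldap"; every constant below is a placeholder.
define('ROLE2LDAP_URI', 'ldaps://ldap.example.org');
define('ROLE2LDAP_BIND_DN', 'cn=drupal,ou=services,dc=example,dc=org');
define('ROLE2LDAP_GROUP_BASE', 'ou=groups,dc=example,dc=org');

/** Implementation of hook_form_alter() (Drupal 6): hook both role forms. */
function role2ldap_form_alter(&$form, $form_state, $form_id) {
  if ($form_id == 'user_admin_role' || $form_id == 'user_admin_new_role') {
    $form['#validate'][] = 'role2ldap_role_validate';
    $form['#submit'][] = 'role2ldap_role_submit';
  }
}

/** Opens an LDAPv3 connection bound as the service account, or returns FALSE. */
function role2ldap_connect() {
  $ds = ldap_connect(ROLE2LDAP_URI);
  if (!$ds) return FALSE;
  ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
  // The bind password lives in a Drupal variable (assumed name), not in code.
  return @ldap_bind($ds, ROLE2LDAP_BIND_DN, variable_get('role2ldap_bind_pw', '')) ? $ds : FALSE;
}

/** Validation handler: reject a new role whose group already exists in LDAP. */
function role2ldap_role_validate($form, &$form_state) {
  if ($form_state['values']['op'] != t('Add role')) return;
  if (!($ds = role2ldap_connect())) {
    form_set_error('name', t('Could not reach the LDAP server.'));
    return;
  }
  // The role name is user input: escape it before it enters a search filter.
  $cn = ldap_escape($form_state['values']['name'], '', LDAP_ESCAPE_FILTER);
  $res = ldap_search($ds, ROLE2LDAP_GROUP_BASE, "(&(objectClass=groupOfNames)(cn=$cn))", array('cn'));
  // Fail closed: a failed lookup blocks the role just like an existing group.
  if ($res === FALSE || ldap_count_entries($ds, $res) > 0) {
    form_set_error('name', t('An LDAP group with this name exists or could not be checked.'));
  }
  ldap_unbind($ds);
}

/** Submit handler: create the group entry after core has saved the role. */
function role2ldap_role_submit($form, &$form_state) {
  if ($form_state['values']['op'] != t('Add role') || !($ds = role2ldap_connect())) return;
  $name = $form_state['values']['name'];
  // DN escaping differs from filter escaping, so the DN is built separately.
  $dn = 'cn=' . ldap_escape($name, '', LDAP_ESCAPE_DN) . ',' . ROLE2LDAP_GROUP_BASE;
  // groupOfNames requires at least one member, so seed it with the service DN.
  $entry = array('objectClass' => array('top', 'groupOfNames'), 'cn' => $name, 'member' => ROLE2LDAP_BIND_DN);
  if (!ldap_add($ds, $dn, $entry)) {
    watchdog('role2ldap', 'ldap_add failed: @err', array('@err' => ldap_error($ds)), WATCHDOG_ERROR);
  }
  ldap_unbind($ds);
}
```

The service account used for the bind only needs search and add rights under the group base, which keeps the Drupal side from being able to modify unrelated directory entries.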

#8

So - I hacked up the ldapgroups module and have Role integration working with LDAP groups (mostly - it works when configured with groups as entries). Through the standard admin role forms, I can create new roles in both Drupal and LDAP, edit/update roles in both, and delete roles in both. I also added a function to import all existing groups from LDAP as Drupal roles.

Unfortunately, the architecture of this module is less than ideal, and there's a lot of cross-functionality between ldap_integration and ldap_provisioning.

I'll post some code shortly...

#9

I refactored my code so that it is all completely contained within a separate module called "extended_ldapgroups". While this isn't really ideal in the long run, it's a good starting point for people who need this functionality right away without having to hack up a contributed module. What I'd really like to see is that this code, or a better version of this code, get merged into the ldapgroups module.

Here's what my module supports:

- Role creation, via the core Drupal roles admin form, synchronized as groups in LDAP
- Added group creation LDIF template to the LDAP provisioning form
- Role updates, via the core Drupal roles admin form, synchronized as groups in LDAP
- Role deletes, via the core Drupal roles admin form, synchronized as groups in LDAP
- Mass LDAP group imports as Drupal roles
- Group membership updates when roles for a user are granted and/or revoked in Drupal via the core Drupal user form

CAVEAT: This module only supports configurations where groups are entries. I just haven't gotten to the other possible configuration options yet.

Attachment: extended_ldapgroups-6.x-1.0-dev.tar_.gz (4.83 KB)

#10

+1 on this code going into ldapgroups although I see no reason why, even in short run, this couldn't be included as LDAP Groups Bonus or the like. Bottom line is the functionality this creates is a constant request. This is a huge step forward. Go Erich!

#11

I have added more features to the module. Instead of posting another tarball here, I've created a new project for this. I did contact the maintainer, but haven't gotten a response yet.

This module can now be found at http://drupal.org/project/extended_ldapgroups.

#12

So did any of my code get used? I tried contacting miglius on a few occasions and never got any response.

#13

I never got a response either. I also didn't use any of your code. First, it was written as a patch, and second, you said there were problems with the code. :)

#14

Drupal 7 has a hook_user_role_insert function that will make this a little easier to manage.

#15

I added this to the ldap project d7 (http://drupal.org/project/ldap) issue queue also #968594: LDAP Authorization: provision drupal roles to ldap "groups" as a feature request.

The way the API is set up there, this should be easy to implement provided the reverse mapping is doable.
