Assigning roles based on attribute instead of group
| Field | Value |
|---|---|
| Project: | LDAP integration |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
| Issue tags: | ldapgroups |
Hey there --
This feature would be very helpful to our organization -- perhaps others would find it so as well? Here's our situation:
Our Active Directory has several user attributes that we would like to be able to assign specific permissions to. We're a university, so, for example: we have an AD attribute "Classifcation." It can have the values "Undergraduate", "Graduate", "Faculty", "Staff". We would like users with the attribute "Undergraduate" to be assigned to one security role, "Graduate" to a separate security role, etc.
Is this possible? If there is maintainer/user interest in making such a feature, if it's not already easily done, we would be open to discussing sponsoring such a feature.
Thanks!

#1
The current implementation does not support mapping Drupal roles to LDAP attributes.
#2
We'd be interested in sponsoring such a feature... is there interest in that?
#3
subscribe
#4
Reading again the issue, you might try configuring the "Group by attribute" setting, maybe it will fit your needs?
#5
Look at section 2 of http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduper.... That is what we are probably going after. There would be multiple attributes from which we would like to create roles, and some of the attributes will be multivalued.
#6
@Andrew
You can do this currently using the LDAP group module and setting the 'Group by attribute' checkbox on the page 'admin/settings/ldapgroups/edit/1' (You may need to change '1')
Set 'Attribute names (one per line): ' to the attribute you want to use to assign roles. I'm using "memberOf". You'd want to use 'Classifcation'.
@Aren
The same should apply for you as well: put 'eduPersonPrimaryAffiliation' (or whatever attribute you want to use) into the box after 'Attribute names (one per line):'.
#7
The current implementation is limited to one attribute.
#8
So is the label text incorrect?
'Attribute names (one per line):'
Should it be changed to
'Attribute name (at most one):'
#9
I don't know how much 6.x differs from 5.x, but I have submitted a patch to 5.x-1.5, that introduces a hook, so anyone can easily write their own weird group detection scheme in their own module without bloating the ldap_integration code.
I wrote it because we had to get groups from users with the same cn but a different dn. Useful for us but not something everybody is waiting for. Hence the hook_detect_ldapgroups.
Perhaps someone can port it upstream.
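As an added illustration of what a role-detection hook like the one described in #9 could do for the multi-attribute, multi-valued case raised in #5 and #7, here is example code that is not part of the ldap_integration module or the patch mentioned above. The hook signature (`mymodule_detect_ldapgroups($ldap_user)` receiving an entry in the shape returned by PHP's `ldap_get_entries()`) and the sample entry are assumptions; the attribute names and values are constructed for the example. The mapping is an explicit allow-list: attribute values that are not listed grant no role, so an unexpected or attacker-influenced attribute value cannot produce a privileged role.

```php
<?php
// Added example, not code from the ldap_integration module or the 5.x patch.
// Assumed hook: mymodule_detect_ldapgroups($ldap_user) returns an array of
// Drupal role names for the user; the real signature is not shown in the thread.

// Allow-list mapping: LDAP attribute (lower-case, as ldap_get_entries() keys
// them) => (normalised attribute value => Drupal role name).
// Attribute values not present here map to nothing (deny by default).
function mymodule_attribute_role_map() {
  return array(
    'classification' => array(
      'undergraduate' => 'undergraduate',
      'graduate'      => 'graduate',
      'faculty'       => 'faculty',
      'staff'         => 'staff',
    ),
    // Multi-valued attribute: a user may carry several affiliations at once.
    'edupersonaffiliation' => array(
      'student'  => 'student',
      'employee' => 'employee',
      'member'   => 'member',
    ),
  );
}

// Derive the set of Drupal role names from one LDAP user entry.
// $entry follows the ldap_get_entries() layout: attribute names are lower-case
// keys, each value list is an array that also carries a 'count' element.
function mymodule_roles_from_ldap_entry(array $entry) {
  $roles = array();
  foreach (mymodule_attribute_role_map() as $attr => $value_map) {
    if (!isset($entry[$attr])) {
      continue; // attribute absent for this user: grants nothing
    }
    $values = is_array($entry[$attr]) ? $entry[$attr] : array($entry[$attr]);
    unset($values['count']); // drop the bookkeeping element added by ldap_get_entries()
    foreach ($values as $value) {
      $key = strtolower(trim($value)); // normalise case/whitespace before lookup
      if (isset($value_map[$key])) {
        $roles[$value_map[$key]] = TRUE; // keyed array de-duplicates roles
      }
    }
  }
  return array_keys($roles);
}

// Assumed hook implementation wiring the mapping into group detection.
function mymodule_detect_ldapgroups($ldap_user) {
  return mymodule_roles_from_ldap_entry($ldap_user);
}

// Constructed sample entry in ldap_get_entries() layout, for a stand-alone run.
$sample_entry = array(
  'dn' => 'CN=Example User,OU=People,DC=example,DC=edu',
  'classification' => array('count' => 1, 0 => 'Undergraduate'),
  'edupersonaffiliation' => array('count' => 3, 0 => 'student', 1 => 'member', 2 => 'alum'),
);
print_r(mymodule_detect_ldapgroups($sample_entry));
```

Running the block as a script prints the roles derived for the constructed entry; note that the unlisted value "alum" contributes nothing, which is the intended deny-by-default behaviour. Role names returned here would still need to be matched against the site's actual roles by whatever code consumes the hook.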