The current ldap_integration module for 4.7.3 maps a user's existing LDAP groups into Drupal roles. In addition, all of the groups a user belongs to are converted into Drupal roles. Alternatively, one can edit ldapgroups.conf.php to specify Drupal role names for specific LDAP groups.

However, in enterprise Active Directory installations, it is very common for a user to belong to a very large number of groups, several of which are used by back-office services (VOIP/Security Services etc.). It becomes desirable to specify exactly which groups even get converted into Drupal roles.

The ldapgroups.module code has this section:

// Next, we apply site-specific rules
  if (function_exists('ldapgroups_roles_filter')) {
    $roles = ldapgroups_roles_filter($roles);
  }

I am assuming that the author envisions site-specific filters being placed in there, although there is no documentation to that effect.

I wrote this small function for ldapgroups_roles_filter to achieve the above. This function will ONLY create the roles specified in ldap_group_role_mappings, defined in ldapgroups.conf.php:

function ldapgroups_roles_filter($roles) {
        global $ldap_group_role_mappings;
        $newroles = array();
        // Take the roles array, pass it through the filter and send a NEW set of roles back.
        foreach ( $roles as $role ) {
                // array_search() returns the matching key, which can itself be falsy (0 or ''),
                // so "not found" has to be tested with a strict comparison against FALSE.
                if ( array_search($role, $ldap_group_role_mappings) !== FALSE ) {
                        // this role is specified -- grant
                        $newroles[] = $role;
                }
        }
        return $newroles;
}

Hope this helps.

kreaper
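
An added example, not part of the original post or the module's code: the same allow-list filter run stand-alone on constructed data, showing why the result of array_search() is compared strictly against FALSE. The function name example_roles_filter, the group DNs, the role names and the "LDAP group DN => Drupal role" shape of the mapping are assumptions.

```php
<?php
// Constructed sample data. The shape (LDAP group DN => Drupal role name) is an
// assumption about ldapgroups.conf.php, which the post does not show.
$ldap_group_role_mappings = array(
  'cn=web-editors,ou=Groups,dc=example,dc=com' => 'editor',
  'cn=web-admins,ou=Groups,dc=example,dc=com'  => 'site admin',
);

// Hypothetical stand-alone version of the filter: keep only roles that appear
// as a value in the allow-list, drop everything else.
function example_roles_filter($roles, $allowed) {
  $kept = array();
  foreach ($roles as $role) {
    // array_search() returns the matching KEY. The third argument makes the
    // value match strict, and !== FALSE keeps a hit at key 0 or '' from being
    // mistaken for "not found".
    if (array_search($role, $allowed, TRUE) !== FALSE) {
      $kept[] = $role;
    }
  }
  return $kept;
}

// Roles as they might look after every AD group was turned into a role
// (constructed): two wanted roles plus back-office groups.
$roles = array('editor', 'voip-users', 'badge-access', 'site admin');

// Filter against the DN => role mapping.
print_r(example_roles_filter($roles, $ldap_group_role_mappings));

// Filter against a plain list, where 'editor' sits at key 0.
print_r(example_roles_filter($roles, array('editor', 'site admin')));

// The loose form of the test: the search succeeds with key 0, and 0 != FALSE
// evaluates to false, so a loose check would silently drop 'editor'.
var_dump(array_search('editor', array('editor', 'site admin')) != FALSE);
```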

Comments

rblomme@drupal.org

This works for my site too.
Thank you very much.

kreaper

Version: 4.7.x-1.x-dev » 5.x-1.0
Assigned: Unassigned » kreaper
Status: Needs review » Closed (fixed)

code adopted in 5.x & HEAD