Not sure if this is overkill or not, but in the D7 version I made a hook for ldap modules to say what they did with an ldap server. Then in the server admin page, I added checkboxes for allowing other modules to use the ldap server configuration.

Its unclear to me if this just confuses things and if people are likely to store multiple ldap server configurations and limit which ones are used by which modules.

But from a site admin point of view it would be nice to be able to make this distinction.

Comments

retsamedoc’s picture

retsamedoc commented

How would you store this extra data? Remember we can (and should) only use standard Drupal DB access and Schema API.

johnbarclay’s picture

johnbarclay commented

The simplest way is a column in the ldap server table that holds an array of module names which are allowed to use the server.

retsamedoc’s picture

retsamedoc commented

Fair enough, but we should really try to reduce the use of serialized arrays in the database. Injecting PHP in the DB like that is not good.

netw3rker’s picture

netw3rker commented

At first read I though this was similar to apps from google market (for android phones) in which they have to publicly declare what they want to interface with (eg: this app needs access to your contacts). Where in this case the module would say "this module wants to query ldap connections".

On second read though I see what you are saying about "this module should be allowed to query these connections, but not these". I'm not sure if this is a role I see the API providing rather than any modules providing. One of the big challenges with this will be having the API determine who the accessing module is. it would effectively require that every module provide a "who I am" hook response (for configuration), and during each ldap api call pass in some kind of "who am I" parameter.

the next concern about this is, how does the configuration happen? lets say that on site-x there are 30 connections (heaven help the people who try that) and the maintainers decide that now there should be a new ldap accessing module that will work with all of them. do they then go into each of the 30 connections and check each module (or un check depending on whether we opt for opt-out)? Or do they go to a configuration screen for that module (maybe a submenu of ldap now) and select which connections it is(or isn't) allowed to use? Now that you've answered that in your head... what happens when you add one more connection? :)

It sounds really cool to have, but I dunno if it has a huge amount of value, so I'm a bit ambivalent on it. If we do provide it I would say we should have a slightly bigger conversation about how ldap modules will expose their configuration screens in general which will in turn dictate where these settings are. At a minimum, if this goes forward we should absolutely have an opt-in/opt-out control that is set by module or connection (depending on the direction this goes) so that the behavior for new modules or connections is what the maintainer expects.

-Chris

johnbarclay’s picture

johnbarclay commented
Status: Active » Closed (fixed)

Lets not add features that aren't compelling, especially to the api. I'm changing the status to "closed".

It really doesn't seem useful unless someone doesn't trust the modules they have enabled.