When I have extended ldap groups enabled I lose the ability to create roles (and therefore ldap groups).
I have two development sites, one wired to open ldap and the other to AD.
I have configured the ldap so that each group exists as an ldap entry with multivalued attributes containing member CNs (i.e. the group has a list of uniquemembers and uniquemember is a required attribute).
In the provisioning setup, I have the Basic LDAP group attributes:
cn: !group_name
description: !group_name
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: !members
With the AD site, if I create a role in Drupal then a group is created in the AD, and the cn of the first uniquemember written to the ldap is literally "!members" (I can add members to the group by changing user roles in drupal after this is set up, no problem).
However, on the openldap side, I can't create a role and I am thinking that's because there is no uniquemember populated. It doesn't create the role, but it doesn't give any error message either. I can create the group manually in the ldap so there is no problem with the account manager.

On what might be a related note, each time a user registers at the site, they should automatically be assigned to a "registered users" role in the ldap based on their status as a drupal authenticated user, but this isn't happening. I have set up the mapping of ldap groups to drupal roles as:
cn=registeredUsers,ou=groups,ou=system|authenticated user
Even when I use the Account Manager to create a user and assign that user to an existing group/role as I am creating the account, they are not written to the list of members in the group, although I can reassign a role and they are added to the group after their account has been created.
I need all drupal authenticated users to be automatically added as members of an existing ldap group so that I can use CAS to authenticate them to another application. I am beginning to wonder if I need to write a trigger or rule (http://drupal.org/node/788100) assigning them to a new role when they log in, but I thought this would be redundant and I wasn't sure if using a rule to assign a role would get the user cn pushed to the ldap group membership.

Any thoughts?

Comments

kapayne

Follow-up: I used the Rules module to create a rule to automatically assign every user to a role when the account is created or when they log in. The user is successfully assigned to a role in Drupal, but provisioning does not add them to the corresponding group in ldap. How can I trigger this automatically?

ebeyrent

Assigned: Unassigned » ebeyrent
kapayne

We were in a bit of a desperate deadline situation so we came up with a solution that isn't nearly as elegant as your module but for what it's worth here it is.
We used the Rules module to assign all authenticated users to a new role when they create an account. The role and associated ldap group already exist.
We added a new case statement to Extended Groups: when a user logs in it sends an array of their current role memberships to the ldap - the original Extended Groups actually does a comparison when the user is updated in Drupal and it writes or removes users from groups based on that difference, our hack just sends the roles every time the user logs in (like I said, not pretty...). We didn't write anything that would automatically remove a user from a group for any trigger.

The new case statement, inserted in the hook_user section after it manages the role changes and blocking, after line 76:

    // Added by MP on 8/27/2010
    case 'login':
      // At login, send the roles to extended_ladpgroups_add_group_membership,
      // since some roles are being added directly in the db
      if (array_key_exists('roles', $edit)) {
        $roles_added = array_keys($account->roles);
        if (!empty($roles_added)) {
          extended_ladpgroups_add_group_membership($account, $roles_added);
        }
      }
      break;

We just got this working and did preliminary testing - I'll be doing more thorough testing next week and let you know if I learn anything. If I didn't say it before, thanks for the module, it's really vital to our project. Although I'm still stumped on why I can't create roles when Extended Groups is on but that's workable...
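The comment above describes two sync strategies: the original Extended Groups behaviour, which compares the user's roles against the directory on update and adds or removes group memberships from the difference, and the login hack, which only ever adds. The following Python is an added example (not code from the module or from this poster) that makes the difference concrete: it plans the add/remove set for one user against a constructed in-memory directory, and shows that the add-only push leaves a membership in place after the role has been removed in Drupal. The role-to-group mapping, the user DNs and the dummy member DN are constructed sample values.

```python
"""Role-to-group sync planner: computes which LDAP group memberships to add or
remove for one user so the directory matches the user's Drupal roles.

Added example in Python, not code from the Extended LDAP Groups module.  The
role-to-group mapping, the user DNs and the in-memory directory are
constructed sample data; a real deployment would read and modify the LDAP
server instead of a dict.
"""

# Constructed mapping from Drupal role name to LDAP group DN (assumption: the
# same kind of mapping the provisioning setup holds).
ROLE_TO_GROUP = {
    "authenticated user": "cn=registeredUsers,ou=groups,ou=system",
    "editor": "cn=editors,ou=groups,ou=system",
}

# Constructed placeholder member that keeps every groupOfUniqueNames non-empty.
DUMMY_MEMBER = "uid=dummy,ou=people,dc=example,dc=com"


def plan_group_sync(user_dn, drupal_roles, directory, role_to_group=ROLE_TO_GROUP):
    """Return (to_add, to_remove): group DNs the user must join or leave.

    Only groups present in role_to_group are considered, so a group the
    module does not manage is never touched.
    """
    wanted = {role_to_group[r] for r in drupal_roles if r in role_to_group}
    managed = set(role_to_group.values())
    current = {g for g, members in directory.items()
               if user_dn in members and g in managed}
    return sorted(wanted - current), sorted(current - wanted)


def apply_plan(user_dn, directory, to_add, to_remove):
    """Apply a plan to the in-memory directory (stands in for LDAP modify)."""
    for g in to_add:
        directory.setdefault(g, {DUMMY_MEMBER}).add(user_dn)
    for g in to_remove:
        directory[g].discard(user_dn)
        # Never leave the group empty: groupOfUniqueNames requires uniqueMember.
        if not directory[g]:
            directory[g].add(DUMMY_MEMBER)
    return directory


def push_all_roles_on_login(user_dn, drupal_roles, directory, role_to_group=ROLE_TO_GROUP):
    """The 'send every role at login' approach from the thread: adds only, so a
    role removed in Drupal is never removed from the directory."""
    to_add, _ = plan_group_sync(user_dn, drupal_roles, directory, role_to_group)
    return apply_plan(user_dn, directory, to_add, [])


def sample_directory():
    """Constructed directory state: group DN -> set of uniqueMember DNs."""
    return {
        "cn=registeredUsers,ou=groups,ou=system": {DUMMY_MEMBER},
        "cn=editors,ou=groups,ou=system": {
            DUMMY_MEMBER, "uid=alice,ou=people,dc=example,dc=com"},
    }


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    # Alice lost the editor role in Drupal: she should join registeredUsers
    # and leave editors.
    print(plan_group_sync(alice, ["authenticated user"], sample_directory()))
```

The diff-based plan is also what a periodic reconciliation job would run, so a role revoked while the user was not logging in still gets removed from the group.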

ebeyrent

I am sorry that the module isn't behaving as expected. I'll do some debugging and see what's going on. Unfortunately, one of the limitations of this module is that it doesn't support all of the possible LDAP schemas. It's been on my todo list for a while now, but I haven't gotten to it yet.

It would help me out tremendously if you could DM me your LDAP schema so that I can figure out why it's not working for your configuration.

Thanks for your kind words!

kapayne

Sorry I haven't sent the schema yet - my ldap interface is far too simplistic - just wanted to let you know I'm working on it - thanks.

barickx

fyi,

I also had the same issue when using the following ldif template

cn: !group_name
description: !group_name
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: !members

when looking at the log of openldap I saw the following error:
Sep 22 14:43:30 delphi slapd[1862]: conn=197 op=1 RESULT tag=105 err=21 text=uniqueMember: value #0 invalid per syntax

Probably, when creating a groupOfUniqueNames you have to supply at least one uniqueMember; if not, the group will not be created on ldap and thus not on drupal. I just created a dummy user in my ldap and added this as default uniqueMember to my template:

objectClass: groupOfUniqueNames
objectClass: top
cn: !group_name
description: !description
uniqueMember: uid=dummy,ou=people,dc=example,dc=com

hope this helps
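The slapd log line above (err=21 is invalidAttributeSyntax) and the "!members" value literally written to AD earlier in the thread are both template problems that can be caught before the add is sent. The following Python is an added example, not the module's provisioning code: it parses a template of the same shape as the one quoted above, substitutes the "!name" placeholders, and then checks that the entry has a cn, that every uniquemember value looks like a DN, and that a groupOfUniqueNames entry carries at least one valid uniqueMember. The template text, the substitution values and the loose DN regex are constructed here; the regex is an assumption good enough for the DNs in this thread, not a full RFC 4514 parser.

```python
"""Pre-flight check of a group provisioning LDIF template.

Added example in Python, not the module's own code.  It catches the two
failures seen in the thread: an unsubstituted '!members' placeholder (which
some servers store literally) and a groupOfUniqueNames entry with no
syntactically valid uniqueMember DN (which OpenLDAP rejects with err=21).
"""
import re

# Loose DN check: attr=value pairs separated by commas.  Assumption: good
# enough for the DNs in this thread; not a full RFC 4514 parser.
_DN_RE = re.compile(
    r"^\s*[A-Za-z][\w-]*=[^,=]+(\s*,\s*[A-Za-z][\w-]*=[^,=]+)*\s*$")

# Attributes the directory expects to carry a DN value.
DN_ATTRS = {"uniquemember", "member"}


def parse_ldif_template(text):
    """Return (attribute, value) pairs in order; blank and '#' lines skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def render(pairs, values):
    """Substitute '!name' placeholders.

    A placeholder bound to a list expands to one line per element, and a
    placeholder bound to an empty list is dropped rather than written
    literally.  A placeholder with no binding is kept for the checker.
    """
    out = []
    for attr, value in pairs:
        if not value.startswith("!"):
            out.append((attr, value))
            continue
        key = value[1:]
        if key not in values:
            out.append((attr, value))
        elif isinstance(values[key], (list, tuple, set)):
            out.extend((attr, item) for item in values[key])
        else:
            out.append((attr, values[key]))
    return out


def check_group_entry(pairs):
    """Return a list of problems; an empty list means the entry should be accepted."""
    problems = []
    classes = {v.lower() for a, v in pairs if a.lower() == "objectclass"}
    for attr, value in pairs:
        if value.startswith("!"):
            problems.append(f"{attr}: unsubstituted placeholder {value!r}")
        elif attr.lower() in DN_ATTRS and not _DN_RE.match(value):
            problems.append(f"{attr}: value {value!r} is not a DN")
    if "groupofuniquenames" in classes:
        valid = [v for a, v in pairs
                 if a.lower() == "uniquemember" and _DN_RE.match(v)]
        if not valid:
            problems.append(
                "groupOfUniqueNames needs at least one valid uniqueMember")
    if not any(a.lower() == "cn" for a, _ in pairs):
        problems.append("missing cn")
    return problems


# Constructed template, same shape as the one quoted in the thread.
TEMPLATE = """\
cn: !group_name
description: !group_name
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: !members
"""


def check_template(template, values):
    """Render the template with the given values and check the result."""
    return check_group_entry(render(parse_ldif_template(template), values))


if __name__ == "__main__":
    # No members bound at all: the literal '!members' would be sent.
    print(check_template(TEMPLATE, {"group_name": "voters"}))
    # Dummy member DN bound: the entry passes.
    print(check_template(TEMPLATE, {
        "group_name": "voters",
        "members": ["uid=dummy,ou=people,dc=example,dc=com"]}))
```

Running the check before the first role is provisioned makes the silent failure described earlier in the thread visible on the Drupal side instead of only in the slapd log.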

diaxpro

subscribed...

kapayne

I love this idea - hand hitting forehead "of course!"
Worked like a charm thanks.
Word to the wise - I couldn't have both the dummy
uniquemember: cn=dummy,ou=people,dc=example,dc=com
and the generic
uniquemember: !members
in the same ldif - I had to remove the !members - which makes sense
thank you!!

ebeyrent

Looks like I might need some better documentation...

terminus

Sorry, but I'm lost. I'm using "Group by attribute", so the group is just made up dynamically of whoever carries the right attribute. I presume, then, that my LDAP group doesn't need to be specified in the provisioning setup... is that right? In my case the group will be everyone who has "employeeType = Voter".

As per this bug, I couldn't add a new role called "Voter". Since the workaround in comment #6 doesn't seem to be relevant to "Group by attribute", I tried a different workaround. I disabled the module, added the role, then enabled the module again. Then I tried to add a user to the new role... no dice. They are added to the role in Drupal, but the change is not reflected in LDAP.

What do I need to do so that I can add an LDAP attribute to my users by adding them to a Drupal role?