I tried to set up ldap group to drupal role mapping using the "Convert full dn to value of first attribute before mapping", but the result was that no roles were mapped.

I ran the tests and they confirmed that the groups are there for the user that I'm testing with.
They also confirmed that the filtering was working as I expected, stripping off the CN= and everything after the first attribute.

However the final mapping results section is empty.

If I turn off the "Convert full dn to value of first attribute before mapping" and use the full DN then the mapping works fine.

Attachment (#4): ldap-firstattr-1842630-4.patch (953 bytes), by claar

Comments

johnbarclay:

Version: 7.x-2.0-beta1 » 7.x-2.x-dev
johnbarclay:

Can you try this against the current 7.x-2.x-dev code? It resolves a number of issues. See http://drupal.org/node/1115704#comment-6804496

johnbarclay:

Status: Active » Closed (cannot reproduce)
claar:

Status: Closed (cannot reproduce) » Needs review
Attached: ldap-firstattr-1842630-4.patch (953 bytes)

I am able to reproduce this in both 7.x-2.0-beta3 and 7.x-2.x-dev; testing on admin/config/people/ldap/authorization/test/drupal_role with "Convert full dn to value of first attribute before mapping" enabled reproduces this; no mapping is performed with this feature enabled.

The attached patch fixes the problem for us; hopefully it's the right way to fix this.

johnbarclay:

Status: Needs review » Postponed (maintainer needs more info)

Thanks for the patch. I'm not sure if this is the correct way to fix this, since it's an indication of a problem elsewhere. Can you test against current 7.x-2.x-dev and see if this is resolved?

claar:

Status: Postponed (maintainer needs more info) » Needs review

Patch in #4 still applies against current 7.x-2.x-dev, and the "Convert full dn to value of first attribute before mapping" feature is completely broken without it, works fine with it. Testable via the authorization self-test feature.

Here's exactly how the code is broken:

// This is ldap_authorization.inc in current 7.x-2.x-dev 
// NOTE: both $key and $authorization_id contain the full DN of the LDAP object
//
183     /** make sure keys of array are lower case and values are mixed case
184       and strip to first attribute is configured
185     */
186     foreach ($proposed_ldap_authorizations as $key => $authorization_id) {
187       if ($consumer->consumerConf->useFirstAttrAsGroupId) {
188         $attr_parts = ldap_explode_dn($authorization_id, 0);
189         if (count($attr_parts) > 0) {
190           $first_part = explode('=', $attr_parts[0]);
191           if (count($first_part) > 1) {
192             $authorization_id = ldap_pear_unescape_dn_value(trim($first_part[1]));
193           } // claar: $authorization_id now contains the first attr
194         }
195       }
196       $proposed_ldap_authorizations[drupal_strtolower($key)] = $authorization_id;
//
// Now the $proposed_ldap_authorizations array is indexed by full DN, value is first-attr
//
// Later in the same file, only the array keys (full DN) are used to filter,
// regardless of useFirstAttrAsGroupId setting
//
233         if (isset($proposed_ldap_authorizations[drupal_strtolower($map_from)])) {
// ...
247           $map_from_key = array_search(drupal_strtolower($map_from), array_keys($proposed_ldap_authorizations));

I see two possible solutions:

  1. Make the filtering aware of the useFirstAttrAsGroupId option, searching the values of $proposed_ldap_authorizations instead of its keys
  2. Change $proposed_ldap_authorizations to be indexed by first-attr instead of full DN when useFirstAttrAsGroupId is set.

Patch in #4 implements solution #2. I've tested for other potential side-effects, such as whether capitalization is retained as-entered in the filter, and have found none.
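The following is an added illustration of the array handling claar describes; it is not code from the LDAP module or from the patch. It rebuilds $proposed_ldap_authorizations the way the loop in ldap_authorization.inc does (key = lower-cased full DN, value = first attribute when the option is on), then runs the key-only lookup the filter performs, once with the original keying and once with the keying from patch #4. Assumptions: first_rdn_value() is a simplified stand-in for ldap_explode_dn() plus explode('=') plus ldap_pear_unescape_dn_value() so the script runs without ext/ldap (it handles backslash-escaped characters but not the \XX hex form); strtolower() stands in for drupal_strtolower(); mapping rows are given as [map_from, role] pairs instead of the module's "group|role" text lines; the group DNs and mapping rows are constructed sample data.

```php
<?php
// Added illustration, not code from the LDAP module or the issue's patch.

/**
 * Value of the first RDN of a DN. Simplified stand-in for the
 * ldap_explode_dn() / explode('=') / ldap_pear_unescape_dn_value()
 * sequence in ldap_authorization.inc (assumption: backslash escapes only).
 */
function first_rdn_value(string $dn): string
{
    $rdns = [];
    $cur = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $c = $dn[$i];
        if ($c === '\\' && $i + 1 < $len) {   // "\," inside a value is not a separator
            $cur .= $dn[++$i];
            continue;
        }
        if ($c === ',') {                      // RDN boundary
            $rdns[] = $cur;
            $cur = '';
            continue;
        }
        $cur .= $c;
    }
    $rdns[] = $cur;
    $pair = explode('=', $rdns[0], 2);
    // Mirror the original: only strip to the value when "attr=value" is present.
    return count($pair) > 1 ? trim($pair[1]) : trim($rdns[0]);
}

/**
 * Build the proposed-authorization array.
 * $use_first_attr corresponds to useFirstAttrAsGroupId; $patched selects the
 * keying from patch #4 (key = shortened value) instead of key = full DN.
 */
function build_proposed(array $group_dns, bool $use_first_attr, bool $patched): array
{
    $proposed = [];
    foreach ($group_dns as $dn) {
        $authorization_id = $use_first_attr ? first_rdn_value($dn) : $dn;
        $key = ($use_first_attr && $patched) ? $authorization_id : $dn;
        $proposed[strtolower($key)] = $authorization_id;   // strtolower stands in for drupal_strtolower
    }
    return $proposed;
}

/**
 * Apply mapping rows [map_from, role] the way the filter does: only the
 * array keys are consulted, regardless of the first-attribute setting.
 */
function map_roles(array $proposed, array $mappings): array
{
    $roles = [];
    foreach ($mappings as [$map_from, $role]) {
        if (isset($proposed[strtolower($map_from)])) {
            $roles[] = $role;
        }
    }
    return $roles;
}

// Constructed sample data (not from the issue): three groups, two of which share
// a CN in different OUs, and mapping rows written with the first-attribute option on.
$group_dns = [
    'CN=Drupal Admins,OU=Web,DC=example,DC=com',
    'CN=Site\, Editors,OU=Web,DC=example,DC=com',          // escaped comma inside the CN
    'CN=Drupal Admins,OU=Contractors,DC=example,DC=com',   // same CN, different OU
];
$mappings = [
    ['Drupal Admins', 'administrator'],
    ['Site, Editors', 'editor'],
];

$unpatched = build_proposed($group_dns, true, false);
$patched   = build_proposed($group_dns, true, true);

printf("unpatched keys: %s\n", json_encode(array_keys($unpatched)));
printf("unpatched roles: %s\n", json_encode(map_roles($unpatched, $mappings)));
printf("patched keys:   %s\n", json_encode(array_keys($patched)));
printf("patched roles:   %s\n", json_encode(map_roles($patched, $mappings)));
```

With the original keying the lookups for "Drupal Admins" and "Site, Editors" miss, because the keys are the full lower-cased DNs and the shortened value is never consulted, so no roles are mapped, which is the empty "final mapping results" the report describes. With the patch #4 keying both rows match. The sample also shows the caveat that comes with the option itself: once groups are keyed by their first attribute, the two "Drupal Admins" groups in different OUs collapse to a single key, so a role granted on that name is granted for either group; anyone enabling the option should make sure that group CNs are unique across the directory branches the module searches.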

johnbarclay:

Thanks claar for taking the time to clarify this. Makes sense now... finally. I committed patch #4 to 7.x-2.x-dev. I'm running simpletests now, but I suspect this isn't covered in them yet, so we need to mark this as simpletest after it gets reviewed some more.

johnbarclay:

Title: Convert full dn to value of first attribute before mapping not working » LDAP Authorization: Convert full dn to value of first attribute before mapping not working
Status: Needs review » Fixed

This was in the simpletests, but was broken. It's all functional now.

lambic:

Thanks claar and johnbarclay. Any idea when you'll be pushing out a new beta?

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.