Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I tried to set up ldap group to drupal role mapping using the "Convert full dn to value of first attribute before mapping", but the result was that no roles were mapped.
I ran the tests and it confirmed that the groups are there for the user that I'm testing with.
It also confirmed that the filtering was working as I expected, stripping off the CN=, and everything after the first attribute
However the final mapping results section is empty.
If I turn off the "Convert full dn to value of first attribute before mapping" and use the full DN then the mapping works fine.
Comment | File | Size | Author |
---|---|---|---|
#4 | ldap-firstattr-1842630-4.patch | 953 bytes | claar |
Comments
Comment #1
johnbarclay CreditAttribution: johnbarclay commentedComment #2
johnbarclay CreditAttribution: johnbarclay commentedCan you try this against the current 7.x-2.x-dev code? It resolves a number of issues. See http://drupal.org/node/1115704#comment-6804496
Comment #3
johnbarclay CreditAttribution: johnbarclay commentedComment #4
claar CreditAttribution: claar commentedI am able to reproduce this in both 7.x-2.0-beta3 and 7.x-2.x-dev; testing on admin/config/people/ldap/authorization/test/drupal_role with "Convert full dn to value of first attribute before mapping" enabled reproduces this; no mapping is performed with this feature enabled.
The attached patch fixes the problem for us; hopefully it's the right way to fix this.
Comment #5
johnbarclay CreditAttribution: johnbarclay commentedThanks for the patch. I'm not sure if this is the correct way to fix this since its an indication of a problem elsewhere. Can you test against current 7.x-2.x-dev and see if this is resolved?
Comment #6
claar CreditAttribution: claar commentedPatch in #4 still applies against current 7.x-2.x-dev, and the "Convert full dn to value of first attribute before mapping" feature is completely broken without it, works fine with it. Testable via the authorization self-test feature.
Here's exactly how the code is broken:
I see two possible solutions:
Patch in #4 implements solution #2. I've tested for other potential side-effects, such as whether capitalization is retained as-entered in the filter, and have found none.
Comment #7
johnbarclay CreditAttribution: johnbarclay commentedThanks claar for taking the time to clarify this. Make sense now...finally. I committed patch #4 to 7.x-2.x-dev. I'm running simpletests now, but I suspect this isn't covered in them yet, so we need to mark this as simpletest after it gets reviewed some more.
Comment #8
johnbarclay CreditAttribution: johnbarclay commentedThis was in the simpletests, but was broken. Its all functional now.
Comment #9
lambic CreditAttribution: lambic commentedThanks claar and johnbarclay. Any idea when you'll be pushing out a new beta?