I had an earlier LDAP beta (7?) running on this Drupal 7.12 host using SSO and role mapping (using strategy II.C) and filtering worked great once I worked around the tiny bug John spotted in this issue:
LDAP Authorization: Duplicate entry in db after updating configuration
http://drupal.org/node/1468990
Just today I configured most recent beta 10 on an updated test version of the same. I disabled LDAP modules, dropped the ldap_servers and ldap_authorization tables before replacing earlier beta with beta 10 (See: "Did I miss something?" below*), and now I experience failures that mirror both the previously noted issue and this other issue:
LDAP Authorization: Roles not being granted
http://drupal.org/node/1280798
The situation: LDAP server config and test looks great. LDAP authentication with SSO also seems fine. New SSO-authed visitors have accounts automatically created with no problems. However, no roles are added to users_roles when those new users sign on, nor are any new role assignments added for existing users.
I observe the following:
If I run authorization test with single user then the column for AUTHORIZATION IDS is empty, but no warnings are displayed and watchdog shows:
LdapAuthorizationConsumerAbstract grantsAndRevokes() method log. action=grant:
%consumer_ids_log
If I run test with "10 random users", AUTHORIZATION IDS column is empty save for
note about admin account ("not applicable") and I see 2 identical warnings:
Notice: Undefined index: drupal_role in ldap_authorization_test_form_submit() (line 143 of /var/www/html/sites/all/modules/ldap/ldap_authorization/ldap_authorization.admin.test.inc).
and I see no message logged in watchdog for ldap_authorization.
Configuration options for cn/dn have expanded in this recent version and I tried different values with same result. Attached is my HTML config file and I have edited it in a couple of places to show that I tried different values. Note: I don't see a value in help/html output for "Attribute holding the previous list of values. e.g. cn, dn" (derive_from_entry_entries_attr) but I tried cn and dn.
I get the sense that I may be missing something with respect to new, more explicit configuration options. In the course of looking at the actual content of ldap_authorization table, though, I decided to file this as a bug report as the behavior has re-emerged where duplicate entries are made in that table (I checked and see no regression from the fix John made in that first, related issue.
I had built an active filter whitelist in the simple form of groupname|groupname and that was working in previous beta. I disabled filter to see if behavior would change, buty it did not -- groups were not updated.
Apologies for verbosity, but wanted to be complete.
Jim
*Did I miss something? My first attempt to configure beta 10 failed with an error I neglected to note. So I simply dropped those 2 tables and replaced the LDAP module/s. Is there any configuration anywhere else that could be borken?
Comment | File | Size | Author |
---|---|---|---|
LDAP_20120517.html_.txt | 21.27 KB | geste |
Comments
Comment #1
rolandu CreditAttribution: rolandu commentedsame problem here. subscribing.
Comment #2
geste CreditAttribution: geste commentedrolandu,
Exactly the same mix of problem behaviors? At least that's helpful reproducability-wise!
Jim
Comment #3
rolandu CreditAttribution: rolandu commentedYes, I saw nearly the same as you did. What I experienced was:
- update from beta9 to beta10
- My admin user immediately lost his rights after the update, so I had to switch to another one that did not rely on LDAP permissions - at least this showed me that something went wrong.
- In the LDAP authorization strategy "C" two new fields were added where you have to enter "cn" or "dn"; since I wasn't fully sure I tried all four combinations and nothing worked.
- I checked the database and found out that every save of the configuration resulted in a new line in the table, which seemed odd.
- I tried reinstalling beta10, saving just one configuration and making changed in the database-table, which did not help either. It seems to me that the module doesn't really check its configuration.
- I also noticed that in the old version the filtering was case-sensitive but now it was converted to all lowercase, which also seemed odd to me.
Since no configuration I entered worked, I de-installed and rolled back to beta9.
If this is something that affects everyone using strategy C, I consider it very critical.
Comment #4
johnbarclay CreditAttribution: johnbarclay commentedComment #5
johnbarclay CreditAttribution: johnbarclay commentedI fixed the authorization tests so they dealt with case sensitivity correctly and applied a number of ldap authorization patches. I'm closing this issue because its a mix of issues.
Comment #6
johnbarclay CreditAttribution: johnbarclay commentedsee also #1601270: LDAP Authorization: exportables functionality broken