I am trying to authenticate and then authorize against my campus LDAP.

I want to use a user attribute to perform simple authorization. Our ldap has an attirbute:

campusAffiliation
Definition: Relationship with the University
Data Source: presence or absence in identity provisioning data
LDAP Presence: all
Syntax: multi-valued
Example Data: student, registered, umail
LDAP objectClass: campusPerson

I may be bastardizing something here in Server Setup 2.x-dev settings page. If I tell it to about group information using this field ... a valid test user returns the example attached.

test account membership results

It looks like LDAP sees membership as Student and Umail, Great!

.... can I somehow transform this into a Drupal "Student" role I create. I can't figure out how to do this. So far as I can tell its not a value of the users DN returned upon a search (search DN is just o=campus).

Comments

Status:Active» Closed (works as designed)

Have you read through http://drupal.org/node/1302070 and http://drupal.org/node/1487018? They should give you exactly what you need to configure this. I've done similarly using that documentation. If you're still having trouble, feel free to reopen this ticket with more data.

Status:Closed (works as designed)» Active

I have read those 2 docs pages before posting here.

Since all the terminology on that page references 1.x setting names it makes it painful to try to understand how to apply the recipe to LDAP 2.x.

I believed asked about a multivalue attribute in my question I think the docs I should be referencing may be:
http://drupal.org/node/1499172

Now that I re-read that I'm not sure. I literally have a field such ascampusAffiliation and it stores like:
student,umail,teacher-assistant per user. I'm not sure if I need to put some search strings in the BASE DN, or what exactly their format should be I tried:

o=campus,ou=people,campusaffiliation=student as an additional base dn (to find the "student" group). The Base DN example doesnt show like cn=o=campus,ou=people,campusaffiliation=student .... so I'm uncertain how the documenation linked maps to the settings ui help text below the textarea for DNs on the Servers page.

I'm not seeing how this maps directly to any scenario in the docs. I do know its an OpenLDAP server.

This is actually public identity data for my campus. The LDAP data structure is (primary, not legacy):
http://www.identity.ucsb.edu/technologists/repositories/

And the campus affiliation value I mention is found on page 2 of the current data dictionary (ucsbAffiliation):
http://www.identity.ucsb.edu/technologists/data_dictionary/

I can bind and do a non-anonymous search. I'm having trouble taming these settings forms and getting authorization done right. I appreciate any feedback.

StatusFileSize
new113.05 KB
new81.11 KB

It sounds like you're in a pretty similar situation to our directory. I wasn't able to test yours as it's locked down to local addresses on your campus, but here's my config:

In Server Settings under the Group Config I've ignored all of the dn stuff and only filled out the "Attribute in user entry containing groups" field and checkbox as you can see here: http://drupal.org/files/LDAPGroupConfig.jpg

Next, I edit the Authorization config at admin/config/people/ldap/authorization. I set the basics and then added my roles from the attribute set in the server config in the "Mapping of LDAP to Drupal role" field. It looks like you are able to get drupal to parse out each separate entry from your member attribute, so all you should have to do it tell it what roles to map here. My config: http://drupal.org/files/LDAPAuthorizationConfig.jpg

Hope that helps... if it doesn't then I'm out of ideas. :)

StatusFileSize
new50.45 KB

Ok ... without Ctools installed even the ldap test pages do not work. I saw a thread on here saying ctools had to be installed to work. Cant get any search results without ctools right now on -dev (for me).

I can get the Test authorization pages to work for me. See this upload screenshot:
http://drupal.org/files/ldap_authorization_test.png

If I logout as Admin and try any of the 2 test accounts I know of I get the following lovely error:

Notice: Trying to get property of non-object in _ldap_authentication_user_login_authenticate_validate() (line 569 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_authentication/ldap_authentication.inc).
Warning: array_flip(): Can only flip STRING and INTEGER values! in DrupalDefaultEntityController->load() (line 178 of /var/www/2012/ttt/drupal-7.18/includes/entity.inc).
Warning: array_flip(): Can only flip STRING and INTEGER values! in DrupalDefaultEntityController->cacheGet() (line 355 of /var/www/2012/ttt/drupal-7.18/includes/entity.inc).
Notice: Trying to get property of non-object in user_login_submit() (line 2252 of /var/www/2012/ttt/drupal-7.18/modules/user/user.module).
Notice: Trying to get property of non-object in user_login_finalize() (line 2227 of /var/www/2012/ttt/drupal-7.18/modules/user/user.module).
Notice: Undefined property: stdClass::$uid in user_login_finalize() (line 2233 of /var/www/2012/ttt/drupal-7.18/modules/user/user.module).
Notice: Undefined property: stdClass::$uid in drupal_get_user_timezone() (line 2211 of /var/www/2012/ttt/drupal-7.18/includes/bootstrap.inc).
Notice: Undefined property: stdClass::$uid in ldap_user_user_login() (line 772 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_user/ldap_user.module).
Notice: Undefined property: stdClass::$name in ldap_user_user_login() (line 815 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_user/ldap_user.module).
PDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '' for key 'name': INSERT INTO {users} (uid, created, login) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2); Array ( [:db_insert_placeholder_0] => 3 [:db_insert_placeholder_1] => 1357844238 [:db_insert_placeholder_2] => 1357844238 ) in drupal_write_record() (line 7106 of /var/www/2012/ttt/drupal-7.18/includes/common.inc).
Notice: Undefined property: stdClass::$roles in user_access() (line 811 of /var/www/2012/ttt/drupal-7.18/modules/user/user.module).

Also, if I run the test page from the Servers tab, I get some notices:

Warning: array_shift() expects parameter 1 to be array, boolean given in ldap_servers_get_first_rdn_value_from_dn() (line 934 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: Invalid argument supplied for foreach() in ldap_servers_get_first_rdn_value_from_dn() (line 937 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: array_shift() expects parameter 1 to be array, boolean given in ldap_servers_get_first_rdn_value_from_dn() (line 934 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: Invalid argument supplied for foreach() in ldap_servers_get_first_rdn_value_from_dn() (line 937 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: array_shift() expects parameter 1 to be array, boolean given in ldap_servers_get_first_rdn_value_from_dn() (line 934 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: Invalid argument supplied for foreach() in ldap_servers_get_first_rdn_value_from_dn() (line 937 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: array_shift() expects parameter 1 to be array, boolean given in ldap_servers_get_first_rdn_value_from_dn() (line 934 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: Invalid argument supplied for foreach() in ldap_servers_get_first_rdn_value_from_dn() (line 937 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: array_shift() expects parameter 1 to be array, boolean given in ldap_servers_get_first_rdn_value_from_dn() (line 934 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: Invalid argument supplied for foreach() in ldap_servers_get_first_rdn_value_from_dn() (line 937 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: array_shift() expects parameter 1 to be array, boolean given in ldap_servers_get_first_rdn_value_from_dn() (line 934 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).
Warning: Invalid argument supplied for foreach() in ldap_servers_get_first_rdn_value_from_dn() (line 937 of /var/www/2012/ttt/drupal-7.18/sites/all/modules/ldap/ldap_servers/ldap_servers.module).

The ldap_servers_get_first_rdn_value_from_dn() expects $pairs to be an array from a $dn lookup. My $dn is "student" or "employee" and $pairs is NULL. I can remove these errors with:

function ldap_servers_get_first_rdn_value_from_dn($dn, $rdn) {
  $pairs = ldap_explode_dn($dn, 0); // escapes attribute values, need to be unescaped later
  if (!is_array($pairs)) return $dn;
  // ... rest of function ...

Why don't you install CTools? It looks like you're getting closer...

I did install ctools, so I have these test queries working.

What is this value in your screenshot, how did you derive it?
uc:org:college-it:admins

it looks like a "DN" to a role attribute, but why does its format look different than the examples of the page such as:
cn=students,ou=groups,dc=hogwarts,dc=edu

For a Bind with a Service Account do you have to specify a User DN in server setup? The help on that line says its only for binding with username/password (not service account).

As above, I'm not using DN mappings, but "Attribute in user entry containing groups" to map my groups. "uc:org:college-it:admins" is the value I'm looking for in my memberOf value in order to map my users. I've checked "Convert full dn to value of first attribute before mapping. e.g. cn=students,ou=groups,dc=hogwarts,dc=edu would be converted to students" so that I can just use the value instead of the full DN string. If you're having trouble with the mappings, try unchecking the "Only grant drupal roles that match a filter above." button and see if you get anything.

I have used a service account for binding before and have not specified the user DN expression. If you are using a service account, you just have to provide the BindDN and password in "DN for non-anonymous search" under Binding Method.

I haven't given up but I've been busy.

In your configuration screenshot:
http://drupal.org/files/LDAPGroupConfig.jpg

You have checked "a field such as memberOf exists ..." and supplied the attribute name.

Does that mean in textarea for:
Base DNs for LDAP users, groups, and other entries.

You have more then 1 ldap string? I only have a basedn for searching which is o=ucsb. Do you have other strings, of which 1 of the strings is a query using memberOf to return whether or not a user is member certain group(s) that are then mapped in the Authorization tab?

Nope, I only have one Base DN for the totally general case "ou=people,dc=uchicago,dc=edu". An unqualified query should return everything possible so there's no need (at least in my server situation) to supply other queries.

ok. I installed 1.x-dev and the exact same settings work and I can login and authorize and get a derived role. The same settings cause the errors I've discussed here in 2.x and I never get a role on login (login crashes).

I'm struggling getting anything to separately talk to an Active Directory instance.

If there are any errors, or log messages I can provide to help with 2x development please let me know. Will there be an upgrade path from 1.x to 2.x if I stick with 1.x for now ?

I've been having the same problems as tenken, and I would be happy to help update the documentation for 7.x-2 branch when/if I figure out how to translate the settings.

We eventually just rolled back to the first branch to get the roles to map correctly, and—IMHO—the UI for role mapping in the first branch is much more intuitive than that of the second branch.

I ran into some of the same errors as above and it seemed to be related to remnants of the D6 config in my databases. I had to DROP TABLE `ldapauth` and TRUNCATE TABLE `authmap`. Hope that helps someone.