I have a posixGroup that has a list of authorized users. (Currently just one for testing.)

DN: cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu
objectClass: groupOfNames
objectClass: posixGroup
objectClass: Top
cn: authenticateduser
gidNumber: 0
ACL: 2#entry#[Root]#member
memberUid: L00467966

Where do I tell the module to look at that group?

Or, to word it a bit differently, how do I configure the module to only allow users who are listed in groups like the above to log in?

I would have a group per Drupal role.

Comments

jerrac:

I just built a small test Drupal install with the latest LDAP dev release. Still can't get it to work.

So, let me rephrase my question. Is it possible to create a group per role (posixgroup or groupofnames), store each authorized user's cn in a memberuid attribute on that group, and then tell the LDAP module to check that group for a user's role?

jerrac:

I can just add the authenticated user group to the user entry as a groupMembership. That does make the authorization work with the "A user LDAP attribute such as memberOf exists that contains a list of their groups. Active Directory and openLdap with memberOf overlay fit this model." checkbox option. But it makes more sense to me to have a group entry per role that lists all the users in that role.

I know doing it that way is possible. We have a third party CakePHP app doing so. And the "LDAP GROUP ENTRY ATTRIBUTE HOLDING USER'S DN, CN, ETC." field on the ldap server configuration screen makes me think this LDAP module is supposed to be able to do so as well. When I was first searching the issue queue before posting this issue, I didn't see anything indicating that the feature was broken or not implemented yet. I don't see any errors in either Drupal's logs or my system logs.

I suppose the next thing to do is browse the source code. Maybe something will give me a clue there.

Any other suggestions? More information I could provide that would help?

jerrac:

Version: 7.x-2.x-dev » 7.x-2.0-beta6

Still have the same problem on 7.x-2.0-beta6.

jerrac:

I lost the test install I was using a year ago. Now my role/group entries look more like:

DN: cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu
objectClass: groupOfNames
objectClass: Top
cn: authenticateduser
ACL: 2#entry#[Root]#member
member: cn=testuser,ou=people,dc=college,dc=edu

On admin/config/people/ldap/servers/edit/ldap_server_01 I set:

  • Name of Group Object Class: groupofnames
  • LDAP Group Entry Attribute Holding User's DN, CN, etc.: member
  • User attribute held in "LDAP Group Entry Attribute Holding...": dn

On admin/config/people/ldap/authorization/edit/drupal_role I set:

  • Mapping of LDAP to drupal role (one per line):
    cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu|authenticated user

When I run the authorization test on testuser, no Drupal roles are assigned.

If I switch the settings around to look for a groupMembership on the testuser LDAP entry, the correct roles are assigned. That is how my prod site is set up, and it works. But I shouldn't have to edit every single user's entry to add a groupMembership.

If I'm reading the options on the server settings page correctly, I should be able to tell it to look at a single group entry, and then check to see if the user is in that group entry before assigning a role. Is that right? Thoughts on why it doesn't work?
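The two authorization models discussed in this thread, as an added illustration that is not the LDAP module's own code: "derive from group entries" searches groups of the configured object class for a member attribute holding the user's DN (or uid, for posixGroup/memberUid), while "derive from a user attribute" reads the list off the user's own entry. Every entry, DN, uid and mapping line below is constructed to mirror the setup in the issue; the `editor` group is invented for contrast, and DNs are compared case-insensitively as LDAP does.

```python
def normalize_dn(dn: str) -> str:
    """Compare DNs the way LDAP does: attribute types and caseIgnore values
    (cn, ou, dc) are case-insensitive, and spaces around commas are ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))

# Constructed group entries: a groupOfNames holding DNs, a posixGroup holding uids.
GROUPS = [
    {"dn": "cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu",
     "objectClass": ["groupOfNames", "Top"],
     "member": ["cn=testuser,ou=people,dc=college,dc=edu"]},
    {"dn": "cn=editor,ou=drupal,ou=groups,dc=blah,dc=edu",   # invented group
     "objectClass": ["posixGroup", "Top"],
     "memberUid": ["L00467966"]},
]
# Constructed user entry, as it looks with the memberOf/groupMembership model.
USER = {"dn": "cn=testuser,ou=people,dc=college,dc=edu", "uid": "L00467966",
        "groupMembership": ["cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu"]}
# Same "LDAP group|drupal role" line format as the authorization mapping field.
MAPPING = """
cn=authenticateduser,ou=drupal,ou=groups,dc=blah,dc=edu|authenticated user
cn=editor,ou=drupal,ou=groups,dc=blah,dc=edu|editor
"""

def parse_mapping(text: str) -> dict:
    """Turn 'groupDN|role' lines into {normalized group DN: role}."""
    rules = {}
    for line in text.splitlines():
        if "|" in line:
            group, role = line.rsplit("|", 1)
            rules[normalize_dn(group)] = role.strip()
    return rules

def groups_from_group_entries(value, groups, group_class, member_attr):
    """Group-side model: groups of the configured object class whose member
    attribute (member, memberUid, ...) contains the user's DN or uid."""
    wanted = normalize_dn(value)
    return [g["dn"] for g in groups
            if group_class.lower() in {c.lower() for c in g["objectClass"]}
            and any(normalize_dn(m) == wanted for m in g.get(member_attr, []))]

def groups_from_user_entry(user, attr="groupMembership"):
    """User-side model: read the group list straight off the user's entry."""
    return list(user.get(attr, []))

def roles_for(group_dns, rules):
    """Map matched group DNs to Drupal roles; unmapped groups grant nothing."""
    return sorted({rules[normalize_dn(g)] for g in group_dns if normalize_dn(g) in rules})
```

Note that a groupOfNames queried with `memberUid`, or a posixGroup queried with the user's DN, matches nothing: the "attribute holding user's DN, CN, etc." and the "user attribute held in" settings have to describe the same value.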

larowlan:

Status: Active » Closed (outdated)

no update for > 12 months - closing