I am building a fairly complicated LDAP and OG integrated site. When an LDAP user logs in the first time, the system properly assigns Drupal roles and OG groups based on their LDAP group membership. When the same user logs in a second time, it revokes all their OG memberships. During subsequent authentications it alternates between assigning and revoking membership on each login.

I updated the site from 7.x-2.0-beta5 to the current dev without success. I don't see any issues in the queue reporting similar problems (although obviously I could have missed it), so I'm sure there are other issues in play since it seems like lots of people would complain if it were common. I'd be happy to provide additional information, but I'm not sure what would be useful. I believe the basic mappings are correct, since it successfully assigns the correct groups 1/2 the time.

I had to tweak the requested config information to hide the information about who owns the site, but it's very close to accurate. Like I said, it connects to the server every time, and works end-to-end 50% of the time.

Comments

After more review I figured out what's causing this, and a workaround for anyone else that gets this far.

The issue came up because we have multiple roles defined within OG. During the first pass, og2Grants() correctly adds the user to both the role they are assigned to and the base member group. During the second pass the system notices that the base member group isn't in the mapping, and revokes their group membership, while preserving their role that's in the mapping. During the third pass, the module again, correctly, recognizes that the user is not a member of the group and re-adds both the role and the base membership.

The workaround is to place two rows into the OG Authorization map, one for the "member" role, and the second for any additional roles.

og2Grants(), og2Revoke(), or (probably better) grantsAndRevokes() should recognize what's happening here and provide a more robust solution. If it's going to automatically add a user to multiple groups, it should not flag that as an error on the next pass and remove the automatic membership.

Priority: Normal » Major

I can confirm this issue. Our site has a lot of memberships, and the module seems to have problems when you have over 225 lines in the configuration for OG, so it's not really feasible for us to double every assignment to also include a member role assignment.

I'm marking this as major seeing how it's completely broken every other time someone logs in.

This is similar to #2144637: LDAP Authorization 7.x-2.0-beta6 and OG 7.x-2.4 - roles only assigned on initial login, but that issue does not discuss the problems assigning roles. I've experienced problems similar to both issues, but role assignment has worked for me at all. (I only get member, not any custom roles.)


I can confirm this issue. I've tried version 7.x-2.0-beta8 but after each logon the user is a member > not a member > a member > not a member ...

I found a not so nice workaround by disabling "Revoke OG groups previously granted by LDAP Authorization but no longer valid.", resulting in an out-of-sync AD security group vs. OG group.

Priority: Major » Critical

I am having the same problem. This problem really is a deal breaker for our company intranet. Would it be permissible to change this to critical?

I have had the same problem. The issue comes from having a mapping that maps users directly to a role with no member role. If this happens, when LDAP does a diff between the Drupal OG group roles and the roles provided from AD, the member role is set to be removed from the user, and in the code there is a check in the revoke function to unregister the user from that group if the member role is present:

if (in_array($authenticated_rid, $revoking_rids) || count($remaining_rids) == 0) {
  // ungroup if only authenticated and anonymous role left
  $entity = og_ungroup($group_entity_type, $gid, 'user', $user->uid);
}

I think this can be removed; at least it works fine for me, but it needs to be tested in other configurations.

Attached patch.
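To make the alternating behaviour described in the earlier comment (og2Grants() implicitly adding the "member" role, og2Revoke() then ungrouping on the next pass) and the effect of the proposed patch easier to reason about, here is a small added model of the grant/revoke reconciliation. It is example code written for this thread, not code from the ldap or og modules: the LDAP group names and the role mapping are constructed, `reconcile()` is a hypothetical stand-in for grantsAndRevokes(), and the `imply_member` option is an assumed fix (treat "member" as implied by any mapped role) rather than anything on the page.

```python
# Toy model of LDAP Authorization -> OG grant/revoke reconciliation.
# Constructed example for illustration; not the module's own code.

MEMBER = "member"  # OG's base "member" role, added implicitly when any role is granted


def mapped_roles(ldap_groups, mapping):
    """OG roles the (constructed) LDAP Authorization map yields for a user's LDAP groups."""
    roles = set()
    for group in ldap_groups:
        roles.update(mapping.get(group, ()))
    return roles


def reconcile(held, mapped, revoke_enabled=True, ungroup_on_member_revoke=True,
              imply_member=False):
    """One login pass (hypothetical stand-in for grantsAndRevokes()).

    `held` is the set of OG roles the user currently holds in the group
    (empty set = not a member). Returns the roles held after the pass.
    """
    if imply_member and mapped:
        # Assumed fix: a mapping that grants any role is taken to grant
        # membership too, so the implicit "member" role is never "unexpected".
        mapped = mapped | {MEMBER}
    # Both lists are computed from the state at the start of the pass:
    # grants for mapped roles not yet held, revokes for held roles the
    # mapping no longer produces (the "Revoke OG groups ..." setting).
    grants = mapped - held
    revokes = (held - mapped) if revoke_enabled else set()
    after = set(held)
    if grants:
        after |= grants | {MEMBER}  # og2Grants: granting a role also makes the user a member
    remaining = after - revokes
    if revokes and ungroup_on_member_revoke and (MEMBER in revokes or not remaining):
        return set()  # og2Revoke: og_ungroup() drops the whole membership
    return remaining


def simulate(logins, mapping, ldap_groups, **opts):
    """Run `logins` consecutive passes and return the roles held after each."""
    held = set()
    history = []
    for _ in range(logins):
        held = reconcile(held, mapped_roles(ldap_groups, mapping), **opts)
        history.append(frozenset(held))
    return history


if __name__ == "__main__":
    groups = ["cn=editors,ou=groups,dc=example,dc=test"]  # constructed LDAP group
    role_only = {groups[0]: ("editor",)}                  # mapping without "member"
    with_member = {groups[0]: ("editor", "member")}       # the two-row workaround
    print("as reported:   ", simulate(4, role_only, groups))
    print("workaround:    ", simulate(4, with_member, groups))
    print("patch:         ", simulate(4, role_only, groups, ungroup_on_member_revoke=False))
    print("implied member:", simulate(4, role_only, groups, imply_member=True))
```

Running it shows the member / not a member / member cycle for the plain mapping, the stable result of the two-row workaround, the patched variant keeping the membership but permanently losing the "member" role, and the implied-member variant staying in sync while still ungrouping a user whose LDAP group goes away (which disabling revocation entirely, as in the other workaround, does not).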