OpenLDAP has an overlay called dynlist that can be used to create a dynamic group of users, say all users or users that meet certain criteria, etc. It is really powerful and I wanted to use it in combination with LDAP Integration's group features, but LDAP Integration would not find the authenticating/authorizing user in the dynamic group like it does our other static groups in OpenLDAP.
The problem is that dynamic groups generate the values of the member attribute (in this case), per OpenLDAP specs, after the LDAP search operation completes. In other words, dynamic groups are meant to be accessed using an LDAP compare operation rather than a search using certain filter criteria such as is a certain DN in a certain attribute (member) of a certain group (as specified in the LDAP group interface). The problem is that the LDAP Integration code only uses LDAP searches rather than LDAP compares.
I solved this for myself with the attached patch containing 5 lines of code. Basically, if the LDAP search operation fails for a group, as a last resort an LDAP compare is done. Hope this helps someone else.
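An added example, not the attached patch or the module's own code, of the search-then-compare fallback described in the post, written against PHP's ldap extension; the function name `user_in_group`, its parameters and the use of a base-scope read are assumptions. It also shows the check such a fallback needs in an authorization path: `ldap_compare()` returns -1 on error, which PHP treats as truthy.

```php
<?php
// Added example, not the patch attached to this issue. The function and
// parameter names are hypothetical. Requires PHP 7+ with the ldap extension.

/**
 * Returns true only when $userDn is a confirmed member of $groupDn.
 *
 * $ldap is an already bound connection from ldap_connect()/ldap_bind().
 * $attr is trusted configuration (e.g. "member"), never user input.
 */
function user_in_group($ldap, string $groupDn, string $userDn, string $attr = 'member'): bool
{
    // 1. Static groups: read the group entry with a membership filter.
    //    Escape the DN so its characters cannot alter the filter.
    $filter = sprintf('(%s=%s)', $attr, ldap_escape($userDn, '', LDAP_ESCAPE_FILTER));
    $result = @ldap_read($ldap, $groupDn, $filter, ['dn']);
    if ($result !== false && ldap_count_entries($ldap, $result) > 0) {
        return true;
    }

    // 2. Last resort for dynamic (dynlist) groups: an LDAP compare.
    //    ldap_compare() returns true, false, or -1 on error. Because -1 is
    //    truthy, "if (ldap_compare(...))" would treat a failed compare
    //    (missing group, insufficient access) as a successful membership.
    $cmp = @ldap_compare($ldap, $groupDn, $attr, $userDn);
    if ($cmp === -1) {
        error_log(sprintf('LDAP compare on %s failed: %s', $groupDn, ldap_error($ldap)));
        return false; // fail closed
    }
    return $cmp === true;
}
```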
Comments
Comment #1
johnbarclay
This seems like it should be configurable. If there is no harm in doing the ldap_compare I suppose it need not be. Looking for feedback here with an eye toward implementing it for Drupal 7.
Comment #2
aanjaneyam
Hope this can be implemented in 7.x-2.x. Would the patch in #1 be applicable for Drupal 7?
Comment #3
larowlan
Comment #4
grahl
Comment #5
grahl
Comment #7
grahl
I presume this is not a regular use-case, since the issue is from 2010 with limited feedback.
Please reopen if you are using this with a recent 7.x-2.x or 8.x-3.x version in production and can confirm this patch.