The module's version change brings major changes to the LDAP configuration interface, which ends up better thought out and simpler. Hence these rewritten tutorials.
Use LDAP + CAS to retrieve information about the central directory's users
This tutorial gives you two features:
- when a new user authenticates via CAS, retrieve their surname, first name, email address and promotion (graduating class) from the LDAP directory and add this information to their user profile automatically
- when a user authenticates via CAS, automatically create a Drupal role for their promotion if it does not exist yet, and in any case add the user to the Drupal role of their promotion (this can then be used to define access rights per promotion, ...)
Note: this tutorial exists in two versions:
- the first concerns the version of the ldap module currently installed (7.x-1.0-beta12);
- the second is for the currently recommended version, which will be installed soon (7.x-2.0-beta6).
7.x-1.0-beta12
Recovering information from a CAS user
Normally you already have the CAS module enabled. In addition, enable the modules "LDAP Servers", "CAS Attribute Tokens" and "CAS LDAP Tokens".
Go to Administration menu: Configuration > People > LDAP Configuration. In the Servers tab, add a new server with the following parameters:
- Machine name for this server configuration : annuaire_ECM
- Name : annuaire_ECM
- Check box Enabled
- LDAP Server Type : Default LDAP
- LDAP server : ldaps://ldapr.egim-mrs.fr
- LDAP port : 389
- Do not check Use Start-TLS
- Caveat: an ldaps:// URL normally implies port 636; 389 is the plain LDAP port (optionally upgraded with Start-TLS). If the connection test fails, ask the CRI which port the directory accepts TLS on rather than falling back to an unencrypted connection, since the service account password below would otherwise cross the network in clear text.
- Binding Method for Searches: choose the first option (Service Account Bind. Use credentials in following section to bind to ldap. This option is ....)
- DN for non-anonymous search : cn=drupalassos,ou=ldapusers,dc=egim-mrs,dc=fr
- Password for non-anonymous search : send an email to assos [AT] centrale-marseille [POINT] fr, or to the CRI, to obtain this password. Treat it as a secret: it is stored in the Drupal database, is only needed for searches, and should not be reused for anything else.
- Check: Clear existing password from database. Check this when switching away from service account binding (as its label says, this box is meant for leaving service account binding; if the server no longer binds after you save, leave it unchecked and re-enter the password)
- Base DNs for LDAP user entries : ou=People,dc=egim-mrs,dc=fr
- AuthName attribute : uid
- Email attribute : mailLocalAddress
Save configuration
Go to Administration menu : Configuration > People > Account settings > Manage fields
Add 3 fields: Last name, First name and Promotion
Go to admin/config/people/cas/attributes. Complete as follows:
- Fetch CAS Attributes : only when a CAS account is created
- Server: annuaire_ECM (the machine name of the server configured above)
- Username : [cas:ldap:uid]
- Email address: [cas:ldap:maillocaladdress]
- Last name: [cas:ldap:sn]
- First name : [cas:ldap:givenname]
- Promotion : [cas:ldap:supannaffectation]
Save configuration
When a user now logs in via CAS, all these profile fields are filled in automatically (only on account creation, given the setting above; later changes in the directory are not propagated).
Create a role by promotion
Activate the modules:"LDAP Authorization" and "LDAP Authorization - Drupal Roles".
Go to Administration menu: Configuration > People > LDAP Configuration, Authorization tab. Click Add.
- LDAP Server used in drupal role configuration: choose annuaire_ECM.
- Check the 'Enable this configuration' box.
- Do not tick the box 'Only apply the following LDAP to drupal role configuration to users authenticated via LDAP....': our users authenticate via CAS, not via LDAP, so ticking it would exclude all of them.
- In the field group named II.B. DERIVE DRUPAL ROLES BY ATTRIBUTE, check the 'Drupal roles are specified by LDAP attributes' box.
- Attribute names (one per line) : supannAffectation
- Mapping of LDAP to drupal role : fill line by line :
- promo2011|Promotion 2011
- promo2012|Promotion 2012
- promo2013|Promotion 2013
- promo2014|Promotion 2014
- promo2015|Promotion 2015
- Add further lines on this template so the feature also works for older and future promotions
- Check the box: Use LDAP group to drupal roles filtering (with it, only the values listed in the mapping above grant a role; without it, any supannAffectation value a user carries would become a role)
- In the group IV.B. When should drupal roles be granted/revoked from user?, check the 'When a user logs on' box.
- In the group IV.C. What actions would you like performed when drupal roles are granted/revoked from user?, check all 3 boxes
Save configuration
If a user now logs in via CAS and belongs to promo2014, then: if the Drupal role 'Promotion 2014' did not exist, it is created and added to the user's roles; if the role already existed, the user is simply given it.
Of course, the best practice is to first create these roles by hand in admin/people/permissions/roles and configure their permissions, and only then enable this feature, so that no role ever appears with permissions nobody has reviewed.
7.x-2.0-beta6
Recovering information from a CAS user
Normally you already have the CAS module enabled. In addition, enable the modules "LDAP Servers", "CAS Attribute Tokens" and "CAS LDAP Tokens".
Go to Administration menu: Configuration > People > LDAP Configuration. In the Servers tab, add a new server with the following parameters:
- Connection settings :
- Machine name for this server configuration : annuaire_ECM
- Name : annuaire_ECM
- Check box Enabled
- LDAP Server Type : Default LDAP
- LDAP server : ldaps://ldapr.egim-mrs.fr
- LDAP port : 389
- Do not check Use Start-TLS
- Caveat: ldaps:// normally implies port 636, while 389 is the plain LDAP/Start-TLS port; if the connection fails, confirm the TLS port with the CRI rather than falling back to an unencrypted bind, which would expose the service account password.
- Binding Method
- Binding Method for Searches (such as finding user object or their group memberships): Choose the first choice: Service Account Bind: Use credentials in the Service Account field to bind to LDAP. This option is usually a best practice.
- DN for non-anonymous search : cn=drupalassos,ou=ldapusers,dc=egim-mrs,dc=fr
- Password for non-anonymous search : send an email to assos [AT] centrale-marseille [POINT] fr, or to the CRI, to obtain this password (treat it as a secret: it is stored in the Drupal database and should not be reused elsewhere)
- Check: Clear existing password from database. Check this when switching away from service account binding (as its label says, this box is meant for leaving service account binding; if the server no longer binds after saving, leave it unchecked and re-enter the password)
- LDAP User to Drupal User Relationship.
- Base DNs for LDAP users, groups, and other entries : ou=People,dc=egim-mrs,dc=fr
- AuthName attribute : uid
- Email attribute : mailLocalAddress
Save configuration
Go to Administration menu : Configuration > People > Account settings > Manage fields
Add 3 fields: Last name, First name and Promotion
Go to admin/config/people/cas/attributes. Complete as follows:
- Fetch CAS Attributes : only when a CAS account is created
- Server: annuaire_ECM (the machine name of the server configured above)
- Username : [cas:ldap:uid]
- Email address: [cas:ldap:maillocaladdress]
- Last name: [cas:ldap:sn]
- First name : [cas:ldap:givenname]
- Promotion : [cas:ldap:supannaffectation]
Save configuration
When a user now logs in via CAS, all these profile fields are filled in automatically (only on account creation, given the setting above; later changes in the directory are not propagated).
Create a role by promotion
Activate the modules:"LDAP Authorization" and "LDAP Authorization - Drupal Roles".
Go to Administration menu: Configuration > People > LDAP Configuration, Authorization tab. Click Add.
I. Basics :
- LDAP Server used in drupal role configuration: choose annuaire_ECM
- Check the 'Enable this configuration' box.
- Do not tick the box 'Only apply the following LDAP to drupal role configuration to users authenticated via LDAP....': our users authenticate via CAS, not via LDAP, so ticking it would exclude all of them.
- II. LDAP to drupal role mapping and filtering :
- check box 'Convert full dn to value of first attribute before mapping. e.g. cn=students,ou=groups,dc=hogwarts,dc=edu would be converted to students'.
- Mapping of LDAP to drupal role (one per line) : promo2013|Promotion 2013
- Add further lines on this template so the feature also works for older and future promotions
- check the box 'Only grant drupal roles that match a filter above.' (without it, every supannAffectation value a user carries would become a Drupal role)
- Part III. Even More Settings:
- Leave all boxes ticked.
Save configuration
Go to Administration menu: Configuration > People > LDAP Configuration. In the Servers tab, edit the server from the first part of this tutorial:
- LDAP Group Configuration :
- Name of Group Object Class: supannperson
- Check box 'A user LDAP attribute such as memberOf exists that contains a list of their groups. Active Directory and openLdap with memberOf overlay fit this model.'
- Attribute in User Entry Containing Groups : supannaffectation
- User attribute held in "LDAP Group Entry Attribute Holding..." : supannaffectation
Save configuration.
If a user now logs in via CAS and belongs to promo2014, then: if the Drupal role 'Promotion 2014' did not exist, it is created and added to the user's roles; if the role already existed, the user is simply given it.
Of course, the best practice is to first create these roles by hand in admin/people/permissions/roles and configure their permissions, and only then enable this feature, so that no role ever appears with permissions nobody has reviewed.
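To see what the settings in the two "Create a role by promotion" sections actually do to a given account, here is an added Python model of the "derive Drupal roles by attribute" logic: the value|role mapping lines, the 'Convert full dn to value of first attribute' option, the 'Only grant drupal roles that match a filter' switch and the 'Create drupal roles if they do not exist' switch. It is example code written for this page, not the tutorial's or the ldap module's PHP; the LDAP entry, the group DN and the existing role names are constructed.

```python
"""Added example: a model of ldap_authorization's "derive Drupal roles by
attribute" behaviour as configured in the tutorial. Not the module's code;
the entry below is constructed. Attribute names and values compare
case-insensitively, as LDAP does."""

from __future__ import annotations

import re

# The mapping exactly as typed into "Mapping of LDAP to drupal role",
# one 'ldap value|Drupal role' pair per line.
MAPPING_TEXT = """
promo2011|Promotion 2011
promo2012|Promotion 2012
promo2013|Promotion 2013
promo2014|Promotion 2014
promo2015|Promotion 2015
"""


def parse_mapping(text: str) -> dict[str, str]:
    """Turn the textarea contents into {ldap value (lower-cased): role name}."""
    mapping = {}
    for line in text.splitlines():
        if "|" not in line:
            continue  # blank line
        ldap_value, role = (part.strip() for part in line.split("|", 1))
        mapping[ldap_value.lower()] = role
    return mapping


def first_rdn_value(value: str) -> str:
    """The 'Convert full dn to value of first attribute' option:
    cn=students,ou=groups,dc=hogwarts,dc=edu -> students.
    Plain values such as promo2013 are returned unchanged."""
    m = re.match(r"^\s*[A-Za-z][\w-]*=([^,]+)", value)
    return m.group(1).strip() if m else value


def attribute_values(entry: dict[str, list[str]], attribute: str) -> list[str]:
    """Case-insensitive attribute lookup (supannAffectation == supannaffectation)."""
    return [v for k, vs in entry.items() if k.lower() == attribute.lower() for v in vs]


def derive_roles(entry, attribute, mapping, *, only_mapped=True,
                 create_missing=False, existing_roles=()):
    """Return (roles granted to the user, roles that had to be created).

    only_mapped    -> 'Only grant drupal roles that match a filter above'
    create_missing -> 'Create drupal roles if they do not exist'
    existing_roles -> roles already defined in admin/people/permissions/roles
    """
    existing = set(existing_roles)
    granted, created = [], []
    for raw in attribute_values(entry, attribute):
        value = first_rdn_value(raw)
        role = mapping.get(value.lower())
        if role is None:
            if only_mapped:
                continue  # filtering on: unknown attribute values are ignored
            role = value  # filtering off: the raw LDAP value becomes a role name
        if role not in existing:
            if not create_missing:
                continue  # a role that does not exist cannot be granted
            created.append(role)
            existing.add(role)
        if role not in granted:
            granted.append(role)
    return granted, created


# Constructed LDAP entry standing in for a CAS-authenticated student who
# also carries an unrelated group DN in the same attribute.
SAMPLE_ENTRY = {
    "uid": ["jdupont"],
    "supannAffectation": ["promo2014", "cn=bde,ou=groups,dc=example,dc=org"],
}

if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_TEXT)
    for only_mapped in (True, False):
        granted, created = derive_roles(
            SAMPLE_ENTRY, "supannAffectation", mapping, only_mapped=only_mapped,
            create_missing=True, existing_roles=["Promotion 2013"])
        print(f"filter={only_mapped}: granted={granted} created={created}")
```

With the filter on, the unrelated group value is dropped and only 'Promotion 2014' is granted (and created, since it was not defined beforehand); with the filter off and role creation enabled, a role literally named 'bde' appears as well, which is the "lots of unset roles" situation the import section warns about.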
Import users from LDAP
Note: this tutorial exists in two versions:
- the first concerns the version of the ldap module currently installed (7.x-1.0-beta12);
- the second is for the currently recommended version, which will be installed soon (7.x-2.0-beta6).
7.x-1.0-beta12
- Enable the necessary modules (the LDAP query module, plus Feeds with the LDAP fetcher and parser used below)
In Administration menu: Configuration > People > LDAP Configuration > Queries, add a new query (click Add new Query):
- Machine name for this query configuration: promo2013 (cannot be changed later)
- Name: promo2013
- Choose LDAP directory
- Check "enabled"
- Base DNs to search in query: ou=People,dc=egim-mrs,dc=fr
- Filter : (&(objectClass=supannPerson)(eduPersonAffiliation=student)(|(supannAffectation=promo2013)(supannAffectation=promo2014)))
- Explanation: this is prefix (Polish) notation: each operator comes first and applies to all the parenthesised terms that follow it, & meaning AND and | meaning OR. Read literally, the filter means "objectClass=supannPerson AND eduPersonAffiliation=student AND (supannAffectation=promo2013 OR supannAffectation=promo2014)". Check that every parenthesis is closed before saving; the directory rejects an unbalanced filter as a bad search filter and the import then fetches nothing.
- Attributes to return : uid,mailLocalAddress,givenName,sn,supannAffectation
- Size Limit of returned data : 664 (maximum number of entries the query returns; raise it if the selected promotions together exceed it, otherwise the tail of the result set is cut off)
- Save
- In Administration menu : Structure > feeds, create a new import :
- Name: import 2013 (for example)
- In basic settings :
- periodic import: Disabled
- Fetcher: LDAP Query Fetcher
- LDAP Query Fetcher: promo2013 (the query created at the beginning of this tutorial)
- Parser: LDAP Entry Parser for Feeds
- Processor : User processor
- User processor: choose whether you want to add a role to the users you're going to import
- Mapping (source names in lower case):
| Source | Target |
| uid | User name (unique) |
| maillocaladdress | Email address (unique) |
| sn | Last name |
| givenname | First name |
| supannaffectation | Promotion |
To avoid problems, in Administration menu: Configuration > People > LDAP configuration > Authorization > edit, untick the box at the very bottom, Create drupal roles if they do not exist.
This prevents a flood of unintended roles being created by the import.
In Navigation > Import, choose the import you created, then click Import.
The users should now have been created.
Enjoy! :)
7.x-2.0-beta6
- Enable the necessary modules (the LDAP query module, plus Feeds with the LDAP fetcher and parser used below)
- In Administration menu: Configuration > People > LDAP Configuration > Queries, add a new query (click Add new Query):
- Basic LDAP Query Settings :
- Machine name for this query configuration: promo2013 (cannot be changed later)
- Name: promo2013
- Choose LDAP directory
- Check "Enabled"
- Query:
- Base DNs to search in query : ou=People,dc=egim-mrs,dc=fr
- Filter : (&(objectClass=supannPerson)(eduPersonAffiliation=student)(|(supannAffectation=promo2013)(supannAffectation=promo2014)))
- Explanation: this is prefix (Polish) notation: each operator comes first and applies to all the parenthesised terms that follow it, & meaning AND and | meaning OR. Read literally, the filter means "objectClass=supannPerson AND eduPersonAffiliation=student AND (supannAffectation=promo2013 OR supannAffectation=promo2014)". Check that every parenthesis is closed before saving; the directory rejects an unbalanced filter as a bad search filter and the import then fetches nothing.
- Attributes to return : uid,mailLocalAddress,givenName,sn,supannAffectation
- Advanced Query Settings:
- Size Limit of returned data : 664 (maximum number of entries the query returns; raise it if the selected promotions together exceed it, otherwise the tail of the result set is cut off)
- Scope of search : ONELEVEL
- Save
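The filter typed into the Queries step, in both versions of this import tutorial, is the one place where a slip such as a missing or extra parenthesis breaks the import. Here is an added Python example (written for this page, not taken from the tutorial or the ldap module) that parses the RFC 4515 filter syntax, rejects an unbalanced filter, renders the prefix notation as the AND/OR sentence given in the explanation, and evaluates the filter against a few constructed directory entries to preview which uids an import would pull in. It covers the subset the tutorial needs (&, |, !, attr=value, attr=* and * wildcards); RFC 4515 escapes such as \2a and extensible matching are not handled.

```python
"""Added example: parse, explain and dry-run an LDAP search filter
(RFC 4515 subset). Not the tutorial's or the ldap module's code; the
sample entries below are constructed."""

from __future__ import annotations

import re

# The filter from the Queries step, as a single string.
FILTER = ("(&(objectClass=supannPerson)(eduPersonAffiliation=student)"
          "(|(supannAffectation=promo2013)(supannAffectation=promo2014)))")


class FilterError(ValueError):
    """Raised for a filter the directory would reject as malformed."""


def parse(text: str):
    """Parse a filter into a nested AST: ('&'|'|', [children]), ('!', [child])
    or ('=', attribute, value-pattern). Raises FilterError on bad syntax."""
    pos = 0

    def parse_item():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise FilterError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise FilterError("unterminated filter")
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse_item())
            if not children:
                raise FilterError(f"'{op}' without operands at offset {pos}")
            node = (op, children)
        elif text[pos] == "!":
            pos += 1
            node = ("!", [parse_item()])
        else:
            end = text.find(")", pos)
            if end < 0:
                raise FilterError(f"unterminated item at offset {pos}")
            item = text[pos:end]
            if "=" not in item:
                raise FilterError(f"'{item}' is not attribute=value")
            attr, value = item.split("=", 1)
            node = ("=", attr.strip(), value.strip())
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise FilterError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    ast = parse_item()
    if pos != len(text):  # e.g. one ')' too many, as in a mis-pasted filter
        raise FilterError(f"unexpected trailing text at offset {pos}: {text[pos:]!r}")
    return ast


def explain(node) -> str:
    """Render the prefix notation as the infix sentence used in the tutorial."""
    kind = node[0]
    if kind == "=":
        return f"{node[1]}={node[2]}"
    if kind == "!":
        return f"NOT {explain(node[1][0])}"
    joiner = " AND " if kind == "&" else " OR "
    return "(" + joiner.join(explain(child) for child in node[1]) + ")"


def matches(node, entry) -> bool:
    """Evaluate the filter against one entry ({attribute: [values]});
    attribute names and values compare case-insensitively, as LDAP does."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if pattern == "*":  # presence filter
        return bool(values)
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return any(re.fullmatch(regex, v.lower()) for v in values)


def select_uids(filter_text: str, entries) -> list[str]:
    """Dry run: the uids the query would hand to the Feeds import."""
    ast = parse(filter_text)
    return [e["uid"][0] for e in entries if matches(ast, e)]


# Constructed entries: one student in scope, one student from another
# promotion, one staff member carrying a matching supannAffectation.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "objectClass": ["supannPerson"],
     "eduPersonAffiliation": ["student"], "supannAffectation": ["promo2014"]},
    {"uid": ["bob"], "objectClass": ["supannPerson"],
     "eduPersonAffiliation": ["student"], "supannAffectation": ["promo2011"]},
    {"uid": ["carol"], "objectClass": ["supannPerson"],
     "eduPersonAffiliation": ["staff"], "supannAffectation": ["promo2013"]},
]

if __name__ == "__main__":
    print(explain(parse(FILTER)))
    print(select_uids(FILTER, SAMPLE_ENTRIES))
```

Running it prints the infix reading of the filter and ['alice']: bob is excluded by the promotion clause and carol by eduPersonAffiliation=student, which is exactly the scoping that keeps staff accounts out of a student import. Feeding it the filter with one closing parenthesis too many raises FilterError instead of reaching the directory.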
- In Administration menu : Structure > feeds, create a new import :
- Name: import 2013 (for example)
- In basic settings :
- periodic import: Disabled
- Fetcher: LDAP Query Fetcher
- LDAP Query Fetcher: promo2013 (the query created at the beginning of this tutorial)
- Parser: LDAP Entry Parser for Feeds
- Processor : User processor
- User processor: choose whether you want to add a role to the users you're going to import
- Mapping (source names in lower case):
| Source | Target |
| uid | User name (unique) |
| maillocaladdress | Email address (unique) |
| sn | Last name |
| givenname | First name |
| supannaffectation | Promotion |
To avoid problems, in Administration menu: Configuration > People > LDAP configuration > Authorization > edit, untick the box at the very bottom, Create drupal roles if they do not exist.
This prevents a flood of unintended roles being created by the import.
In Navigation > Import, choose the import you created, then click Import.
The users should now have been created.
Enjoy! :)