Use GTED to Automatically Add Users to Roles or Organic Groups [Drupal 7]

Requirements

Drupal 7
A departmental GTED account
Installing the following modules (in dependency order). Note: All of the "LDAP *" modules are part of the LDAP module package.
- CTools (ctools)
- Entity API (entity)
- Number - Drupal Core Module
- LDAP Servers (ldap_servers)
- LDAP User Module (ldap_user)
- LDAP Query (ldap_query)
- LDAP Authorization (ldap_authorization)
- LDAP Authorization - Drupal Roles (ldap_authorization_drupal_role)
Organic Groups - optional, but we will include setup instructions; adding Organic Groups requires the following modules:
- List - Drupal Core Module
- Text - Drupal Core Module
- Entity API (entity)
- Entity reference (entityreference) - required for Organic Groups https://drupal.org/project/Entityreference
- Organic groups UI - Sub-module of Organic Groups
- Organic groups access control - Sub-module of Organic Groups
- LDAP Authorization - OG (organic Groups) (ldap_authorization_og)

Setup

Create your Roles

Go to /admin/people/permissions/roles or People -> Permissions -> Roles and create the roles you are going to populate. For this demo, we will create three: Employees, Faculty and Staff.

Create your Organic Groups (Optional)

Organic Groups requires a content type and a bit of setup. We will assume that this has been done already. For this demo, we will create three: OGEmployees, OGFaculty and OGStaff.

Set Up LDAP

Head to /admin/config/people/ldap or Configuration -> People -> LDAP Configuration

Settings

You can leave everything the same here, though you may want to check "Enabled Detailed Watchdog Logging" for testing.

Servers

Select the Add LDAP Server Configuration button.

Connection Settings

Machine name and name can be whatever you want.
Check Enabled
Server Type is default
LDAP server is ldaps://r.gted.gatech.edu The ldaps:// in front is important!
LDAP Port is 636. This is the secure LDAP port.

Binding Method

Binding Method for Searches should be Service Account Bind
DN for non-anonymous search is: uid=XXXXXX,ou=Local Accounts,dc=gted,dc=gatech,dc=edu with XXXXXX replaced by your departmental GTED login account

LDAP User to Drupal User Relationship

The Base DNs for LDAP users, groups, and other entries will be ou=accounts,ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu
AuthName attribute is uid. In GTED, your uid is your gt account.
Not including for now - Email Attribute is gtprimaryemailaddress

LDAP Group Configuration

This is where things get funky.

The quick version:

Check A user LDAP attribute such as memberOf exists that contains a list of their groups.
Enter edupersonscopedaffiliation for Attribute in User Entry Containing Groups

Save!

Testing

You should now have a GTED server set up. If it is not enabled, do that now.

Now let's ake sure you can connect and read a record. Click test. Under "Testing Drupal Username" enter a GT account that is an active user in Drupal (preferrably your own) and click the "Test"

You may see a bunch of error messages, but you should also see a lot of info about yourself.

More Details

LDAP supports groups, but GTED doesn't use them. What we do use is a field in the eduPerson schema named eduPersonScopedAffiliation. This can have multiple entries. Here's mine as an example:

member@gtaccounts
employee@gt
member@gt
credit-alum@gt
former-credit-student@gt
employee@psdept 490:arch-admin:college of arch adm & schools
member@psdept 490:arch-admin:college of arch adm & schools
employee@coa
member@coa
faculty@gt
faculty@coa
faculty@psdept 490:arch-admin:college of arch adm & schools

Any of these can be used to sort people into a group. There are a lot more. Here's some examples from a grad student who is part of the HCI program, so they are a member of the College of Computing, College of Architecture, and Psychology departments.

credit-student@gt
student@gt
graduate-student@gt
masters-student@gt
student-employee@coa
student-employee@gt
member@coa
student@coc
member@coc
student@psych
student@coa
member@psych

There's plenty of things that we can do with all this. My goal was to set up automatic grouping for our Intranet, so we could have things only visible to faculty, or staff, or students.

User

Leave this alone for now. We could use LDAP to behave like CAS and handle authentication and have users auto-created when verified by LDAP. CAS works fine, so let's not mess with it.

Authorization - Roles

Add a Drupal Role Configuration.

Make sure the GTED server is selected

Check "Enable this Configuration"

Uncheck "Only apply the following LDAP to drupal role configuration to users authenticated via LDAP." The basic GT Drupal install is using CAS for authentication.

Enter your LDAP to Drupal in the "Mapping of LDAP to drupal role" box. The basic form for GTED will be the edupersonscopedaffiliation value, then the drupal group.

So for our three Roles, the entries should be:

employee@gt|Employees
faculty@gt|Faculty
staff@gt|Staff

Click Add

Back on the Authorization screen. First, make sure your config is enabled. Frequently it won't be if it was just created. If you need to, just edit and Enable it. Click test on the entry you just created.

Enter your own GT Account, and a few others then test. If everything works, you should see entries in the "Authorization IDs" column for anyone who was filtered into a group.

Authorization - Organic Groups

This is very similar to the way that Roles are configured, except that the mappings correspond to the Organic Group name and role. For this demo we use:

employee@gt|node:OGEmployees:2
faculty@gt|node:OGFaculty:2
staff@gt|node:OGStaff:2

Note: As of 4/16/2014 there is a bug in LDAP Authorization of Organic Groups. If a user has the "Administer Organic groups permissions" which GT Super Administrators do, then they will not be added to the Organic Groups on login. It seems to work fine for users without OG Admin rights. https://drupal.org/node/2064319