Use GTED to Automatically Add Users to Roles or Organic Groups


On campus we have GTED, the Georgia Tech Enterprise Directory, an LDAP server that stores lots of information about people.  Some is public, but a lot of it is private. With a departmental account, you can get a lot of information and feed it into Drupal to automatically set up groups of users.

Requirements

  • Drupal 7
  • A departmental GTED account
  • Install the following modules (in dependency order). Note: all of the "LDAP *" modules are part of the LDAP module package.
    • CTools (ctools)
    • Entity API (entity)
    • Number - Drupal Core Module
    • LDAP Servers (ldap_servers)
    • LDAP User Module (ldap_user)
    • LDAP Query (ldap_query)
    • LDAP Authorization (ldap_authorization)
    • LDAP Authorization - Drupal Roles (ldap_authorization_drupal_role)
  • Organic Groups - optional, but we will include setup instructions; adding Organic Groups requires the following modules:
    • List - Drupal Core Module
    • Text - Drupal Core Module
    • Entity API (entity)
    • Entity reference (entityreference) - required for Organic Groups https://drupal.org/project/Entityreference
    • Organic groups UI - Sub-module of Organic Groups
    • Organic groups access control - Sub-module of Organic Groups
    • LDAP Authorization - OG (organic Groups) (ldap_authorization_og)

Setup

Create your Roles

Go to /admin/people/permissions/roles or People -> Permissions -> Roles and create the roles you are going to populate. For this demo, we will create three: Employees, Faculty and Staff.

Create your Organic Groups (Optional)

Organic Groups requires a content type and a bit of setup. We will assume that this has been done already. For this demo, we will create three: OGEmployees, OGFaculty and OGStaff.

Set Up LDAP

Head to /admin/config/people/ldap or Configuration -> People -> LDAP Configuration

Settings

You can leave everything the same here, though you may want to check "Enabled Detailed Watchdog Logging" for testing.

Servers

Select the Add LDAP Server Configuration button.

Connection Settings

  • Machine name and name can be whatever you want.
  • Check Enabled
  • Server Type is default
  • LDAP server is ldaps://r.gted.gatech.edu. The ldaps:// in front is important: it is what keeps the service-account bind credentials and the directory data encrypted in transit.
  • LDAP Port is 636. This is the secure LDAP port.

Binding Method

  • Binding Method for Searches should be Service Account Bind
  • DN for non-anonymous search is: uid=XXXXXX,ou=Local Accounts,dc=gted,dc=gatech,dc=edu with XXXXXX replaced by your departmental GTED login account

LDAP User to Drupal User Relationship

  • The Base DNs for LDAP users, groups, and other entries will be ou=accounts,ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu
  • AuthName attribute is uid. In GTED, your uid is your gt account.
  • Not included for now: the Email Attribute would be gtprimaryemailaddress.

LDAP Group Configuration

This is where things get funky.

The quick version:

  • Check A user LDAP attribute such as memberOf exists that contains a list of their groups.
  • Enter edupersonscopedaffiliation for Attribute in User Entry Containing Groups

Save!

Testing

You should now have a GTED server set up. If it is not enabled, do that now.

Now let's make sure you can connect and read a record. Click Test. Under "Testing Drupal Username" enter a GT account that is an active user in Drupal (preferably your own) and click the "Test" button.

You may see a bunch of error messages, but you should also see a lot of info about yourself.

More Details

LDAP supports groups, but GTED doesn't use them. What we do use is a field in the eduPerson schema named eduPersonScopedAffiliation. This can have multiple entries. Here's mine as an example:

  • member@gtaccounts
  • employee@gt
  • member@gt
  • credit-alum@gt
  • former-credit-student@gt
  • employee@psdept 490:arch-admin:college of arch adm & schools
  • member@psdept 490:arch-admin:college of arch adm & schools
  • employee@coa
  • member@coa
  • faculty@gt
  • faculty@coa
  • faculty@psdept 490:arch-admin:college of arch adm & schools

Any of these can be used to sort people into a group. There are a lot more. Here are some examples from a grad student who is part of the HCI program, so they are a member of the College of Computing, College of Architecture, and Psychology departments.

  • credit-student@gt
  • student@gt
  • graduate-student@gt
  • masters-student@gt
  • student-employee@coa
  • student-employee@gt
  • member@coa
  • student@coc
  • member@coc
  • student@psych
  • student@coa
  • member@psych

There are plenty of things we can do with all this. My goal was to set up automatic grouping for our Intranet, so we could have things only visible to faculty, or staff, or students.

User

Leave this alone for now. We could use LDAP to behave like CAS and handle authentication and have users auto-created when verified by LDAP.  CAS works fine, so let's not mess with it.

Authorization - Roles

Add a Drupal Role Configuration.

Make sure the GTED server is selected

Check "Enable this Configuration"

Uncheck "Only apply the following LDAP to drupal role configuration to users authenticated via LDAP." The basic GT Drupal install is using CAS for authentication.

Enter your LDAP-to-Drupal mappings in the "Mapping of LDAP to drupal role" box, one per line. The basic form for GTED is the edupersonscopedaffiliation value, a pipe, then the Drupal role.

So for our three Roles, the entries should be:

employee@gt|Employees
faculty@gt|Faculty
staff@gt|Staff

Click Add

Back on the Authorization screen, first make sure your config is enabled; frequently it won't be if it was just created. If you need to, edit it and enable it. Then click Test on the entry you just created.

Enter your own GT Account, and a few others then test. If everything works, you should see entries in the "Authorization IDs" column for anyone who was filtered into a group.

Authorization - Organic Groups

This is very similar to the way that Roles are configured, except that the mappings correspond to the Organic Group name and role. For this demo we use:

employee@gt|node:OGEmployees:2
faculty@gt|node:OGFaculty:2
staff@gt|node:OGStaff:2

Note: As of 4/16/2014 there is a bug in LDAP Authorization of Organic Groups. If a user has the "Administer Organic groups permissions" which GT Super Administrators do, then they will not be added to the Organic Groups on login. It seems to work fine for users without OG Admin rights.  https://drupal.org/node/2064319
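As an added illustration of how the Roles and Organic Groups mapping lines above resolve against a user's multi-valued eduPersonScopedAffiliation attribute (this is not the LDAP Authorization module's own code): the sample affiliation lists are copied from the two example users on this page, and case-insensitive matching of the LDAP values is an assumption.

```python
# Added illustration (not the LDAP Authorization module's own code): resolve the
# "ldap_value|drupal_target" mapping lines from this page against a user's
# multi-valued eduPersonScopedAffiliation attribute.
from dataclasses import dataclass

ROLE_MAPPINGS = "employee@gt|Employees\nfaculty@gt|Faculty\nstaff@gt|Staff\n"
OG_MAPPINGS = ("employee@gt|node:OGEmployees:2\n"
               "faculty@gt|node:OGFaculty:2\nstaff@gt|node:OGStaff:2\n")
# Affiliation values copied from the two example users on this page (abridged).
FACULTY_USER = ["member@gtaccounts", "employee@gt", "member@gt", "faculty@gt",
                "employee@psdept 490:arch-admin:college of arch adm & schools"]
GRAD_STUDENT = ["credit-student@gt", "student@gt", "student-employee@gt",
                "member@coa", "student@coc", "member@psych"]

@dataclass(frozen=True)
class OgTarget:
    entity_type: str  # "node"
    group: str        # OG group title, e.g. "OGEmployees"
    og_role_id: int   # OG role id, e.g. 2

def parse_mappings(text):
    """'ldap_value|drupal_target' lines -> ordered dict {ldap_value: target}.
    Blank lines are skipped; any other malformed line raises instead of
    silently producing a mapping that matches nobody."""
    mappings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: expected 'ldap_value|target', got {raw!r}")
        mappings[parts[0].lower()] = parts[1]  # assumption: case-insensitive match
    return mappings

def parse_og_target(target):
    """Split an OG target such as 'node:OGEmployees:2' into its three parts."""
    entity_type, group, role_id = target.split(":")
    return OgTarget(entity_type, group, int(role_id))

def resolve(affiliations, mappings):
    """Targets a user earns, in mapping order, without duplicates."""
    have = {a.strip().lower() for a in affiliations}
    granted = []
    for ldap_value, target in mappings.items():
        if ldap_value in have and target not in granted:
            granted.append(target)
    return granted
```

Calling resolve(FACULTY_USER, parse_mappings(ROLE_MAPPINGS)) yields the Employees and Faculty roles and nothing for the grad student, which matches what the "Authorization IDs" column on the Test screen should show for those two accounts.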