On campus we have GTED, the Georgia Tech Enterprise Directory, an LDAP server that stores lots of information about people. Some is public, but a lot of it is private. With a departmental account, you can get a lot of information and feed it into Drupal to automatically set up groups of users.
- Drupal 7
- A departmental GTED account
- Installing the following modules (in dependency order). Note: All of the "LDAP *" modules are part of the LDAP module package.
- Organic Groups - optional, but we will include setup instructions; adding Organic Groups requires the following modules:
- List - Drupal Core Module
- Text - Drupal Core Module
- Entity API (entity)
- Entity reference (entityreference) - required for Organic Groups https://drupal.org/project/Entityreference
- Organic groups UI - Sub-module of Organic Groups
- Organic groups access control - Sub-module of Organic Groups
- LDAP Authorization - OG (organic Groups) (ldap_authorization_og)
Create your Roles
/admin/people/permissions/roles or People -> Permissions -> Roles and create the roles you are going to populate. For this demo, we will create three: Employees, Faculty and Staff.
Create your Organic Groups (Optional)
Organic Groups requires a content type and a bit of setup. We will assume that this has been done already. For this demo, we will create three: OGEmployees, OGFaculty and OGStaff.
Set Up LDAP
/admin/config/people/ldap or Configuration -> People -> LDAP Configuration
You can leave everything the same here, though you may want to check "Enabled Detailed Watchdog Logging" for testing.
Select the Add LDAP Server Configuration button.
- Machine name and name can be whatever you want.
- Check Enabled
- Server Type is default
- LDAP server is
ldaps://r.gted.gatech.eduThe ldaps:// in front is important!
- LDAP Port is 636. This is the secure LDAP port.
- Binding Method for Searches should be Service Account Bind
- DN for non-anonymous search is:
uid=XXXXXX,ou=Local Accounts,dc=gted,dc=gatech,dc=eduwith XXXXXX replaced by your departmental GTED login account
LDAP User to Drupal User Relationship
- The Base DNs for LDAP users, groups, and other entries will be
- AuthName attribute is uid. In GTED, your uid is your gt account.
- Not including for now - Email Attribute is gtprimaryemailaddress
LDAP Group Configuration
This is where things get funky.
The quick version:
- Check A user LDAP attribute such as memberOf exists that contains a list of their groups.
edupersonscopedaffiliationfor Attribute in User Entry Containing Groups
You should now have a GTED server set up. If it is not enabled, do that now.
Now let's ake sure you can connect and read a record. Click test. Under "Testing Drupal Username" enter a GT account that is an active user in Drupal (preferrably your own) and click the "Test"
You may see a bunch of error messages, but you should also see a lot of info about yourself.
LDAP supports groups, but GTED doesn't use them. What we do use is a field in the eduPerson schema named eduPersonScopedAffiliation. This can have multiple entries. Here's mine as an example:
- employee@psdept 490:arch-admin:college of arch adm & schools
- member@psdept 490:arch-admin:college of arch adm & schools
- faculty@psdept 490:arch-admin:college of arch adm & schools
Any of these can be used to sort people into a group. There are a lot more. Here's some examples from a grad student who is part of the HCI program, so they are a member of the College of Computing, College of Architecture, and Psychology departments.
There's plenty of things that we can do with all this. My goal was to set up automatic grouping for our Intranet, so we could have things only visible to faculty, or staff, or students.
Leave this alone for now. We could use LDAP to behave like CAS and handle authentication and have users auto-created when verified by LDAP. CAS works fine, so let's not mess with it.
Authorization - Roles
Add a Drupal Role Configuration.
Make sure the GTED server is selected
Check "Enable this Configuration"
Uncheck "Only apply the following LDAP to drupal role configuration to users authenticated via LDAP." The basic GT Drupal install is using CAS for authentication.
Enter your LDAP to Drupal in the "Mapping of LDAP to drupal role" box. The basic form for GTED will be the edupersonscopedaffiliation value, then the drupal group.
So for our three Roles, the entries should be:
Back on the Authorization screen. First, make sure your config is enabled. Frequently it won't be if it was just created. If you need to, just edit and Enable it. Click test on the entry you just created.
Enter your own GT Account, and a few others then test. If everything works, you should see entries in the "Authorization IDs" column for anyone who was filtered into a group.
Authorization - Organic Groups
This is very similar to the way that Roles are configured, except that the mappings correspond to the Organic Group name and role. For this demo we use:
Note: As of 4/16/2014 there is a bug in LDAP Authorization of Organic Groups. If a user has the "Administer Organic groups permissions" which GT Super Administrators do, then they will not be added to the Organic Groups on login. It seems to work fine for users without OG Admin rights. https://drupal.org/node/2064319