Know Your Role: LDAP Authorization for Drupal
Lightweight Directory Access Protocol (LDAP) can be used to manage the roles of users within an IP network. Drupal can maintain the authorization of a user's permissions without having to go back to the external directory service afterwards: it checks the user's credentials and group memberships once, when they log in. We do this through the 'Authorization' page within the configuration of the LDAP module.
I'll give you an example. Let's say someone has been using an external directory service such as Novell Directory Services for years. This is their normal routine, and the users' credentials are used by a number of systems including Drupal, so they want to keep user administration in Novell. A number of roles were initially set up for convenience, and we need some of those roles removed or adapted based on the users' group memberships in Novell.
First, the two modules need to be enabled by checking their boxes on the LDAP page. These modules are 'LDAP Authorization (Previously LDAP groups)' and 'LDAP Authorization – Drupal Roles'. Then go to the LDAP Configuration page and click 'authorization'. Once you have clicked 'authorization', you should see the Drupal Role module listed with columns for 'LDAP server ID', 'Description', 'Module', 'Consumer Type', 'Enabled' and 'Operations'. Under Enabled it should say 'no', and under Operations you will see a link that says 'add'. Click the add link to go to the settings. Select the radio button for the server that carries the configuration, and check 'Enable this configuration'.
The first option is labeled 'STRATEGY II.A DERIVE DRUPAL ROLES FROM DN IN USER'S LDAP ENTRY'. This option is for organizations whose directory tree itself encodes the hierarchy, so that a user's place in the organization can be read from their distinguished name (DN).
The second option is labeled ‘STRATEGY II.B DERIVE DRUPAL ROLES FROM ATTRIBUTE IN USER’S LDAP ENTRY’. We use this strategy if users’ LDAP entries contain an attribute such as memberOf that contains a list of groups the user belongs to.
The third option is labeled 'STRATEGY II.C DERIVE DRUPAL ROLES FROM LDAP GROUP ENTRIES'. Use this option when Strategy II.B is not available to you, that is, when membership is recorded on the group entries rather than on the user's own entry.
We choose the second option because all our users have a ‘memberOf’ that contains a list of groups the user belongs to.
Our next step is to configure the mappings. We need to know the raw authorization ID in order to link it to the Drupal role. Browse the directory to get this information, either by looking at a user's memberOf attribute or by going to the group and copying its distinguished name. Use that authorization ID to match up with the Drupal roles you have just set. On the "LDAP to Drupal Role Mapping and Filtering" screen you can add multiple roles, one role per line, underneath the "Mapping of LDAP to Drupal Role" text. Note that a user can still be created with only the Authenticated role if their directory credentials are valid but none of their groups matches the role mapping. Therefore you should only grant permissions to users who hold a mapped role. A user without a role should have very limited access, for security reasons and as a precaution.
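To make the mapping step and its failure mode concrete, here is an added illustration of Strategy II.B in Python; it is not code from the Drupal LDAP module, and the group DNs, role names, mapping table and sample user entries are all constructed for the example. It derives a role list from a user's memberOf values, compares DNs case-insensitively (LDAP DNs are not case-sensitive and directories vary in spacing), and shows the case the article warns about: a user whose groups match nothing is left with only the authenticated role. Escaped commas inside DN components are not handled, which is a simplifying assumption.

```python
"""Derive Drupal roles from a user's LDAP memberOf attribute (Strategy II.B).

Added illustration, not code from the Drupal LDAP module. The mapping table,
the sample user entries and the role names are constructed for this example.
"""
from typing import Dict, List

# Constructed mapping: group DN -> Drupal role. In a real deployment the DN
# is copied from the directory (the "raw authorization ID" in the article).
ROLE_MAP: Dict[str, str] = {
    "cn=web editors,ou=groups,o=example": "editor",
    "cn=site admins,ou=groups,o=example": "administrator",
}

# Every successfully authenticated user receives this role regardless of
# group membership, so it should carry minimal permissions.
AUTHENTICATED_ROLE = "authenticated user"


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: lower-case it and drop whitespace
    around the commas. Assumption: no escaped commas inside components."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def derive_roles(member_of: List[str], role_map: Dict[str, str] = ROLE_MAP) -> List[str]:
    """Return the Drupal roles a user should hold, given the memberOf values
    from their LDAP entry. Unknown groups are ignored; a user whose groups
    match nothing ends up with only the authenticated role."""
    normalized_map = {normalize_dn(k): v for k, v in role_map.items()}
    roles = [AUTHENTICATED_ROLE]
    for group_dn in member_of:
        role = normalized_map.get(normalize_dn(group_dn))
        if role and role not in roles:
            roles.append(role)
    return roles


def has_only_default_role(roles: List[str]) -> bool:
    """True when the mapping matched nothing: the account exists, but it
    should be limited to whatever the authenticated role alone permits."""
    return roles == [AUTHENTICATED_ROLE]


# Constructed sample entries, in the mixed case and spacing a directory
# might return them.
SAMPLE_USERS = {
    "jdoe": ["CN=Web Editors, OU=Groups, O=Example", "cn=staff,ou=groups,o=example"],
    "asmith": ["cn=site admins,ou=groups,o=example", "cn=web editors,ou=groups,o=example"],
    "guest": ["cn=visitors,ou=groups,o=example"],
}

if __name__ == "__main__":
    for uid, groups in SAMPLE_USERS.items():
        roles = derive_roles(groups)
        flag = "  <- no mapped group, authenticated only" if has_only_default_role(roles) else ""
        print(f"{uid}: {roles}{flag}")
```

Running it shows jdoe receiving the editor role, asmith both administrator and editor, and guest nothing beyond the authenticated role; that last case is the one to audit in a real site, because such accounts are created silently and only the permissions granted to the authenticated role stand between them and the rest of the site.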
A setup like this minimizes the time spent on administration and only requires your attention if you should decide to adjust the role permissions.
Catalino Calacar is a professional writer for Orange County Drupal developers, a web development company capable of managing everything from small projects to larger initiatives, from concept to launch.