pbarabe/azqs2-ldap.md Secret

## azqs2-ldap.md

      
    Raw
  

              azqs2-ldap.md
            
          
    Map LDAP/Grouper memberships to Drupal roles in AZ QuickStart 2

This configuration works to map LDAP memberOf and/or Grouper isMemberOf affiliations to Drupal roles using Drupal 9.x or 10.x.
I. Install and Enable LDAP and Other Needed Modules

Mapping EDS/Grouper memberships to Drupal roles requires installing the ldap* module and enabling the ldap, ldap_authorization, and authorization_drupal_roles modules in the Drupal instance.
If the site is hosted on Pantheon, this can be done using terminus and the terminus-composer plugin.

Set the dev env of the site to sftp connection mode:

terminus connection:set mysite.dev sftp
Make the ldap module a composer dependency:

terminus remote:composer mysite.dev -- require 'drupal/ldap'
Enable the ldap, ldap_authorization, and authorization_drupal_roles modules:

terminus remote:drush mysite.dev -- en ldap ldap_authorization authorization_drupal_roles
Commit changes to the remote composer.json file and change the connection mode back to gi:

terminus env:commit mysite.dev && terminus connection:set mysite.dev git

II. Configure an LDAP Server Connection to EDS

This requires EDS client account credentials, which can be provisioned for UA IT professionals.
In your Drupal site, navigate to Administration -> Configuration -> People -> LDAP -> Servers and add a new server.

Server

Name: UA EDS (or whatever you like)
Machine-readable name: ua_eds (or whatever you like)
Enabled: checked
LDAP Server Type: Default LDAP
Server address: (get this from your EDS account credentials setup or Confluence)
Server port: (get this from your EDS account credentials setup or Confluence)
Encryption: SSL


Binding

Service Account Bind: selected
DN for non-anonymous search: uid=my-eds-account-name,ou=App Users,dc=eds,dc=arizona,dc=edu

(replace my-eds-account-name with the application/username of your EDS account credentials)
Password for non-anonymous search: your EDS account passphrase


Users

Base DNs for LDAP users, groups, and other entries: ou=People,dc=eds,dc=arizona,dc=edu
Authentication name attribute: uid
Account name attribute: uid
Email attribute: mail


Groups

Groups are not relevent...: unchecked
LDAP Group Entry Attribute Holding User's DN, CN, etc.: uid
Derive from user attribute

A user LDAP attribute such as memberOf exists...: checked
Attribute in User Entry Containing Groups: ismemberof


Click Save
Test the server configuration

In the table listing your server configuration, click the dropdown under Operations and select Test
Send a test query using your NetID for the value of Authentication name and verify that the query returns your information from EDS, including any isMemberOf affiliations.


III. Configure an Authorization Profile


Navigate to Administration -> Configuration -> People -> Authorization Profile and add a new profile.

Profile Name: EDS isMemberOf (or whatever you like)
Machine-readable name: eds_ismemberof (or whatever you like)
Enabled: checked
Provider: LDAP Authorization (selected)
Consumer: Drupal Roles (selected)
Configure LDAP Authorization profider

LDAP Server used in configuration: UA EDS (selected)


Configure Conditions

Revoke Drupal Roles grants previously granted by LDAP Authorization in this profile: checked

Do this if you want Drupal roles that are mapped to LDAP isMemberOf groups to be removed when a user logs in and is no longer a member of the group.


LDAP Authorization - add one or more new queries:

LDAP Query: arizona.edu:dept:my-dept:my-stem:mygroup
Role: Select the Drupal role the specified LDAP Query should be mapped to


Click Save


If you are a member of one of the mapped groups, test the configuration by logging out and logging back in again. If configured correctly, you should then be a member of the Drupal role(s) that you mapped.

Adapted from:


A previous implementation documented for Drupal 7
This comment in an LDAP issue thread