Provisioning = creating or synching ... to Drupal or to LDAP.
==========================================
LDAP User Data Structures in Drupal User Object
==========================================
'data' =>
|
12 |
|
|
array (
|
13 |
|
|
'ldap_user' =>
|
14 |
|
|
array (
|
15 |
|
|
'init' =>
|
16 |
|
|
array (
|
17 |
|
|
'sid' => 'activedirectory1',
|
18 |
|
|
'dn' => 'cn=hpotter,ou=people,dc=hogwarts,dc=edu',
|
19 |
|
|
'mail' => 'hpotter@hogwarts.edu',
|
20 |
|
|
),
|
21 |
|
|
),
|
22 |
|
|
'ldap_authorizations' =>
|
23 |
|
|
array (
|
24 |
|
|
'drupal_role' =>
|
25 |
|
|
array (
|
26 |
|
|
'cn=gryffindor,ou=groups,dc=hogwarts,dc=edu' =>
|
27 |
|
|
array (
|
28 |
|
|
'date_granted' => 1351194052,
|
29 |
|
|
),
|
30 |
|
|
'cn=honors students,ou=groups,dc=hogwarts,dc=edu' =>
|
31 |
|
|
array (
|
32 |
|
|
'date_granted' => 1351194052,
|
33 |
|
|
),
|
34 |
|
|
'students' =>
|
35 |
|
|
array (
|
36 |
|
|
'date_granted' => 1351194052,
|
37 |
|
|
),
|
38 |
|
|
),
|
39 |
|
|
),
|
40 |
|
|
),
|
41 |
|
|
|
42 |
|
|
'ldap_user_puid_sid' =>
|
43 |
|
|
array (
|
44 |
|
|
'und' =>
|
45 |
|
|
array (
|
46 |
|
|
0 =>
|
47 |
|
|
array (
|
48 |
|
|
'value' => 'activedirectory1',
|
49 |
|
|
'format' => NULL,
|
50 |
|
|
'safe_value' => 'activedirectory1',
|
51 |
|
|
),
|
52 |
|
|
),
|
53 |
|
|
),
|
54 |
|
|
'ldap_user_puid' =>
|
55 |
|
|
array (
|
56 |
|
|
'und' =>
|
57 |
|
|
array (
|
58 |
|
|
0 =>
|
59 |
|
|
array (
|
60 |
|
|
'value' => '101',
|
61 |
|
|
'format' => NULL,
|
62 |
|
|
'safe_value' => '101',
|
63 |
|
|
),
|
64 |
|
|
),
|
65 |
|
|
),
|
66 |
|
|
'ldap_user_puid_property' =>
|
67 |
|
|
array (
|
68 |
|
|
'und' =>
|
69 |
|
|
array (
|
70 |
|
|
0 =>
|
71 |
|
|
array (
|
72 |
|
|
'value' => 'guid',
|
73 |
|
|
'format' => NULL,
|
74 |
|
|
'safe_value' => 'guid',
|
75 |
|
|
),
|
76 |
|
|
),
|
77 |
|
|
),
|
78 |
|
|
'ldap_user_current_dn' =>
|
79 |
|
|
array (
|
80 |
|
|
'und' =>
|
81 |
|
|
array (
|
82 |
|
|
0 =>
|
83 |
|
|
array (
|
84 |
|
|
'value' => 'cn=hpotter,ou=people,dc=hogwarts,dc=edu',
|
85 |
|
|
'format' => NULL,
|
86 |
|
|
'safe_value' => 'cn=hpotter,ou=people,dc=hogwarts,dc=edu',
|
87 |
|
|
),
|
88 |
|
|
),
|
89 |
|
|
),
|
90 |
|
|
'ldap_user_prov_entries' =>
|
91 |
|
|
array (
|
92 |
|
|
),
|
93 |
|
|
'ldap_user_last_checked' =>
|
94 |
|
|
array (
|
95 |
|
|
),
|
96 |
|
|
'ldap_authorizations' =>
|
97 |
|
|
array (
|
98 |
|
|
),
|
==========================================
Rough Summary of provisioning configuration and controls
1. Configured triggers (admin/config/people/ldap/user) or the configuration of other modules
|
108 |
|
|
determine when provisioning happens.
|
109 |
|
|
|
110 |
|
|
// configurable drupal acct provision triggers
|
111 |
|
|
LDAP_USER_DRUPAL_USER_PROV_ON_USER_UPDATE_CREATE
|
112 |
|
|
LDAP_USER_DRUPAL_USER_PROV_ON_AUTHENTICATE
|
113 |
|
|
LDAP_USER_DRUPAL_USER_PROV_ON_ALLOW_MANUAL_CREATE
|
114 |
|
|
|
115 |
|
|
// configurable ldap entry provision triggers
|
116 |
|
|
LDAP_USER_LDAP_ENTRY_PROV_ON_USER_UPDATE_CREATE
|
117 |
|
|
LDAP_USER_LDAP_ENTRY_PROV_ON_AUTHENTICATE
|
118 |
|
|
LDAP_USER_LDAP_ENTRY_DELETE_ON_USER_DELETE
|
119 |
|
|
|
120 |
|
|
|
121 |
|
|
2. hook_user_* functions (and code elsewhere, such as ldap_authentication) check whether the appropriate triggers are enabled and initiate calls to ldapUserConf methods:
|
122 |
|
|
|
123 |
|
|
ldapUserConf::provisionDrupalAccount()
|
124 |
|
|
ldapUserConf::synchToDrupalAccount()
|
125 |
|
|
ldapUserConf::ldapAssociateDrupalAccount()
|
126 |
|
|
ldapUserConf::deleteDrupalAccount()
|
127 |
|
|
|
128 |
|
|
ldapUserConf::provisionLdapEntry()
|
129 |
|
|
ldapUserConf::synchToLdapEntry()
|
130 |
|
|
ldapUserConf::deleteProvisionedLdapEntries()
|
131 |
|
|
|
132 |
|
|
3. To get mappings and determine which attributes are needed, "ldap_contexts" and "prov_events" are passed into
|
133 |
|
|
ldap_servers_get_user_ldap_data()
|
134 |
|
|
ldapUserConf::drupalUserToLdapEntry()
|
135 |
|
|
|
136 |
|
|
|
137 |
|
|
4. Should provisioning happen?
|
138 |
|
|
|
139 |
|
|
------------
|
140 |
|
|
4.A. Server Level: Does an ldap server configuration support provisioning?
|
141 |
|
|
ldapUserConf::drupalAcctProvisionServer = <sid> | LDAP_USER_NO_SERVER_SID; // servers used for provisioning to drupal accounts
|
142 |
|
|
ldapUserConf::ldapEntryProvisionServer = <sid> | LDAP_USER_NO_SERVER_SID; // servers used for provisioning to ldap
|
143 |
|
|
|
144 |
|
|
This is directly configured at config/people/ldap/user.
|
145 |
|
|
|
146 |
|
|
------------
|
147 |
|
|
4.B. Trigger Level: Does provisioning occur for a given trigger?
|
148 |
|
|
ldapUserConf::provisionEnabled($direction, $provision_trigger)
|
149 |
|
|
|
150 |
|
|
This method is based on the configuration of two sets of checkboxes at config/people/ldap/user.
|
151 |
|
|
|
152 |
|
|
ldapUserConf::drupalAcctProvisionTriggers (see "LDAP Entry Provisioning Options"), contains:
|
153 |
|
|
LDAP_USER_DRUPAL_USER_PROV_ON_AUTHENTICATE
|
154 |
|
|
LDAP_USER_DRUPAL_USER_PROV_ON_USER_UPDATE_CREATE
|
155 |
|
|
LDAP_USER_DRUPAL_USER_PROV_ON_ALLOW_MANUAL_CREATE
|
156 |
|
|
|
157 |
|
|
ldapUserConf::ldapEntryProvisionTriggers (see "Drupal Account Provisioning Options"), contains:
|
158 |
|
|
LDAP_USER_LDAP_ENTRY_PROV_ON_USER_UPDATE_CREATE
|
159 |
|
|
LDAP_USER_LDAP_ENTRY_DELETE_ON_USER_DELETE
|
160 |
|
|
LDAP_USER_LDAP_ENTRY_PROV_ON_AUTHENTICATE
|
161 |
|
|
|
162 |
|
|
@todo. A hook to allow other modules to intervene here
|
163 |
|
|
|
164 |
|
|
------------
|
165 |
|
|
4.C. Field Level: Does provisioning occur for a given field and ldap server for a given "prov_event" and "ldap_context"?
|
166 |
|
|
|
167 |
|
|
ldapUserConf::isSynched($field, $prov_event, $direction)
|
168 |
|
|
|
169 |
|
|
This depends on:
|
170 |
|
|
ldapUserConf::synchMapping[$direction][$field]['prov_events']
|
171 |
|
|
which is populated by the various ldap modules and possibly by other modules.
|
172 |
|
|
|
173 |
|
|
"ldap_contexts" (any module can provide its own context, which is just a string)
|
174 |
|
|
ldap_user_insert_drupal_user
|
175 |
|
|
ldap_user_update_drupal_user
|
176 |
|
|
ldap_authentication_authenticate
|
177 |
|
|
ldap_user_delete_drupal_user
|
178 |
|
|
ldap_user_disable_drupal_user
|
179 |
|
|
all
|
180 |
|
|
|
181 |
|
|
"prov_events"
|
182 |
|
|
LDAP_USER_EVENT_SYNCH_TO_DRUPAL_USER
|
183 |
|
|
LDAP_USER_EVENT_CREATE_DRUPAL_USER
|
184 |
|
|
LDAP_USER_EVENT_SYNCH_TO_LDAP_ENTRY
|
185 |
|
|
LDAP_USER_EVENT_CREATE_LDAP_ENTRY
|
186 |
|
|
LDAP_USER_EVENT_LDAP_ASSOCIATE_DRUPAL_ACCT
|
187 |
|
|
|
188 |
|
|
|