provisioning = creating or synching ... to drupal or to ldap
==========================================
LDAP User Data Structures in Drupal User Object
==========================================
'data' =>
array (
'ldap_user' =>
array (
'init' =>
array (
'sid' => 'activedirectory1',
'dn' => 'cn=hpotter,ou=people,dc=hogwarts,dc=edu',
'mail' => 'hpotter@hogwarts.edu',
),
),
'ldap_authorizations' =>
array (
'drupal_role' =>
array (
'cn=gryffindor,ou=groups,dc=hogwarts,dc=edu' =>
array (
'date_granted' => 1351194052,
),
'cn=honors students,ou=groups,dc=hogwarts,dc=edu' =>
array (
'date_granted' => 1351194052,
),
'students' =>
array (
'date_granted' => 1351194052,
),
),
),
),
'ldap_user_puid_sid' =>
array (
'und' =>
array (
0 =>
array (
'value' => 'activedirectory1',
'format' => NULL,
'safe_value' => 'activedirectory1',
),
),
),
'ldap_user_puid' =>
array (
'und' =>
array (
0 =>
array (
'value' => '101',
'format' => NULL,
'safe_value' => '101',
),
),
),
'ldap_user_puid_property' =>
array (
'und' =>
array (
0 =>
array (
'value' => 'guid',
'format' => NULL,
'safe_value' => 'guid',
),
),
),
'ldap_user_current_dn' =>
array (
'und' =>
array (
0 =>
array (
'value' => 'cn=hpotter,ou=people,dc=hogwarts,dc=edu',
'format' => NULL,
'safe_value' => 'cn=hpotter,ou=people,dc=hogwarts,dc=edu',
),
),
),
'ldap_user_prov_entries' =>
array (
),
'ldap_user_last_checked' =>
array (
),
'ldap_authorizations' =>
array (
),
==========================================
Rough Summary of provisioning configuration and controls
==========================================
1. configured triggers (admin/config/people/ldap/user) or configuration of other modules
determine when provisioning happens.
// configurable drupal acct provision triggers
LDAP_USER_DRUPAL_USER_PROV_ON_USER_UPDATE_CREATE
LDAP_USER_DRUPAL_USER_PROV_ON_AUTHENTICATE
LDAP_USER_DRUPAL_USER_PROV_ON_ALLOW_MANUAL_CREATE
// configurable ldap entry provision triggers
LDAP_USER_LDAP_ENTRY_PROV_ON_USER_UPDATE_CREATE
LDAP_USER_LDAP_ENTRY_PROV_ON_AUTHENTICATE
LDAP_USER_LDAP_ENTRY_DELETE_ON_USER_DELETE
2. hook_user_* functions (and code elsewhere, such as ldap_authentication) will check if the appropriate triggers are enabled and initiate calls to ldapUserConf methods:
ldapUserConf::provisionDrupalAccount()
ldapUserConf::synchToDrupalAccount()
ldapUserConf::ldapAssociateDrupalAccount()
ldapUserConf::deleteDrupalAccount()
ldapUserConf::provisionLdapEntry()
ldapUserConf::synchToLdapEntry()
ldapUserConf::deleteProvisionedLdapEntries()
3. To get mappings and determine which attributes are needed, "ldap_contexts" and "prov_events" are passed into
ldap_servers_get_user_ldap_data()
ldapUserConf::drupalUserToLdapEntry()
4. Should provisioning happen?
------------
4.A. Server Level: Does an ldap server configuration support provisioning?
ldapUserConf::drupalAcctProvisionServer = <sid> | LDAP_USER_NO_SERVER_SID; // server used for provisioning to drupal accts
ldapUserConf::ldapEntryProvisionServer = <sid> | LDAP_USER_NO_SERVER_SID; // server used for provisioning to ldap
This is directly configured at config/people/ldap/user
------------
4.B. Trigger Level: Does provisioning occur for a given trigger?
ldapUserConf::provisionEnabled($direction, $provision_trigger)
This method is based on the configuration of two sets of checkboxes at config/people/ldap/user
ldapUserConf::drupalAcctProvisionTriggers (see "LDAP Entry Provisioning Options"), contains:
LDAP_USER_DRUPAL_USER_PROV_ON_AUTHENTICATE
LDAP_USER_DRUPAL_USER_PROV_ON_USER_UPDATE_CREATE
LDAP_USER_DRUPAL_USER_PROV_ON_ALLOW_MANUAL_CREATE
ldapUserConf::ldapEntryProvisionTriggers (see "Drupal Account Provisioning Options"), contains:
LDAP_USER_LDAP_ENTRY_PROV_ON_USER_UPDATE_CREATE
LDAP_USER_LDAP_ENTRY_DELETE_ON_USER_DELETE
LDAP_USER_LDAP_ENTRY_PROV_ON_AUTHENTICATE
@todo. A hook to allow other modules to intervene here
------------
4.C. Field Level: Does provisioning occur for a given field and ldap server for a given "prov_event" and "ldap_context"?
ldapUserConf::isSynched($field, $prov_event, $direction)
This depends on:
ldapUserConf::synchMapping[$direction][$field]['prov_events']
which is populated by various ldap and possibly other modules.
"ldap_contexts" (any module can provide its own context, which is just a string)
ldap_user_insert_drupal_user
ldap_user_update_drupal_user
ldap_authentication_authenticate
ldap_user_delete_drupal_user
ldap_user_disable_drupal_user
all
"prov_events"
LDAP_USER_EVENT_SYNCH_TO_DRUPAL_USER
LDAP_USER_EVENT_CREATE_DRUPAL_USER
LDAP_USER_EVENT_SYNCH_TO_LDAP_ENTRY
LDAP_USER_EVENT_CREATE_LDAP_ENTRY
LDAP_USER_EVENT_LDAP_ASSOCIATE_DRUPAL_ACCT