
function ldapgroups_admin_edit in LDAP integration 6

Same name and namespace in other branches
  1. 5.2 ldapgroups.module \ldapgroups_admin_edit()
  2. 5 ldapgroups.module \ldapgroups_admin_edit()

Implements the LDAP server edit page.

Parameters

$form_state: A form state array.

$op: An operation - edit or reset.

$sid: An LDAP server ID.

Return value

The form structure.

1 string reference to 'ldapgroups_admin_edit'
ldapgroups_menu in ./ldapgroups.module
Implementation of hook_menu().

File

./ldapgroups.admin.inc, line 65
Module admin page callbacks.

Code

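/**
 * Implements the LDAP server edit page.
 *
 * Menu callback for the per-server LDAP groups settings. For $op 'reset' a
 * confirmation form is returned; for $op 'edit' the settings form is built
 * from the server's row in {ldapauth}; any other $op, a missing $sid or an
 * unknown $sid redirects to the server listing.
 *
 * @param $form_state
 *   A form state array.
 * @param $op
 *   An operation - 'edit' or 'reset'.
 * @param $sid
 *   An LDAP server ID.
 *
 * @return
 *   The form structure. The redirect branches call drupal_goto(), which does
 *   not return.
 */
function ldapgroups_admin_edit(&$form_state, $op, $sid) {
  if ($op === 'reset' && $sid) {
    $form = array();
    $form['sid'] = array(
      '#type' => 'value',
      '#value' => $sid,
    );
    // The description used to open an <em> and close a </p>; close the tag it
    // opened so the confirmation page markup is well-formed.
    return confirm_form($form, t('Are you sure you want to reset the groups mapping to defaults ?'), 'admin/settings/ldap/ldapgroups', t('<em>This action cannot be undone.</em>'), t('Reset'), t('Cancel'));
  }
  elseif ($op === 'edit' && $sid) {
    // %d is a typed placeholder: db_query() casts $sid to an integer before
    // interpolating it, so the path argument never reaches the SQL as text.
    $edit = db_fetch_array(db_query("SELECT * FROM {ldapauth} WHERE sid = %d", $sid));
    if (!$edit) {
      // No such server: treat it like an unknown operation rather than
      // rendering a form of empty values (and PHP notices) that could be
      // submitted against a non-existent row.
      drupal_goto('admin/settings/ldap/ldapgroups');
    }

    $form = array();
    $form['description'] = array(
      '#value' => t('Configure LDAP groups to Drupal roles mapping settings for the %server.', array(
        '%server' => $edit['name'],
      )),
    );

    // How to find groups section.
    $form['group-definitions'] = _ldapgroups_admin_edit_group_definitions($edit);

    // Access rules section.
    $form['groups_limit'] = _ldapgroups_admin_edit_access_rules($edit);

    // Mappings section.
    $form['group_filter'] = _ldapgroups_admin_edit_mappings($edit);

    $form['sid'] = array(
      '#type' => 'hidden',
      '#value' => $sid,
    );
    $form['submit'] = array(
      '#type' => 'submit',
      '#value' => t('Update'),
    );
    return $form;
  }
  else {
    drupal_goto('admin/settings/ldap/ldapgroups');
  }
}

/**
 * Turns a serialized list column from {ldapauth} into one-item-per-line text.
 *
 * @param $value
 *   The raw column value; an empty value means "no entries".
 *
 * @return
 *   The entries joined by newlines, or an empty string when there are none
 *   (also when the stored value does not unserialize to an array).
 */
function _ldapgroups_admin_list_lines($value) {
  // NOTE(review): unserialize() is applied to a value read back from this
  // module's own table - presumably written by the form's submit handler,
  // which is outside this file section. Keep it that way: this helper must
  // never be fed externally supplied strings.
  $items = $value ? unserialize($value) : array();
  if (!is_array($items)) {
    // A corrupted column would otherwise make implode() emit a warning.
    $items = array();
  }
  return implode("\n", $items);
}

/**
 * Builds the 'Group Definitions' fieldset (how group membership is located).
 *
 * Three methods, each with its own enable checkbox, are offered: the group
 * name is a component of the user's DN, the user entry carries membership
 * attributes, or groups are separate LDAP entries with a member attribute.
 *
 * @param $edit
 *   The server's {ldapauth} row.
 *
 * @return
 *   A Form API fieldset array.
 */
function _ldapgroups_admin_edit_group_definitions($edit) {
  $fieldset = array(
    '#type' => 'fieldset',
    '#title' => t('Group Definitions'),
    '#description' => t('Define how group information is stored in your LDAP database by using one or more of the methods below.'),
    '#collapsible' => TRUE,
    '#collapsed' => FALSE,
  );

  // Each method's sub-fieldset starts collapsed unless that method is enabled.
  $fieldset['group_dn'] = array(
    '#type' => 'fieldset',
    '#title' => t('Group by DN'),
    '#description' => t('Use this method if your users\' DNs look like <em style="font-style: normal; padding: 1px 3px; border: 1px solid #8888CC; background-color: #DDDDFF">cn=jdoe,<strong>ou=Group1</strong>,cn=example,cn=com</em> and <em style="font-style: normal; padding: 1px 3px; border: 1px solid #8888CC; background-color: #DDDDFF">Group1</em> turns out to be the group you want.'),
    '#collapsible' => TRUE,
    '#collapsed' => !$edit['ldapgroups_in_dn'],
  );
  $fieldset['group_dn']['ldapgroups_in_dn'] = array(
    '#type' => 'checkbox',
    '#title' => t('Group is specified in user\'s DN'),
    '#default_value' => $edit['ldapgroups_in_dn'],
    '#description' => t('Check to enable this method.'),
  );
  $fieldset['group_dn']['ldapgroups_dn_attribute'] = array(
    '#type' => 'textfield',
    '#title' => t('Attribute of the DN which contains the group name'),
    '#default_value' => $edit['ldapgroups_dn_attribute'],
    '#size' => 50,
    '#maxlength' => 255,
    '#description' => t('The name of the attribute which contains the group name. In the example above, it would be <em style="font-style: normal; padding: 1px 3px; border: 1px solid #8888CC; background-color: #DDDDFF">ou</em>, as the DN contains the string <em style="font-style: normal; padding: 1px 3px; border: 1px solid #8888CC; background-color: #DDDDFF">ou=Group1</em> and <em style="font-style: normal; padding: 1px 3px; border: 1px solid #8888CC; background-color: #DDDDFF">Group1</em> happens to be the desired group name. Note:  If the attribute appears more than once in the DN, the user will be listed in multiple groups.'),
  );

  $fieldset['group_attr'] = array(
    '#type' => 'fieldset',
    '#title' => t('Group by attribute'),
    '#description' => t('Use this method if your user\'s LDAP entries contain attributes that define their group membership, e.g. AD\'s memberof attribute.'),
    '#collapsible' => TRUE,
    '#collapsed' => !$edit['ldapgroups_in_attr'],
  );
  $fieldset['group_attr']['ldapgroups_in_attr'] = array(
    '#type' => 'checkbox',
    '#title' => t('Groups are specified by LDAP attributes'),
    '#description' => t('Check to enable this method.'),
    '#default_value' => $edit['ldapgroups_in_attr'],
  );
  $fieldset['group_attr']['ldapgroups_attr'] = array(
    '#type' => 'textarea',
    '#title' => t('Attribute names (one per line)'),
    '#default_value' => _ldapgroups_admin_list_lines($edit['ldapgroups_attr']),
    '#cols' => 50,
    '#rows' => 6,
    '#description' => t('If the groups are stored in the user entries, along with the rest of their data, then enter here a list of attributes which may contain them.'),
  );

  $fieldset['group_entry'] = array(
    '#type' => 'fieldset',
    '#title' => t('Group by entry'),
    '#description' => t('Groups exist as LDAP entries with a multivalued attribute containing either the members\' DNs or username.  E.g. Standard LDAP group objects like groupOfNames that use the \'member\' multivalue attribute or posixGroup with memberUID.'),
    '#collapsible' => TRUE,
    '#collapsed' => !$edit['ldapgroups_as_entries'],
  );
  $fieldset['group_entry']['ldapgroups_as_entries'] = array(
    '#type' => 'checkbox',
    '#title' => t('Groups exist as LDAP entries with a multivalued membership attribute'),
    '#description' => t('Check to enable this method.'),
    '#default_value' => $edit['ldapgroups_as_entries'],
  );
  $fieldset['group_entry']['ldapgroups_entries'] = array(
    '#type' => 'textarea',
    '#title' => t('Base LDAP DNs containing groups (one per line)'),
    '#default_value' => _ldapgroups_admin_list_lines($edit['ldapgroups_entries']),
    '#cols' => 50,
    '#rows' => 6,
    '#description' => t('Base DNs to search for group entries. The module will look under each of these for group entries.'),
  );
  $fieldset['group_entry']['ldapgroups_entries_attribute'] = array(
    '#type' => 'textfield',
    '#title' => t('Attribute holding group members'),
    '#default_value' => $edit['ldapgroups_entries_attribute'],
    '#size' => 50,
    '#maxlength' => 255,
    '#description' => t('Name of the multivalued attribute which holds either the DNs or LDAP usernames of group members, for example: !attr', array(
      '!attr' => theme('placeholder', LDAPGROUPS_DEFAULT_ENTRIES_ATTRIBUTE),
    )),
  );

  return $fieldset;
}

/**
 * Builds the 'LDAP Groups Server Access Rules' fieldset.
 *
 * Holds the rule textarea plus a collapsed help fieldset that documents the
 * rule syntax (ALLOW / ALLOW-X / DENY / DENY-X and the ALL / EXISTING pseudo
 * groups). The rules are only collected here; their evaluation is outside
 * this file section.
 *
 * @param $edit
 *   The server's {ldapauth} row.
 *
 * @return
 *   A Form API fieldset array.
 */
function _ldapgroups_admin_edit_access_rules($edit) {
  $fieldset = array(
    '#type' => 'fieldset',
    '#title' => t('LDAP Groups Server Access Rules'),
    '#collapsible' => TRUE,
    '#collapsed' => !$edit['ldapgroups_groups'],
  );
  // Wording fix ("defined") below changes a translation source string.
  $fieldset['info'] = array(
    '#type' => 'fieldset',
    '#title' => t('Server Access Rules Help'),
    '#description' => '<p>' . t('Rules can be defined below that will limit who can access this server.  These rules can take two forms.') . '</p><p>' . t('First, it can just be a list of groups.  In this case, the user must be a member of at least one of these groups to be allowed access.') . '</p><p>' . t('The second form uses rules of the format: &quot;action-type: group-name&quot;. Each rule group-name is compared to the user\'s groups.  If the user is a member of the rule\'s group, the action is applied.  The last matching rule determines the user\'s access rights.  Note that all rule sets start with access denied.') . '</p><p>' . t('The action types are:') . '</p>' . '<ul><li>' . t('ALLOW - Access granted if user is in the group and not denied by rule below it.') . '</li>' . '<li>' . t('ALLOW-X - If the user is in the group, access is granted and rule processing ends.') . '</li>' . '<li>' . t('DENY - User is denied if they are in the group unless granted by a rule below this one.') . '</li>' . '<li>' . t('DENY-X - User denied if in group and no further rules are processed.') . '</li></ul>' . '<p>' . t('In addition, there are two "PSEUDO" groups that can be used in rules:') . '</p>' . '<ul><li>' . t('ALL - Matches all authenticated LDAP users') . '</li>' . '<li>' . t('EXISTING - Matches existing users who have been authenticated by LDAP in the past.') . '</li></ul>' . '<p>' . t('Here\'s an example ruleset to deny all Group1 users but allow existing users and (new) Group2 users to access the server.') . '</p>' . '<ul><li>' . t('DENY-X: cn=Group1,ou=Groups,dc=myorg') . '</li>' . '<li>' . t('ALLOW-X: EXISTING') . '</li>' . '<li>' . t('ALLOW: cn=Group2,ou=Groups,dc=myorg') . '</li></ul>' . '<p>' . t('Note that rule types and groups are case insensitive.  However, group names must have the same spacing as returned by the server to match.  E.g. if server return cn=X,ou=Groups... then a rule group name, cn=X, ou=Groups... 
will not match because of the space after the comma.') . '</p>',
    '#collapsible' => TRUE,
    '#collapsed' => TRUE,
  );
  $fieldset['ldapgroups_groups'] = array(
    '#type' => 'textarea',
    '#title' => t('Group access rules'),
    '#default_value' => _ldapgroups_admin_list_lines($edit['ldapgroups_groups']),
    '#cols' => 50,
    '#rows' => 5,
    '#description' => t('Leave blank to allow all LDAP authenticated users access. Otherwise, enter a one per line list of LDAP groups or access rules. If the user is not in any of those groups or the last matching rule denies access, the login will be denied.'),
  );

  return $fieldset;
}

/**
 * Builds the 'LDAP group to Drupal role filtering' fieldset.
 *
 * Offers the mapping mode radios, the explicit group|role mapping textarea
 * and the PHP filter textarea.
 *
 * @param $edit
 *   The server's {ldapauth} row.
 *
 * @return
 *   A Form API fieldset array.
 */
function _ldapgroups_admin_edit_mappings($edit) {
  $fieldset = array(
    '#type' => 'fieldset',
    '#title' => t('LDAP group to Drupal role filtering'),
    '#description' => t('If there is nothing entered in this section, the module will automatically decide Drupal roles name.  These will be based on the names of the LDAP groups. For example:<ul><li>LDAP group: Admins => Drupal role: Admins</li><li>LDAP group: ou=Underlings,dc=myorg,dc=mytld => Drupal role: Underlings.</li></ul>'),
    '#collapsible' => TRUE,
    // Expanded as soon as any of the three settings has a value.
    '#collapsed' => !($edit['ldapgroups_mappings'] || $edit['ldapgroups_filter_php'] || $edit['ldapgroups_mappings_filter']),
  );

  // Wording fix ("use") below changes a translation source string.
  $options_filter_mode = array(
    LDAPGROUPS_ROLE_MODE_AUTO => t("Use automatic LDAP group name to Drupal role name mapping"),
    LDAPGROUPS_ROLE_MODE_USE_MAP => t("Use LDAP group to Drupal role mapping defined below"),
    LDAPGROUPS_ROLE_MODE_DISABLED => t("Do not use LDAP groups for Drupal roles (i.e. access restrictions only)."),
  );
  $fieldset['ldapgroups_mappings_filter'] = array(
    '#type' => 'radios',
    '#title' => t('Select how to map LDAP groups to Drupal roles'),
    '#options' => $options_filter_mode,
    '#default_value' => $edit['ldapgroups_mappings_filter'],
  );

  // The stored mapping is a group => role map; render it one "group|role"
  // pair per line, which is the format the textarea description asks for.
  $map = $edit['ldapgroups_mappings'] ? unserialize($edit['ldapgroups_mappings']) : array();
  $mappings = '';
  foreach (is_array($map) ? $map : array() as $group => $role) {
    $mappings .= $group . '|' . $role . "\n";
  }
  $fieldset['ldapgroups_mappings'] = array(
    '#type' => 'textarea',
    '#title' => t('Mapping of LDAP groups to Drupal roles'),
    '#default_value' => $mappings,
    '#cols' => 50,
    '#rows' => 5,
    '#description' => t('Enter a list of LDAP groups and their Drupal role mappings, one per line with a | delimiter. Should be in the form [ldap group]|[drupal role],[drupal role] such as:<br/>cn=ED IT NAG Staff,DC=ad,DC=uiuc,DC=edu|admin<br/>cn=Ed Webs UIUC Webmasters,DC=ad,DC=uiuc,DC=edu|author, reviewer'),
  );

  // NOTE(review): this field stores PHP source that, per its own description,
  // is executed later against the user's group list. Neither the evaluation
  // nor the access check guarding this page (hook_menu in ldapgroups.module)
  // is visible in this file section - confirm the page is restricted to
  // administrators who are already trusted to run code on the site.
  $fieldset['ldapgroups_filter_php'] = array(
    '#type' => 'textarea',
    '#title' => t('PHP to filter roles by'),
    '#default_value' => $edit['ldapgroups_filter_php'],
    '#cols' => 25,
    '#rows' => 5,
    '#description' => t('Enter PHP to filter LDAP groups. Careful, bad PHP code here will break your site. If left empty, no filtering will be done. The groups array <code>$groups</code> is available in the code context. It should return a filtered <code>$groups</code> array as in example below. The code is evaluated before the above mapping is applied.<br /><code>$groups = array_filter($groups, create_function(\'$a\', \'return preg_match(\\\'/Staff/\\\', $a);\'));</code><br /><code>return $groups;</code>'),
  );

  return $fieldset;
}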