Magento Group from LDAP [WIP]

.gitignore

@@ -70,3 +70,6 @@ composer.lock
 # Magento2 sources
 /dist
 /bin
+
+# Ignore nano text editor temp files
+.*.swp

Api/ConfigInterface.php

@@ -38,6 +38,7 @@ interface ConfigInterface
     const CONFIG_KEY_ATTRIBUTE_FIRST_NAME = 'ldap/attribute/first-name';
     const CONFIG_KEY_ATTRIBUTE_LAST_NAME = 'ldap/attribute/last-name';
     const CONFIG_KEY_ATTRIBUTE_EMAIL = 'ldap/attribute/email';
+    const CONFIG_KEY_ATTRIBUTE_ROLE = 'ldap/attribute/role';
 
     /**
      * default values
@@ -53,6 +54,7 @@ interface ConfigInterface
     const DEFAULT_ATTRIBUTE_FIRST_NAME = 'givenname';
     const DEFAULT_ATTRIBUTE_LAST_NAME = 'sn';
     const DEFAULT_ATTRIBUTE_EMAIL = 'mail';
+    const DEFAULT_ATTRIBUTE_ROLE = 'null';
 
     /**
      * Returns the LDAP user filter
@@ -103,6 +105,14 @@ function getDefaultRoleId();
      */
     function getAttributeNameEmail();
 
+    /**
+     * Returns the attribute key in LDAP defining the user’s role,
+     * otherwise returns the default role specified in the role key.
+     *
+     * @return string
+     */
+    function getAttributeNameRole();
+
     /**
      * Returns an prepared array for the ldap connector
      *
@@ -172,4 +182,4 @@ function getAllowEmptyPassword();
      * @return boolean
      */
     function getUseStartTls();
-}
+}

Block/System/Account/Edit/Main.php

@@ -38,6 +38,8 @@ protected function _prepareForm()
             return $result;
         }
 
+	// TODO: does the role need to be disabled here? Perhaps only disable the role if specified
+	// in ldap (aka - role var is not null?). Dig into this before merge
         $fieldsToDisable = ['username', 'firstname', 'lastname', 'email', 'password', 'password_confirmation'];
 
         /** @var AbstractElement[] $field */

Model/Ldap/Configuration.php

@@ -115,6 +115,17 @@ public function getAttributeNameEmail()
         );
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function getAttributeNameRole()
+    {
+        return $this->deploymentConfig->get(
+            ConfigInterface::CONFIG_KEY_ATTRIBUTE_ROLE,
+            ConfigInterface::DEFAULT_ATTRIBUTE_ROLE
+        );
+    }
+
     /**
      * {@inheritdoc}
      */

Model/Ldap/UserMapper.php

@@ -62,7 +62,18 @@ public function mapUser($ldapAttributes, $password, User $user)
         }
 
         /** @noinspection PhpUndefinedMethodInspection */
-        $user->setRoleId($this->configuration->getDefaultRoleId());
+	// TODO: Add check here of role, switching to user-
+	// specific role instead of default role
+
+	// Example logic - written but not tested
+        $role = $this->getRole($ldapAttributes);
+
+	if(is_null($overrideRole) {
+	        $role = $this->configuration->getDefaultRoleId();
+	}
+
+        $user->setRoleId($role);
+	// end example logic
 
         if ($this->configuration->getCachePassword()) {
             $user->setPassword($password);
@@ -116,4 +127,13 @@ private function getEmail($ldapAttributes)
     {
         return $this->getFirstAttribute($ldapAttributes, $this->configuration->getAttributeNameEmail());
     }
+
+    /**
+     * @param array $ldapAttributes
+     * @return string
+     */
+    private function getRole($ldapAttributes)
+    {
+        return $this->getFirstAttribute($ldapAttributes, $this->configuration->getAttributeNameRole());
+    }
 }

README.md

@@ -39,12 +39,13 @@ for `setup:config:set` and `setup:install`
      --ldap-bind-password         The password corresponding to the username above, but this may be omitted if the LDAP server permits an anonymous binding to query user accounts.
      --ldap-allow-empty-password  Allow empty password
      --ldap-cache-password        To save the user password in the Magento database. Then, users will be able to log in even when the LDAP server is not reachable.
-     --ldap-role                  Role that is assigned
+     --ldap-role                  Role that is assigned by default if the LDAP attribute is not set or not set to a valid role name
      --ldap-user-filter           Ldap search filter. Placeholders are ":usernameAttribute" and ":username". (default: "(&(objectClass=*)(:usernameAttribute=:username))")
      --ldap-attribute-username    Attribute in LDAP defining the user’s username. (default: "uid")
      --ldap-attribute-first-name  Attribute in LDAP defining the user’s first name. (default: "givenname")
      --ldap-attribute-last-name   Attribute in LDAP defining the user’s last name. (default: "sn")
      --ldap-attribute-email       Attribute in LDAP defining the user’s email. (default: "mail")
+     --ldap-attribute-role        Attribute in LDAP defining the Magento role. (default: role specified in --ldap-role")
 
 ```
 
@@ -82,6 +83,7 @@ Example for memberOf
         'first-name' => 'givenname',
         'last-name' => 'sn',
         'email' => 'mail',
+        'role' => 'magerole',
     ),
     'allow-empty-password' => false,
     'cache-password' => false,

Setup/ConfigOptionsList.php

@@ -54,6 +54,7 @@ class ConfigOptionsList implements ConfigOptionsListInterface
     const INPUT_KEY_ATTRIBUTE_FIRST_NAME = 'ldap-attribute-first-name';
     const INPUT_KEY_ATTRIBUTE_LAST_NAME = 'ldap-attribute-last-name';
     const INPUT_KEY_ATTRIBUTE_EMAIL = 'ldap-attribute-email';
+    const INPUT_KEY_ATTRIBUTE_ROLE = 'ldap-attribute-role';
 
     /**
      * @var Role
@@ -183,6 +184,18 @@ public function getOptions()
                 'Attribute in LDAP defining the user’s email.',
                 ConfigInterface::DEFAULT_ATTRIBUTE_EMAIL
             ),
+
+            // TODO: Work on this and test this - current example is untested
+            /*
+            new TextConfigOption(
+                ConfigOptionsList::INPUT_KEY_ATTRIBUTE_ROLE,
+                TextConfigOption::FRONTEND_WIZARD_TEXT,
+                ConfigInterface::CONFIG_KEY_ATTRIBUTE_ROLE,
+                'Attribute in LDAP defining the user’s role.',
+                ConfigInterface::DEFAULT_ATTRIBUTE_ROLE
+            ),
+            */
+
         ];
     }
 
@@ -209,6 +222,7 @@ public function createConfig(array $options, DeploymentConfig $deploymentConfig)
             ConfigOptionsList::INPUT_KEY_ATTRIBUTE_FIRST_NAME => ConfigInterface::CONFIG_KEY_ATTRIBUTE_FIRST_NAME,
             ConfigOptionsList::INPUT_KEY_ATTRIBUTE_LAST_NAME => ConfigInterface::CONFIG_KEY_ATTRIBUTE_LAST_NAME,
             ConfigOptionsList::INPUT_KEY_ATTRIBUTE_EMAIL => ConfigInterface::CONFIG_KEY_ATTRIBUTE_EMAIL,
+            ConfigOptionsList::INPUT_KEY_ATTRIBUTE_ROLE => ConfigInterface::CONFIG_KEY_ATTRIBUTE_ROLE,
         ];
 
         $flagConfig = [