--- D:/SL/DrupalModules/ldap_integration/ldapauth.module Sun Oct 12 20:22:30 2008
+++ W:/bookings/sites/all/modules/ldap_integration/ldapauth.module Thu Oct 23 11:43:47 2008
@@ -10,6 +10,7 @@
 
 define('LDAPAUTH_AUTH_MIXED', 0);
 define('LDAPAUTH_AUTH_EXCLUSIVED', 1);
+define('LDAPAUTH_AUTH_HTTP', 2);
 define('LDAPAUTH_CONFLICT_LOG', 0);
 define('LDAPAUTH_CONFLICT_RESOLVE', 1);
 define('LDAPAUTH_EMAIL_FIELD_NO', 0);
@@ -34,8 +35,45 @@
  * Implements hook_init().
  */
 function ldapauth_init() {
+  global $user;
   include_once(drupal_get_path('module', 'ldapauth') .'/ldap_integration/ldapauth.conf.php');
   require_once(drupal_get_path('module', 'ldapauth') .'/ldap_integration/LDAPInterface.php');
+
+  if (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_HTTP) {
+    $authname = '';
+    // Make sure we get the remote user whichever way it is available.
+    if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
+      $authname = $_SERVER['REDIRECT_REMOTE_USER'];
+    }
+    elseif (isset($_SERVER['REMOTE_USER'])) {
+      $authname = $_SERVER['REMOTE_USER'];
+    }
+
+    $authname = trim($authname);
+    // Pretty up the username from NTLM authentication (i.e. Windows)
+    // Get 'bar' from 'foo1\foo2\bar'
+    $authname = array_pop(explode("\\", $authname));
+    // Get 'foo' from 'foo@bar'
+    $authname = array_shift(explode('@', $authname));
+
+    // Perform some cleanup so plaintext passwords aren't available under
+    // mod_auth_kerb.
+    unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+
+    // Retrieve user credentials
+    $result = db_query("SELECT uid FROM {authmap} WHERE authname = '%s' AND module = 'ldapauth'", $authname);
+    $expected = db_fetch_array($result);
+    if (isset($user) && $user->uid === $expected['uid']) {
+      // Do nothing: user is already logged into Drupal with session data matching
+      // HTTP authentication.
+    }
+    else {
+      $login['name'] = $authname;
+      $login['pass'] = 'password';
+      ldapauth_authenticate($login);
+    }
+  }
+
 }
 
 /**
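Review bot: Nothing in the new HTTP branch handles an empty `$authname`: when neither `REDIRECT_REMOTE_USER` nor `REMOTE_USER` is set (a request the web server did not authenticate), the `else` branch still calls `ldapauth_authenticate()` with an empty name and the literal password `'password'` on every page load. Add `if ($authname === '') { return; }` right after the `array_shift` line so the authmap lookup and the login attempt only run when the server actually supplied an identity. The `$user->uid === $expected['uid']` comparison also looks fragile: `db_fetch_array()` yields string values and `$expected` is FALSE when no authmap row exists, so a strict comparison against an integer `$user->uid` may never match and the login would be re-run on each request — checking `$expected !== FALSE` and comparing `(int) $user->uid === (int) $expected['uid']` seems safer, though I cannot confirm the type of `$user->uid` from here. `array_pop(explode(...))` and `array_shift(explode(...))` pass a temporary by reference, which PHP reports as a strict-standards notice; assign the `explode()` result to a variable first.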
@@ -135,7 +173,7 @@
     // If authentication is being done in "LDAP only" mode, passwords
     // should not be written to the database, or users would be able
     // to log in even after removing their LDAP entry.
-    if (isset($account->ldap_authentified) && (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_EXCLUSIVED || !LDAPAUTH_SYNC_PASSWORDS)) {
+    if (isset($account->ldap_authentified) && (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_EXCLUSIVED || LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_HTTP || !LDAPAUTH_SYNC_PASSWORDS)) {
       $edit['pass'] = NULL;
     }
   }
@@ -148,7 +186,7 @@
       '#title' => t(LDAPAUTH_PROFILE),
       '#attributes' => array('class' => 'ldapauth-entry'),
       '#weight' => LDAPAUTH_PROFILE_WEIGHT,
-      'ldap_server' => array('#type' => 'user_profile_item', '#title' => t('LDAP server'), '#value' => l($row->name, 'admin/settings/ldapauth/edit/'. $row->sid), '#weight' => 0),
+      'ldap_server' => array('#type' => 'user_profile_item', '#title' => t('LDAP server'), '#value' => l($row->name, 'admin/settings/ldap/ldapauth/edit/'. $row->sid), '#weight' => 0),
       'ldap_dn' => array('#type' => 'user_profile_item', '#title' => t('LDAP dn'), '#value' => $account->ldap_dn, '#weight' => 1),
     );
   }
@@ -256,11 +294,11 @@
   // (Design decision) uid=1 (admin user) must always authenticate to local database
   // this user is critical for all drupal admin and upgrade operations so it is best
   // left with drupal's native authentication.
-  $result = db_query("SELECT uid FROM {users} WHERE name = '%s' AND uid = '1'", $name);
-  if ($account = db_fetch_object($result)) {
-    user_authenticate($form_values);
-    return;
-  }
+//  $result = db_query("SELECT uid FROM {users} WHERE name = '%s' AND uid = '1'", $name);
+//  if ($account = db_fetch_object($result)) {
+//    user_authenticate($form_values);
+//    return;
+//  }
 
   if (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_MIXED) {
     // Authenticate local users first.
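Review bot: The uid-1 exemption in the -256 hunk is commented out rather than removed, and the three-line `(Design decision)` comment above it still states that uid 1 "must always authenticate to local database", which is no longer what the code does; delete the commented block and rewrite that comment to say why the exemption was dropped. Dropping it means the uid 1 account now goes through LDAP in EXCLUSIVED mode and through `REMOTE_USER` in HTTP mode, so an administrator could be locked out whenever the directory or the web-server authentication is unavailable — exactly the situation the removed comment gives as the reason for the exemption. If it was removed only so that HTTP mode can log the admin in from `ldapauth_init()`, a narrower change keeps the local path for the other modes, e.g. `if (LDAPAUTH_LOGIN_PROCESS != LDAPAUTH_AUTH_HTTP && ($account = db_fetch_object($result))) {`. The enclosing function starts outside the hunk.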
@@ -379,9 +417,11 @@
 
       if (empty($dn))
         continue;
-      // Try to authenticate.
-      if (!$_ldapauth_ldap->connect($dn, $pass))
-        continue;
+      if (LDAPAUTH_LOGIN_PROCESS != LDAPAUTH_AUTH_HTTP) {
+        // Try to authenticate.
+        if (!$_ldapauth_ldap->connect($dn, $pass))
+          continue;
+      }
 
       if (function_exists('ldapauth_user_filter') && !call_user_func('ldapauth_user_filter', $_ldapauth_ldap->retrieveAttributes($dn)))
         continue;
--- D:/SL/DrupalModules/ldap_integration/ldapauth.admin.inc Tue Oct 14 23:09:50 2008
+++ W:/bookings/sites/all/modules/ldap_integration/ldapauth.admin.inc Wed Oct 22 15:57:45 2008
@@ -18,7 +18,8 @@
 function ldapauth_admin_settings() {
   $options_login_process = array(
     LDAPAUTH_AUTH_MIXED => t('Mixed mode. The LDAP authentication is performed only if Drupal authentication fails'),
-    LDAPAUTH_AUTH_EXCLUSIVED => t('LDAP directory only')
+    LDAPAUTH_AUTH_EXCLUSIVED => t('LDAP directory only'),
+    LDAPAUTH_AUTH_HTTP => t('HTTP/NTLM Authentication. Will just do lookups on the username. Authentication will be left to the server.')
   );
   $options_login_conflict = array(
     LDAPAUTH_CONFLICT_LOG => t('Disallow login and log the conflict'),
@@ -28,7 +29,7 @@
   $form['system-options'] = array(
     '#type' => 'fieldset',
     '#title' => t('Authentication mode'),
-    '#description' => t('NOTE: These settings have no effect on Drupal user with uid 1. The admin account never uses LDAP.'),
+    '#description' => t(''),
     '#collapsible' => TRUE,
     '#collapsed' => FALSE,
   );
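Review bot: The skip of `$_ldapauth_ldap->connect($dn, $pass)` is keyed on the global `LDAPAUTH_LOGIN_PROCESS` setting rather than on who is calling, so in HTTP mode every code path that reaches this loop matches a DN without any password check. `ldapauth_init()` calls `ldapauth_authenticate()` with the placeholder password `'password'`, and the function patched at -256 still receives `$form_values`, which suggests the normal login form reaches the same loop; if so, a form submission with any password in HTTP mode would be accepted for whichever account the name resolves to. Safer to pass an explicit flag from `ldapauth_init()` (the only caller holding a server-verified identity) and keep the bind for every other caller, or to refuse form logins while HTTP mode is active. At minimum the new block needs a comment such as `// HTTP mode: the web server already authenticated REMOTE_USER; no bind is done, so $pass is never checked here.` The enclosing function starts outside the hunk.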
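Review bot: The new `LDAPAUTH_AUTH_HTTP` option label says authentication is left to the server but not what that implies for the administrator choosing it: in this mode the module performs no password check of its own (the bind is skipped in the -379 hunk of ldapauth.module) and trusts whatever `REMOTE_USER` the web server supplies. Suggest extending the label along the lines of `t('HTTP/NTLM Authentication. Drupal does not verify passwords; it trusts the REMOTE_USER set by the web server, so enable this only when the web server requires authentication on every path.')`. The `LDAPAUTH_AUTH_EXCLUSIVED` line gained a trailing comma but the new last entry did not, so the next addition will have to touch this line again.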
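Review bot: `'#description' => t('')` in the -28 hunk translates an empty string; if the note about uid 1 no longer holds, the `'#description'` key should be removed from the array rather than left with an empty `t()` call. A fieldset without that key renders the same and avoids an empty string in the translation tables.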