Last updated January 22, 2007. Created by Daren Schwenke on January 22, 2007.
This is a module I wrote for Drupal 5.0 to handle authentication where the webserver has already authenticated the user via Basic Auth. In my case the user logged in via Basic Auth also exists in LDAP, so I can pull the 'cn' attribute and use their real name as their Drupal name, auto-populate the email address, and keep the Drupal uid the same as my corporate-assigned user id.
Enabling this module without first creating a user with admin privileges that has the same uid number as assigned via LDAP will lock you out of your site: the normal login block is totally bypassed by this module and becomes unavailable.
To speed things up, I also added a column (tid) to the users table that maps directly to the user id obtained from Basic Auth. This also prevents users in large orgs with multiple John Smiths from being assigned the same account.
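The two preparation steps above (adding the tid column, and pre-creating the administrator with the LDAP-assigned uid before the module is enabled) as an added SQL example; this is not part of the original post. It assumes Drupal 5 on MySQL with no table prefix, and the uid 12345, user id 'jsmith' and role id 3 are placeholders (rid 3 stands for an administrative role you have already created and granted permissions at admin/user/access).

```sql
-- Assumed: MySQL, Drupal 5 'users' and 'users_roles' tables, no table prefix.

-- 1. The extra column the module looks up (WHERE u.tid = '...'). NULL by default so the
--    existing anonymous (uid 0) and superuser (uid 1) rows do not collide; the unique index
--    guarantees one account per webserver user id, so two "John Smith"s cannot share one.
ALTER TABLE users ADD COLUMN tid VARCHAR(60) NULL DEFAULT NULL;
CREATE UNIQUE INDEX users_tid ON users (tid);

-- 2. Pre-seed the administrator BEFORE enabling the module: uid must equal the LDAP
--    'personalnumber' and tid the lowercased Basic Auth user id (12345 / 'jsmith' are
--    placeholders). The password is never used because the login form is bypassed.
INSERT INTO users (uid, tid, name, pass, mail, status, created)
VALUES (12345, 'jsmith', 'John Smith', MD5('unused-login-form-is-bypassed'),
        'jsmith@yourcompany.com', 1, UNIX_TIMESTAMP());

-- 3. Attach the administrative role (rid 3 assumed, see above).
INSERT INTO users_roles (uid, rid) VALUES (12345, 3);

-- 4. Verify the mapping the module relies on resolves to exactly one active account.
SELECT uid, name, status FROM users WHERE tid = 'jsmith';
```

Because the seeded row already carries the tid value, the module's first-visit branch (LDAP lookup followed by REPLACE INTO users) is never taken for this account, so the administrator's row and role assignment survive the first login unchanged.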
Once again, this module totally bypasses the normal login block within Drupal, substituting the webserver's existing Basic Auth. If you want to do LDAP authentication WITHIN the Drupal login block, this module is not for you; consider http://drupal.org/project/ldap_integration instead.
If you need to support Basic Auth but don't have hooks for LDAP, consider using http://drupal.org/project/securesite or http://drupal.org/project/httpauth instead.
Some weirdness is present: on their first visit to the site, users get the Basic Auth prompt twice, and the user shows up as logging in twice in the logs.
I also commented out the "Log out" button in user.module in my installation, as after turning on this module it doesn't do anything other than add extra lines to the logs.
This module works as is for me, and perhaps it will save someone attempting to do the same thing some time. A good familiarity with Basic Auth, LDAP, and directly modifying the 'users' table is probably a must.
<?php
/*
ldap_auth module
hook_init is run EVERY page load. We need to handle our own consumption of resources or spiral to death.
*/

# Escape a value for use inside an LDAP search filter (RFC 4515) so that a crafted
# user id cannot alter the filter. Small helper added here; PHP's ldap_escape() came later.
function ldap_auth_escape_filter($value) {
  return str_replace(array('\\', '*', '(', ')', "\0"),
                     array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

function ldap_auth_init() {
  # if global $user has a uid already, bail as we are already logged in.
  global $user;
  if ($user->uid > 0) { return; }
  # The webserver (Basic Auth) supplies the user id. Without it there is nobody to log in.
  if (empty($_SERVER['LDAP_USER'])) { return; }
  $user_tid = strtolower(trim($_SERVER['LDAP_USER']));
  require_once './includes/common.inc';
  require_once './includes/theme.inc';
  # 'tid' is the extra column added to the users table to hold the Basic Auth user id.
  $result = db_fetch_object(db_query("SELECT u.uid, u.name FROM {users} u WHERE u.tid = '%s'", $user_tid));
  # User doesn't exist in database. Retrieve user info and add user.
  if (!$result || !$result->uid) {
    $ldap_server = 'directory.appl.yourcompany.com';
    $ds = ldap_connect($ldap_server);
    # Anonymous bind, as before; ldap_connect() alone does not prove the server is reachable.
    if ($ds && @ldap_bind($ds)) {
      $sr = ldap_search($ds, 'o=yourcompany.com', '(uid=' . ldap_auth_escape_filter($user_tid) . ')');
      $info = $sr ? ldap_get_entries($ds, $sr) : FALSE;
      ldap_close($ds);
      if (!$info || $info['count'] == 0 || empty($info[0]['personalnumber'][0])) {
        drupal_set_message(t('No LDAP entry with a personal number found for %name.', array('%name' => check_plain($user_tid))), 'error');
        return;
      }
      $user_mail = $info[0]['mail'][0];
      $user_name = $info[0]['cn'][0];
      $user_number = (int) trim($info[0]['personalnumber'][0]);
      # A uid of 0 would clobber the anonymous user row; refuse anything that is not a positive number.
      if ($user_number < 1) {
        drupal_set_message(t('Invalid personal number in LDAP for %name.', array('%name' => check_plain($user_tid))), 'error');
        return;
      }
      # Use replace instead of insert to avoid errors in the event the uid has been added ahead of time, such as in the case of the administrators...
      db_query("REPLACE INTO {users} (uid, tid, name, mail, status, created) VALUES (%d, '%s', '%s', '%s', 1, %d)",
        $user_number, $user_tid, $user_name, $user_mail, time());
    }
    else {
      drupal_set_message(t('Unable to contact Ldap server %name.', array('%name' => check_plain($ldap_server))), 'error');
      return;
    }
  }
  else {
    # User exists in database. Set user info from there.
    $user_name = $result->name;
    $user_number = $result->uid;
  }
  # Log in, updating logs and redirecting to where the user requested, or home. Good stuff stolen from persistent login module.
  drupal_load('module', 'user');
  # Only active (status = 1) accounts may be logged in; a blocked account must stay blocked.
  $user = user_load(array('uid' => $user_number, 'status' => 1));
  if (!$user || !$user->uid) {
    $user = drupal_anonymous_user();
    drupal_set_message(t('Account %name is blocked.', array('%name' => check_plain($user_name))), 'error');
    return;
  }
  drupal_set_message(t('Authenticated via Ldap. Welcome %name.', array('%name' => check_plain($user_name))));
  $l = array('ldap_auth_login' => 1, 'name' => $user_name, 'uid' => $user_number);
  # Drupal 5's user_login_submit() expects $user to be set already (the login form's validate step
  # normally does it); it writes the watchdog entry, updates the login time and regenerates the session.
  user_login_submit('ldap_auth_login', $l);
  # drupal_get_destination() returns 'destination=<urlencoded path>'; drop the 12-character prefix and decode.
  drupal_goto(urldecode(substr(drupal_get_destination(), 12)));
}
?>