I've seen a lot of posts from people with issues and questions about getting Drupal to work with LDAP and ActiveDirectory. I recently got my intranet application working, so I thought I'd share my experience. I also saw a couple of requests for deployment examples, so I hope this helps.
Integrating Drupal with your organization's existing LDAP directory infrastructure allows your users to log onto your Drupal site using their existing account names and passwords. They don't have to create another account and have yet another password to remember.
My setup is Drupal 5.1.x on Fedora Core 5, Apache 2 & PHP 5.1. My directory server is ActiveDirectory. I downloaded and installed the 5.1.x version of the ldap_integration module. I am not using the LDAP groups support.
After installing the module, go to the ldapauth config page and add a server entry for your network's directory server:
Server Settings
The Name field is just a name you select for this entry - it can be anything you like.
The LDAP server field is the domain name (or less desirably the IP address) of your LDAP server. In many Windows environments, this will be your domain controller.
The LDAP port is usually 389 unless your administrator has changed it.
TLS encryption usually does not need to be used, but your environment may be different. Keep in mind that without TLS the simple bind sends each user's password to the directory server in clear text, so enable it if your domain controller supports it.
Leave Store passwords in encrypted form unchecked for now.
Login Procedure
In my case, I do not plan to allow users to interact with their LDAP information from the Drupal site, so I elected to check Do not store user's passwords during sessions - this is more secure.
Also in my case, I want to use LDAP for all user management, so I checked LDAP directory only for user look up.
Your organization's Base DN is usually going to be something like "dc=companyname,dc=com". Examples:
dc=mycompany,dc=com
dc=engineering,dc=mycompany,dc=com
dc=mynetwork,dc=net
For ActiveDirectory, the UserName attribute is usually "sAMAccountName".
Advanced Configuration
ActiveDirectory usually does not permit anonymous searches. You will need to supply a DN (distinguished name) and password that Drupal will use to perform its look ups. You should create a dedicated account with a non-expiring password for this purpose or change your AD's configuration accordingly. For testing purposes, you can use your own username and password.
For ActiveDirectory, the DN can be given as an email-formatted (UPN) address "username@somecompany.com" or a Windows-style domain\username "MYDOMAIN\username". The email-style form is probably best, but both will work.
Save the configuration. Now users should be able to log into your site using their existing network id / password.
Logging in
Note: Drupal will always use its internal user database for authenticating the original admin user, so if this user account name is currently set to the same name as your Windows account name, I recommend changing it.
Your users should be able to enter their normal network login name (e.g. "bsmith") and password into the Drupal login fields and log in immediately. The ldap_integration module will automatically create a Drupal user entry for them. You can use this entry to manage role/group memberships.
Tweaking
The 5.1.x ldap_auth module has an issue with email addresses. When it creates a Drupal user for someone who logs in with their LDAP credentials, it populates their email address with their DN instead. The user can go back and edit it later, but I wanted this to happen automatically, so I tweaked the code a little to do this.
In the module source code, there is a note saying the ldapdata module will take care of this, but the ldapdata module is not present in the 5.1.x version of ldap_integration. The fix for this is trivial, though:
In modules/ldap_integration/ldapauth.module at about line 659, I commented out the following lines:
/*
  $dn = _ldapauth_login2dn($login_string);
  // Register this new user.
  // Changes to this user_save():
  // 1. 'pass' => in "LDAP then Drupal" mode, actual password
  //    is written. In "LDAP only" mode, a random
  //    password is set
  if (variable_get('ldap_login_process', LDAP_FIRST_LDAP) == LDAP_FIRST_LDAP) {
    $pass = user_password(20);
  }
  // 2. 'mail' => we cannot access the LDAP info from here, so
  //    we just write anything as e-mail address. If
  //    ldapdata module is enabled, it will write the
  //    right value upon login
  $mail = $dn;
  // 3. 'init' => same. BTW: what's the use of this field?
*/
And then replaced them with:
/* KM: hack to get correct email address without ldapdata */
$ldap_user = _ldapauth_user_lookup($login_string);
// Guard on the lookup result itself (not the global $user) so $dn is only set when the entry was found.
if ($ldap_user) {
  $dn = $ldap_user['dn'];
  // Multi-valued attributes come back as arrays; take the first mail value.
  if (!empty($ldap_user['mail'][0])) {
    $mail = $ldap_user['mail'][0];
  }
  else {
    // No mail attribute on the entry: fall back to the module's original behaviour.
    $mail = $dn;
  }
}
Now email addresses are populated correctly.
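To make the whole flow concrete, here is an added example (my own illustration, not code from the original post or from the ldap_integration module) of the bind, search and re-bind sequence that the configuration above asks the module to perform against ActiveDirectory, including the mail lookup the tweak above adds. It is written straight against PHP's ext/ldap, the same extension the module needs. The host dc01.example.com, the search account drupal-ldap@example.com, the base DN dc=example,dc=com and the helper names ldap_filter_escape() and ad_authenticate() are placeholders and assumptions of this example.

```php
<?php
// Added example: bind -> search -> re-bind against Active Directory using PHP's
// ext/ldap (the extension ldap_integration relies on; it must be installed).
// Host, service account, base DN and the helper names are placeholders.

// Escape a value interpolated into an LDAP search filter (RFC 4515).
// Without this, a login name such as "*)(objectClass=*" rewrites the filter
// and the search can return the wrong entry. PHP >= 5.6 ships ldap_escape()
// for this; the hand-rolled version covers the PHP 5.1 era of the post.
function ldap_filter_escape($value) {
  $map = array(
    '\\' => '\5c',   // strtr() does not rescan its output, so this is safe
    '*'  => '\2a',
    '('  => '\28',
    ')'  => '\29',
    "\0" => '\00',
  );
  return strtr($value, $map);
}

// Authenticate $login/$password. Returns array('dn' => ..., 'mail' => ...) on
// success, FALSE on any failure. $bind_dn/$bind_pw are the dedicated search
// account from "Advanced Configuration" (UPN form, e.g. drupal-ldap@example.com).
function ad_authenticate($host, $port, $bind_dn, $bind_pw, $base_dn, $login, $password) {
  // An empty password turns a simple bind into an unauthenticated bind, which
  // AD accepts as anonymous (RFC 4513). Never let that count as a login.
  if ($login === '' || $password === '') {
    return FALSE;
  }

  $ld = ldap_connect($host, $port);
  if (!$ld) {
    return FALSE;
  }
  ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
  // AD answers searches with referrals to other partitions; chasing them with
  // the search account's credentials fails and aborts the search.
  ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

  // Step 1: bind as the (unprivileged, read-only) search account.
  if (!@ldap_bind($ld, $bind_dn, $bind_pw)) {
    ldap_close($ld);
    return FALSE;
  }

  // Step 2: resolve the login name to a DN via sAMAccountName, the attribute
  // named in the "UserName attribute" setting above.
  $filter = '(&(objectClass=user)(sAMAccountName=' . ldap_filter_escape($login) . '))';
  $result = @ldap_search($ld, $base_dn, $filter, array('mail'));
  if (!$result) {
    ldap_close($ld);
    return FALSE;
  }
  $entries = ldap_get_entries($ld, $result);
  ldap_free_result($result);
  // Exactly one match, otherwise refuse: an ambiguous lookup must not log anyone in.
  if (!$entries || $entries['count'] != 1) {
    ldap_close($ld);
    return FALSE;
  }
  $dn = $entries[0]['dn'];
  // ldap_get_entries() lower-cases attribute names and indexes values from 0.
  $mail = isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : NULL;

  // Step 3: the actual password check is a second bind, as the user's own DN.
  $ok = @ldap_bind($ld, $dn, $password);
  ldap_close($ld);

  return $ok ? array('dn' => $dn, 'mail' => $mail) : FALSE;
}

// Usage with placeholder values (no real host or account):
// $who = ad_authenticate('dc01.example.com', 389, 'drupal-ldap@example.com',
//                        'search-account-password', 'dc=example,dc=com',
//                        'bsmith', $password_from_login_form);
// if ($who === FALSE) { /* reject the login */ }
// else { /* load or create the Drupal user and set its mail to $who['mail'] */ }
```

Two points worth noticing: the search account only ever needs read access, so give it nothing more, and the password is verified exclusively by the second bind, which is why the module's "Do not store user's passwords during sessions" option can be left on without losing anything.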
Comments
I don't know what you mean here
What does that mean? There are 5.x-1.x and 5.x-1.0 versions. Which did you install? There is no such thing as a 5.1.x version.
I don't mean to get on you or anything - I just want to find out, so I can do precisely what you have done, and try to avoid the IT department in my place of employment installing some kind of junk that we can't use when drupal will do the job...
Sorry about that - 5.x-1.0
I flubbed the version number. I guess what I meant was "the version designed for Drupal 5.1". The specific version I used was 5.x-1.x-dev, but I'd try 5.x-1.0 first - that is the official release that kreaper put out yesterday.
I hear you on the IT thing. With Drupal, you could definitely build a much better intranet than the commercial apps your IT guys are likely to recommend... Sharepoint <shudder>....
Also
What about LDAP Groups?
I am having problems
I am having problems with the following error " Fatal error: Call to undefined function ldap_connect() in /var/www/drupal/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 101"
I am using Ubuntu 6.01 with MySQL 5 and PHP 5.1 and my Active Directory uses a default port of 389.
I really need to implement this for my company's intranet site.
Thanks in Advance.
Fix my own problem
I did fix this "Call to undefined function ldap_connect()" by issuing an apt-get install php5-ldap.
Sorry, I had to allow LDAP support in my PHP.
Thanks
Windows Auto Login
I have enabled LDAP authentication as per above - got Active Directory users to authenticate.
How do I enable Active Directory users to auto-login to my Drupal site without supplying any username and password, i.e. get the username and password from my Windows logged-in credentials?
Thanks in Advance.
Peter
This is normally an IIS feature IIRC
That is to say, NT authentication.
Read http://www.4guysfromrolla.com/webtech/020201-1.shtml for more info. Tidbits: and
Now, I have no idea if you can do this within PHP... http://www.thescripts.com/forum/thread569237.html is a kind of interesting page. Unless you can figure out how to get access to ASP variables from within PHP I'd say you'll have to write an ASP (or ASP.NET) page to handle it. You could do NT auth, then log the user in. But it will involve writing some code and probably tweaking the ldap_integration module. Not a project for a newbie - not that I have any idea if you are or aren't.
Of course, odds are you must use IIS, but you probably are already if you're trying to do this.
webserver_auth
There is a module, webserver_auth which seems to handle this integration, but I haven't tried it out yet. It looks like it would take some tweaking to get this to play right with ldap_integration. The Drupal 5 version isn't officially released yet, but there is a patch.
Apache can do NTLM, too
Found The Mod NTLM apache module which supposedly lets Apache do NTLM auth. Haven't tried it yet though.
Also
Apparently there are newer solutions around these days that use GSSAPI (e.g. using Kerberos) and SPNEGO (that's the transparent authentication type negotiation bit) that are more cross-platform. But I haven't used them myself yet :)
--
Anton
LDAP Integration module has
LDAP Integration module has ldapdata.module support - that will allow ldap attribute management via DRUPAL (and also groups-roles integration). These new changes are in HEAD. The hope is to hash out the bugs and release a 5.x.2.0..
kreaper
http://kreaper.blogsome.com
One comment about your setup...
Under Active Directory, you will need to add your CNs to your "Base DNs":
One for each OU.
Thank you
Hey Keith: Thank you for your post. It worked! There was a database issue with the ldapauth table, but at least it queried LDAP and allowed the user to log in! Thank you for documenting this so well. Much appreciated.
Thank you!!
Thank you for posting this!
I got it to work!
Great documentation :)