Configuration of ldapauth module
Once the LDAP Integration module (also referred to as ldapauth module) is installed, it's time to enable the module and configure it.
- Enabled the module
- Proceed to Administer >> Site building >> Modules
- In the fieldset titled "Administration", enable the ldapauth module
- Configure the module
- Proceed to Administer >> Site Configuration >> LDAP Integration
- Click Configure LDAP Server
-
- Server Settings
- Name: Name of the LDAP Configuration. It must be unique
- LDAP Server: Hostname of the LDAP Server. For e.g. ldap.example.com For Active Directory, this would be the hostname of the AD domain controller. If you have multiple domain controllers, then common practice is to create a DNS Round Robin entry for all of the domain controllers and use that entry (dc.example.com).
- LDAP Port: Standard LDAP ports are 389 and 636. 389 is standard non-secure port where communications occur in cleartext (analogous to HTTP Port 80). 636 is the standard encrypted LDAP port (analogous to HTTP Port 443.
If you are using Active Directory, then you must select the encrypted port, 636. - Use TLS Encryption: Required for Active Directory. For encrypted communications, select this option. (TLS is the new name for SSL, so if your LDAP server requires "SSL", then you must check this box )
- Store passwords in encrypted form: This option is used by the optional ldapdata module, which allows for changing of passwords using Drupal. Using this option will cause the LDAP data module to perform MD5 encryption of the passwords before they are sent to LDAP. If your LDAP server natively performs encryption, then it could cause problems.
-
- Login Procedure
- Do not store users' passwords during sessions: If you are going to use the ldapdata module and allow users to modify their LDAP entries, this module will need to store the user password during the session, so that it can have write access to the LDAP directory.
Physically, these passwords are stored in the Drupal's session table in clear text. If the database is well protected, this should not be a problem, but some admins may feel uneasy about this.
If you are not going to use the ldapdata module, or you are, but only for read-only access, you can safely check this box and get extra security for your system.
- When logging in, Drupal will look up for the user in:
- Drupal's own database. If it fails, look in LDAP: Self-explanatory
- LDAP Directory only: Selecting this option will cause ONLY LDAP accounts to be authenticated and registered, except for the initial admin user (user with uid=1). Drupal's core administration relies on this user, so this user is NEVER authenticated with any database other than the local drupal database
- Base DNs: In the text area below, enter the base dn to search against when authenticating LDAP users. You can enter multiple DNs, one per line. PHP LDAP performs SUB scope searches by design. So if all of your users are organized under several sub-containers under say for e.g.,
cn=Users,dc=example,dc=org, then you only need to enter 1 base dn,cn=Users, dc=example, dc=com
For OpenLDAP etc, an example would beou=People,dc=example,dc=com
For Active Directory, an example would becn=Users,dc=example,dc=com - Username Attribute: The attribute in the user's object representing the username.
For Active Directory, it is sAMAccountName and for most Unix LDAP environments, it is uid
- Do not store users' passwords during sessions: If you are going to use the ldapdata module and allow users to modify their LDAP entries, this module will need to store the user password during the session, so that it can have write access to the LDAP directory.
-
- Advanced Configuration
- DN for non-anonymous searches: Enter the BINDDN of the account used to bind to the LDAP directory. For e.g.
cn=drupalread,ou=Service Accounts,ou=People,dc=example,dc=com - Password for non-anonymous searches: Enter the BIND password. Note: This password is stored in cleartext in the drupal database so you must take steps to protect the database
The process of authentication starts by establishing an anonymous connection to the LDAP directory and looking up for the user on it. Once this user is found, LDAP authentication is performed on them.However, some LDAP configurations (specially common in Active Directory setups) restrict anonymous searches.
If your LDAP setup does not allow anonymous searches, or these are restricted in such a way that login names for users cannot be retrieved as a result of them, then you have to specify here a DN//password pair that will be used for these searches.
For security reasons, this pair should belong to an LDAP account with stripped down permissions.Most LDAP and Active Directories do not allow anonymous binds
- DN for non-anonymous searches: Enter the BINDDN of the account used to bind to the LDAP directory. For e.g.
Save the Configuration
Save the configuration and you will be re-directed to the LDAP Integration configuration list page. You can have multiple LDAP servers configured and individually active and de-activate them. Deactivating a config will prevent it from being used by any of the LDAP modules.
NOTE: The LDAP Servers will be consulted in the order they are listed. They are listed in the order they are created. Future releases will include an option to re-order them for authentication.
Base DNs
I do have another question...
It seems that I have to list out the users whole AD tree. For example I have to use, "CN=Joe M. Johnson, OU=Developers,OU=AP-Users,OU=BU ABCIS,DC=ABC,DC=com"
The way our AD is configured the only OU that is the same across all of the users is the "DC=ABC,DC=com"
Any help would be greatly appreciated,
Patrick
TLS issues
Some isues:
This does not seem to be correct. I have an AD server; i have another app (Request-Tracker) auth against that AD server via TLS. That works fine.
If i set the port to 389 and do NOT check Start-TLS, the user authenticates, but login info is sent in the clear. If i set the port to anything else, authentication fails completely.
If i check Start-TLS with port 389, authentication WORKS, but login info is NOT encrypted.
If i check Start-TLS with port 636 (or any other port), authentication fails completely.
This is a gamebreaker for me.
TLS and AD working
This is what I had to do to get Drupal/LDAP/TLS working:
Procedure
1 - Create the following directory structure on the server: C:\openldap\sysconf (this path may be different depending on your setup)
2 - In that directory create a file named "ldap.conf"
3 - Edit ldap.conf and add the following directive:
TLS_REQCERT never
4 - Save ldap.conf and restart Apache HTTP server
5 - Then configured an LDAP server in Drupal as follows:
Name: (anything unique - I used the AD server name)
LDAP Server: ldaps://adhostname.domain.tld
LDAP Port: 636 (see below)
Use Start-TLS: unchecked
Store passwords in encrypted form: unchecked
Base DNs: dc=domain,dc=tld (you can be more specific if you wish--my accounts are everywhere, so I specified the domain without any OUs)
UserName attribute: sAMAccountName
Email attribute: mail
PHP to transform login name: (blank)
PHP to filter users based on their LDAP data: (blank)
DN for non-anonymous search: (either the DN or just the username of the service account you will use to bind--I prefer just the username)
Password for non-anonymous search: (the password)
Explanation
This works for me. I used a sniffer to confirm that it is using secure LDAP (636). The three pieces that took me a while to figure out were:
*Start-TLS is completely different than AD secure LDAP and to my knowledge isn't supported by AD
*The LDAP server should be prefixed with "ldaps://" and the port actually doesn't matter one bit as the PHP function "ldap_connect()" ignores the port if "ldaps://" is specified (I changed it to 636 anyway to avoid confusion)
*But the key change was creating C:\openldap\sysconf\ldap.conf. More on that below.
ldap.conf
The main issue with getting my configuration to work was that PHP (or OpenLDAP, I'm not sure which specifically) didn't trust my CA and by default it rejects certificates issued by CAs it doesn't trust. Adding the "TLS_REQCERT never" directive to the ldap.conf file told it to not worry about the certificate and carry on. Strictly speaking this lessens the security of the server and can make it susceptible to spoofing attacks. I'll leave it to you to decide whether to dig deeper into the ldap configuration as there appears to be a way to specify trusted CAs, but I have bigger issues to conquer at the moment.
Update: By the way, this secures the transmission of the password from the Drupal web server to the domain controller, but it does nothing for securing the password between the client and the Drupal web server. I'm going to work on that next.
I hope this helps,
Mike Hays
Mikes instructions were pretty much spot on.
I decided to see if I could get LDAP Integration working on a fresh Drupal install (running on Debian and Apache) and a fresh 2003 Active Directory running in a VMware test environment (not a live production environment).
My instructions are as follows:
1. Base install of Debian with Apache, PHP, MySQL (make sure the PHP-LDAP library is installed).
2. Ensured DNS and network settings were correctly configured on the Linux box (very, very important).
3. Installed a clean install of Drupal.
4. Installed the ldap_integration module.
5. Configured the ldap_integration module (refer below).
6. Modified /etc/ldap/ldap.conf (refer below).
7. Selected LDAP directory only under the Choose authentication mode (Settings page).
LDAP INTEGRATION MODULE.
Name: myroom.local
LDAP server: ldaps://server.myroom.local
LDAP port: 636
Use Start-TLS: unticked
Store passwords: unticked
Base DNs: cn=Users, dc=myroom, dc=local
UserName atrib: sAMAccountName
Email attrib: mail
PHP to transform: left blank
PHP to filter: left blank
DN for non-anon: drupal@myroom.local
Password: password
/etc/ldap/ldap.conf
HOST server.myroom.local
TLS_REQCERT never
I wanted to be sure that this configuration was working and that data sent between Drupal and Active Directory was encrypted, so I installed and ran Wireshark on the Active Directory server.
The data was encrypted as was expected.
NOTE:
Data sent between Drupal and the AD Server is encrypted - data sent between the clients web browser and Drupal is NOT encrypted.
To avoid sending login information in plain text, you should look at configuring and using SSL (https) on your web server, particularly during logon.
NOTE:
I also managed to get "Use Start-TLS" working properly (no errors) but I would need to retrace my steps to find out exactly what it was that made it work (at one stage I exported the Certificate from Active Directory and enabled /etc/ldap/ldap.conf to use it but whether or not that was the kickstart it needed I don't know).
I'll leave that to another day when I feel like documenting the steps. :-)
So far, I'm quite impressed with LDAP Integration - it works an absolute treat.
Active Directory LDAP over SSL (ldaps)
It is important to note that by default Active Directory LDAP is not configured for LDAPS.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
Appendix A: Configuring LDAP over SSL Requirements for AD LDS
http://technet.microsoft.com/en-us/library/cc725767%28WS.10%29.aspx
LDAP over SSL - Modifying Active Directory with PHP
http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl#install_cer...
How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q295663
After much problems I got it working on server 2008 (non-TLS)
Spending about two days to get it working. Yes yes, I didn't know anything about LDAP :-)
This are the creditals what I have used:
For debugging and testing I used Wireshark and later the free LDAP Browser from LDAPSoft
And for searching the domain tree, at Logon procedure:
dc=domain,dc=localUserName Attribute:
sAMAccountNameFor binding at Advanced Configuration:
cn=Administrator,cn=Users,dc=domain,dc=localAnd a password.
Hope that this is helpfull for someone!
Active Directory
For anyone who is banging their head against the wall with Active Directory BS, in the advanced configuration section, do not follow these directions... JUST PUT THE USERNAME AND PASSWORD. I was banging my head against the wall putting in CN this, DC that trying to get it to authenticate, and then finally just put the username and BINGO, it worked...GRRRR
"Drupal's own database" does not work when LDAP is active
Although I have configured the option
"When logging in, Drupal will look up for the user in:
* Drupal's own database. If it fails, look in LDAP"
my website is behaving as if I had chosen "LDAP Directory only" :
Except for the admin account (uid=1), authentication does not work any more for non-LDAP accounts. If I create a "local" account (I uncheck "use LDAP..." in the "edit user" tab), the login is impossible ; the only way to connect is to use the "lost password" mechanism and to use the temporary login link sent by e-mail. Whether the user or the admin puts a (new) password, a normal login will never work.
Does anyone know this problem and it's solution? Thanks in advance!
LDAP not seeming to work
Here is what I have set up:
server settings:
ldaps://(IP ADDRESS of server or server name)
LDAP Port: 636 (and I've attempted to use 389)
Login Procedure:
dc=(domain),dc=com
UserName: sAMAccountName
Email Attribute: mail
Advanced configuration:
DN for non-anonymous search: administrator
password is my password
I always get username password now found, when running Wireshark on the DC, i'm seeing a bunch of checksum errors and a TLSv1 Alert (Level: Fatal, Description: Unknown CA)
I'm not sure what is going on with it, I've checked and tried about 100 different methods... anyone have any ideas?
ldap.conf file
mikebrewer,
Do you follow the procedure I give above for creating an ldap.conf file? I think that will solve your issue.
Mike Hays
ldap auth fails after check Start TLS
ldap runs fine ...
both (users and groups) are in drupal after login ...
now i tested "Start TLS" by just activating the checkbox ...
saved config ...
clicked on "Test" ... auth successful ...
logged out ...
log in with ldap-user ... failed ...
so i unchecked the Start-TLS box and saved config ...
test : successfull ...
logged out ...
log in with ldap user ... failed ...
LDAP-Auth not working anymore ...
any ideas, what is broken now ?
Any luck? I am in the same
Any luck? I am in the same position as elmuchacho.