Configuration of ldapdata module

Last updated March 18, 2010. Created by Tresler on February 11, 2007.
Edited by mississippiman, RobRoy, kreaper.

This module allows mapping of LDAP user attributes to Drupal fields. It uses the profile module.

Configuration

  • Go to Administer >> Site configuration >> ldapdata.
  • The active LDAP configurations are listed on the page. Select edit to configure the LDAP attribute mapping.
  • Drupal-LDAP fields mapping: Currently, the following attributes can be mapped between Drupal and LDAP:
    • mail (E-mail address)
    • password (User Password)
    • signature (Signature line)

    The Drupal to LDAP mapping for these can be done in multiple ways:

    1. Changes in account fields will be mapped to LDAP attributes and back: Checking this box will allow Drupal users to modify the above attributes in Drupal and have them automatically updated in LDAP. This option requires a user account with read/write privileges to LDAP.
    2. Same, but read-only mode: Check this box if users should be able to view the LDAP information in the Drupal profile but not change it.
    3. No mapping: This option will clear any existing mappings that are present for this configuration.

    Enter the attribute names that map to the specified Drupal fields in the text boxes. Consult the LDAP documentation and/or your LDAP administrator for details on the attribute names.

  • Drupal-LDAP fields mapping: In this section, configure which attributes are visible in the user's My account section and which attributes are modifiable by the user. To extend the attribute list that appears here, modify the configuration file modules/ldap_integration/ldapdata.conf.php.
  • Advanced configuration: In this section, enter the bind DN and bind password of an LDAP account that has read/write abilities to the user and group objects.
  • Click Save configuration to save this configuration.

All active LDAP configurations can be configured to map LDAP attributes to Drupal fields. The same configuration that was used to authenticate the user into Drupal will be used to perform attribute mapping.

Comments

Unfortunately outdated

It would be great if the module developer(s) would update this documentation to match the current version of the module, with examples relating module configuration to existing LDAP data. (If I could get this working, and knew enough about LDAP, I'd do it for you...)

jyg

How to get useful attributes?

The LDAP authentication works well, but I need to restrict users on some attribute values, attribut1='some data'. I've tried to put a PHP filter in the authentication form:
PHP to filter users based on their LDAP data:
It doesn't work. I think it's just because I don't get the LDAP attribute from the LDAP request.

Before starting serious debugging: who can tell me how to get some more attributes from the LDAP server?

I have had several requests for how we set up our LDAP Authorization, LDAP Data, & LDAP Sync. This is our case. Your mileage may vary.

We are connecting Drupal to Active Directory. We want people to login to Drupal with their AD account and password. We want the Drupal profile to have many of the AD attributes.

We grouped the profile attributes into editable and non-editable attributes (profile categories or fieldsets). This lets the user edit their non-sensitive account information (ex. display name, phone, fax, etc). For the non-editable profile attributes, we remove these from the profile $form via a hook_form_alter (ex. manager, dept, title, etc). This way their profile displays all the attributes but only lets them edit/sync the ones we choose.

*Note: When someone changes their username (ex. a woman changes her name with marriage), sometimes we have to delete the Drupal user and hit the LDAP Sync button to get them reconnected.

LDAP Authorization

Authentication mode

* Choose authentication mode: Mixed mode. The LDAP authentication is performed only if Drupal authentication fails
* Choose user conflict resolve procedure: Associate local account with the LDAP entry

Security Options

* Do not store users' passwords during sessions: Checked
* Sync LDAP password with the Drupal password: Not Checked

LDAP UI Options

* Remove password change fields from user edit form: Checked
* Alter email field on user edit form: Remove email field from form

LDAP Server settings (List tab, edit)

Server Settings

* Name: Corporate
* LDAP Server: ldap.domainname.com
* LDAP Port: 389
* Use Start-TLS: Not Checked
* Store passwords in encrypted form: Not Checked

Login Procedure

* Base DNs: OU=Managed,DC=domain,DC=com
* UserName attribute: sAMAccountName
* Email attribute: mail
* PHP to transform login name: EMPTY
* PHP to filter users based on their LDAP data: EMPTY

Advanced configuration

Create a service account with non-anonymous search & password
* DN for non-anonymous search: CN=accountname,OU=Service Accounts,DC=domain,DC=com

LDAP Data:

Drupal-LDAP fields mapping

* Drupal user profile field mapping: Read/write: Drupal user profile fields have LDAP attributes. LDAP attributes updated upon Drupal profile change.

Create profile attributes, then link them to the LDAP attributes. I'll display ours; yours may vary as to what you want to link.

Drupal Field: LDAP attribute

   profile_displayName - displayName
   profile_title - title
   profile_department - department
   profile_officephone - telephoneNumber
   profile_extentionphone - otherTelephone
   profile_faxphone - facsimileTelephoneNumber
   profile_manager - manager
   profile_cellphone - mobile
   profile_office - physicalDeliveryOfficeName
   profile_status - extensionAttribute4
   profile_fn - givenName
   profile_ln - sn
   profile_company - company

Attribute visibility & access control

* Attributes: EMPTY
* PHP to filter attributes: EMPTY

Advanced configuration

This is an AD service account that has write access to the attributes linked above. We use the same SA account as LDAP Auth.
You will provide the DN and password.
* DN for non-anonymous search: CN=accountname,OU=Service Accounts,DC=domain,DC=com

LDAP Sync:
This will sync the users as well as their attributes to Drupal users/profile.

LDAPsync settings

Filter: (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
Sync time interval: 1 hour

HELP:

ADSI Edit

We use this tool to get the DN and query
http://technet.microsoft.com/en-us/library/cc773354(WS.10).aspx

PHP LDAP Query

We use this man page to help build the LDAP Sync query string
http://www.php.net/manual/en/function.ldap-search.php
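
The read/write mapping and the editable/non-editable split described in the setup above can be enforced as an allow-list. The following is an added example, not code from the ldap_integration module or from the comment's author: FIELD_MAP copies the mapping posted above, while EDITABLE, the function names and the sample values are assumptions made for illustration.

```python
# Added example: allow-list for a read/write Drupal-to-LDAP field mapping.
# FIELD_MAP copies the mapping posted above; EDITABLE is an assumed choice.
FIELD_MAP = {
    "profile_displayName": "displayName",
    "profile_title": "title",
    "profile_department": "department",
    "profile_officephone": "telephoneNumber",
    "profile_extentionphone": "otherTelephone",
    "profile_faxphone": "facsimileTelephoneNumber",
    "profile_manager": "manager",
    "profile_cellphone": "mobile",
    "profile_office": "physicalDeliveryOfficeName",
    "profile_status": "extensionAttribute4",
    "profile_fn": "givenName",
    "profile_ln": "sn",
    "profile_company": "company",
}
# Assumption: only contact details (display name, phones, fax) are user-editable.
EDITABLE = {
    "profile_displayName", "profile_officephone", "profile_extentionphone",
    "profile_faxphone", "profile_cellphone",
}

def writable_attributes():
    """LDAP attributes that a profile edit is ever allowed to write."""
    return sorted(FIELD_MAP[f] for f in EDITABLE)

def build_ldap_changes(submitted, current):
    """Return (LDAP writes, rejected fields) for a submitted profile form."""
    changes, rejected = {}, []
    for field, value in submitted.items():
        attr = FIELD_MAP.get(field)
        if attr is None or field not in EDITABLE:
            rejected.append(field)      # unmapped or read-only: never written
        elif current.get(attr) != value:
            changes[attr] = value       # editable and actually changed
    return changes, sorted(rejected)

if __name__ == "__main__":
    # Constructed sample data, not taken from a real directory.
    current = {"telephoneNumber": "555-0100",
               "manager": "CN=Boss,DC=domain,DC=com"}
    submitted = {"profile_officephone": "555-0199",
                 "profile_manager": "CN=Self,DC=domain,DC=com",
                 "profile_memberOf": "CN=Admins,DC=domain,DC=com"}
    print(build_ldap_changes(submitted, current))
    print(writable_attributes())
```

The list returned by writable_attributes() is also the complete set of attributes on which the write-capable service account needs write permission in the directory.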