I am trying to create an external login routine (login at another site but use Drupal for users/roles) and there doesn't appear to be any way to hook in to the LDAP provisioned accounts without having a Drupal login form or using SSO. I can do it regularly by using the Drupal core user module and user_authenticate($username, $password); would it be possible to use the LDAP module in the same fashion?

Comments

johnbarclay’s picture

Version: 7.x-1.0-beta5 » 7.x-1.x-dev

No, there is no way to hook into the user creation process outside the hooks provided by the user module. The idea is to use the user module as the point of integration between authentication and authorization modules; otherwise authentication, authorization, and provisioning modules can't be decoupled. There is a function ldap_create_drupal_account($name, $mail, $dn, $sid, $edit = array()) that can create an LDAP-associated Drupal account.

After checking for credentials or whatever external login routine you have passes, your module should:

  1. Call ldap_create_drupal_account(). If you pass an existing account in (the 5th parameter), it will update the account to associate it with an LDAP server/user. Otherwise it will create a Drupal account.
  2. Use the user_authenticate() function as you mentioned to sign the user in.

Cloning ldap_sso.module as a point of departure might be a starting point.

johnbarclay’s picture

Version: 7.x-1.x-dev » 7.x-2.x-dev
Status: Active » Closed (won't fix)

In 7.x-2.0, users that are LDAP identified can be configured to automatically get LDAP data associated with their account (email, first name, etc.) regardless of how they authenticate. If I'm missing what you are trying to do, please try giving an example use case.

Since this is a more general behavior I'm closing this issue. If you have a more specific use case, feel free to open it back up.

s1kk4z’s picture

Hi John,

Firstly thanks for all your hard work on the LDAP module. Very much appreciated.

I'm not sure if I am missing the original issue summary, however when reading it, I see it as something similar to what I am trying to achieve.

I am using Drupal as a backend to a mobile app. The mobile app lives on the same server as my Drupal installation.

I need users to log into the app and authenticate via LDAP. I tried using the Services module however I could only get Drupal accounts to authenticate and not LDAP accounts.

So my next attempt was to build a custom login script that my mobile app could post to. In this script, I bootstrap Drupal and accept some POST vars which I pass to the user_authenticate function.

The problem with this is that it will only authenticate Drupal accounts, not LDAP accounts.

Is there some way for my custom script to tap the functionality of your LDAP module? I would like my custom login script to have similar functionality to mixed mode where when authenticating, Drupal auth is tried first then LDAP auth.

thanks

johnbarclay’s picture

The function _ldap_authentication_user_login_authenticate_validate() does all of this work. It's the longest, most convoluted function in all the ldap_* modules because of the workflows.

I would suggest cloning _ldap_authentication_user_login_authenticate_validate and turning it into:

ldap_user_authenticate($username, $password, $options = NULL) where options were optional overrides to the ldap authentication conf properties (such as sids, authenticationMode, loginUIUsernameTxt, loginUIPasswordTxt, etc.).

If done right, _ldap_authentication_user_login_authenticate_validate could leverage ldap_user_authenticate and there would be no redundant code.

This function could also be mapped to a REST webservice.

johnbarclay’s picture

Status: Closed (won't fix) » Needs work

s1kk4z’s picture

Hi John,

Thanks for the quick reply. I had quickly looked at that function, but at first glance it appeared convoluted :-)

I am a bit of a noob when it comes to modules so forgive me if I ask any silly questions.

In my custom script, once I have bootstrapped Drupal and have valid data submitted via my mobile app, I attempted to call _ldap_authentication_user_login_authenticate_validate() found in ldap_authentication.inc via ldap_authentication_user_login_authenticate_validate($form, &$form_state) in ldap_authentication.module. It doesn't seem like $form does anything, so I attempted the following:

$form_state = array();
$form_state['values']['name'] = $username;
$form_state['values']['pass'] = $password; // where username and password are from $_POST vars

// $form is not used by the validator; only $form_state['values'] matters.
$account = ldap_authentication_user_login_authenticate_validate(NULL, $form_state);

// Guard against a NULL return before reading ->uid, and check a permission that
// exists in Drupal 7 core ('access content'; 'access site' is not a core permission).
if (!empty($account->uid) && user_access('access content', $account)) {
  // valid login
}

When I execute I get the following error.

Fatal error: require_once(): Failed opening required 'sites/all/modules/ldap/ldap_authorization/ldap_authorization_drupal_role/LdapAuthorizationConsumerRole.class.php'

Since I am feeling my way through this, I'm hoping you could steer me a little.

Thanks again.

s1kk4z’s picture

Solved that problem by doing a chdir to the Drupal root. All working now. Cheers.
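A complete version of the custom login script discussed in this thread, as an added example (not the poster's code or the LDAP module's own). It assumes Drupal 7, a placeholder Drupal root path, and that ldap_authentication_user_login_authenticate_validate() returns the Drupal user object on success, as described above; the flood-control and session calls are core Drupal 7 functions.

```php
<?php
// Added example: a standalone endpoint a mobile app POSTs "name" and "pass" to.
// Assumes Drupal 7 with ldap_authentication enabled; DRUPAL_ROOT is a placeholder.
define('DRUPAL_ROOT', '/var/www/drupal');  // placeholder: your Drupal root
chdir(DRUPAL_ROOT);  // the LDAP module's require_once() paths are relative to the root
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

header('Content-Type: application/json');

function respond($status_code, array $body) {
  http_response_code($status_code);
  print json_encode($body);
  exit;
}

// Credentials only from the POST body, never the query string (it ends up in access logs).
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_POST['name']) || empty($_POST['pass'])) {
  respond(400, array('error' => 'name and pass are required'));
}

// Reuse the core login form's per-IP flood control so this endpoint is not a
// cheaper place to guess passwords than the regular login form.
$ip_limit  = variable_get('user_failed_login_ip_limit', 50);
$ip_window = variable_get('user_failed_login_ip_window', 3600);
if (!flood_is_allowed('failed_login_attempt_ip', $ip_limit, $ip_window)) {
  respond(429, array('error' => 'too many failed attempts'));
}

// The validator only reads $form_state['values']; $form itself is unused.
$form_state = array('values' => array('name' => $_POST['name'], 'pass' => $_POST['pass']));
$account = ldap_authentication_user_login_authenticate_validate(NULL, $form_state);

// Assumption: NULL (or an object without uid) means the Drupal/LDAP check failed.
if (empty($account->uid) || empty($account->status)) {
  flood_register_event('failed_login_attempt_ip', $ip_window);
  watchdog('mobile_login', 'Failed login for %name.', array('%name' => $_POST['name']), WATCHDOG_NOTICE);
  respond(401, array('error' => 'invalid credentials'));  // same message for every failure reason
}

// Open a real Drupal session (sets the cookie the app sends on later requests).
global $user;
$user = $account;
user_login_finalize();
respond(200, array('uid' => $user->uid, 'name' => $user->name));
```

Serve this only over HTTPS, and keep the password out of watchdog and web server logs as the script does.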

johnbarclay’s picture

Status: Needs work » Fixed

I added a new param $return_user to the function also. It dictates if null or the drupal user object is returned at the end of the function.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.