Posted by roynilanjan on February 17, 2012 at 7:50am
| Project: | Lightweight Directory Access Protocol (LDAP) |
| Version: | 7.x-2.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | major |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Hi,
Can I add an authorization mechanism other than NTLM? I need to configure mod_auth_kerb as well in the SSO section from admin.
| Attachment | Size |
|---|---|
| ldapsso.png | 36.51 KB |
Comments
#1
It's not really set up for this yet. In the next week I will be focusing on LDAP SSO. The general idea is to have a plugin architecture for the various methods.
Keep in mind you do not need to use LDAP authentication to implement LDAP authorization or other LDAP functionality. The idea was to decouple them in Drupal 7. Here is a thread on this in Drupal 6: #324732: Webserver authentication. Unfortunately it looks like httpauth isn't being developed.
Are you interested in helping with the LDAP Kerberos plugin? It would entail coding a small set of methods in a class.
#2
Sure, I'm interested in implementing Kerberos authentication, especially for single sign-on.
Please give the existing code details and let me know if you have any thoughts.
How should the other authentication mechanisms for single sign-on be incorporated (especially Kerberos)?
#3
OK. I'll let you know. I'm going to look at CAS, Shib, etc. modules and see how they implement SSO. It's quite tricky with the Drupal user module authentication workflow and I want to get the workflow correct. I'm not sure if it's correct now in the LDAP SSO NTLM currently. My first thoughts are it's like implementing payment processors where you have one base class for each user workflow.
#4
roynilanjan, I submitted a patch to enable mod_auth_kerb support here: http://drupal.org/node/1450932 . I do not have that available in my environment, so it is untested, but it is ported from the ldap_sso (version 6) issue queue by someone who supposedly has it working. I do not know all of the permutations that various LDAP authentication web server modules may pass user credentials in, but between the mod_auth_sspi implementation and mod_auth_kerb implementation, it will work with both 'ldap_username' and 'ldap_username@realm.com'.
#5
I committed hotspoons' patch. I want to get a beta out before I start tackling some bigger issues. I'll get back to this, but here are my initial notes:
It depends on the sso implementation, but here is what the classes need so far.
properties:
$server (storage place for $_SERVER variable to help with simpletest mock servers)
$Implementation
$authenticationConf (LdapAuthenticationConf object)
methods:
getSsoUserName()
logout($user)
Attached is my work so far that I haven't committed.
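As an added illustration (not code from the LDAP module, the attached work, or any commenter), here is the class shape sketched in #5 with a getSsoUserName() that accepts the two forms named in #4, 'ldap_username' and 'ldap_username@realm.com'. The class name, the allowed-realm list, and reading REMOTE_USER from the injected server array are assumptions; the realm check goes beyond what the thread describes and is there so that a principal from an unexpected realm is not silently mapped onto a local LDAP name.

```php
<?php
// Hypothetical class: names and options are illustrative, not the module's API.
class ExampleSsoUserNameResolver {
  /** @var array Copy of $_SERVER, injected so tests can pass a mock server. */
  protected $server;
  /** @var string[] Lower-cased realms whose principals are accepted. */
  protected $allowedRealms;

  public function __construct(array $server, array $allowedRealms) {
    $this->server = $server;
    $this->allowedRealms = array_map('strtolower', $allowedRealms);
  }

  /**
   * Returns the bare LDAP username, or NULL when the web server supplied
   * no user or the principal belongs to a realm that is not allowed.
   */
  public function getSsoUserName() {
    $remote = isset($this->server['REMOTE_USER']) ? trim($this->server['REMOTE_USER']) : '';
    if ($remote === '') {
      return NULL;
    }
    // Kerberos-style form: ldap_username@REALM. Split on the last "@".
    $at = strrpos($remote, '@');
    if ($at === FALSE) {
      return $remote; // Bare form: ldap_username.
    }
    $name = substr($remote, 0, $at);
    $realm = strtolower(substr($remote, $at + 1));
    if ($name === '' || !in_array($realm, $this->allowedRealms, TRUE)) {
      return NULL; // Never strip a realm that has not been checked.
    }
    return $name;
  }
}

// Constructed sample inputs standing in for $_SERVER.
$samples = array(
  array('REMOTE_USER' => 'jdoe'),
  array('REMOTE_USER' => 'jdoe@EXAMPLE.COM'),
  array('REMOTE_USER' => 'jdoe@OTHER.EXAMPLE'),
  array(),
);
foreach ($samples as $server) {
  $resolver = new ExampleSsoUserNameResolver($server, array('example.com'));
  var_dump($resolver->getSsoUserName());
}
```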
#6
#7
John, I'll need to learn how simpletest works as I haven't encountered a need to implement it in the small published modules or bespoke project-specific modules I've developed. Since active development and the discovery of SSO issues seem to be much more active here, I'll need to back-port these fixes to my D6 version eventually.
#8