I have had LDAP auth working fine against a *nix based LDAP system we've been using, but now we're switching to AD (not my choice!) and I need to get it working with Drupal. I set up a new LDAP config with the new server name/IP, the new base DN, sAMAccountName as the UserName Attribute, mail as the email attribute, and someone with full search capability as the DN for non-anonymous search--but when I try to log in against the AD, I just get a blank screen. It doesn't successfully authenticate me, because I get "access denied" if I then try to access anything.

I put a print statement in my "ldapauth_user_filter" function and it never prints... so that isn't getting called. This is running in IIS, so my logs *suck* (again, not my choice). If anyone could point me in the right direction, that would be greatly appreciated.

When using apache, the php "white screen of death" has information in the apache logs. Where is the same information in IIS?

I know others must have this working, so any help is welcome.

Thanks,
Anne

Comments

apg wrote:

Hello... I may be wrong here, but it is my understanding that Active Directory uses Kerberos for auth, not LDAP. While you can get all kinds O' user data from the LDAP portion of Active Directory, to actually authenticate the username / password pair, I believe it uses Kerberos...

apg wrote:

Although... ldapsearch can use simple auth against an AD server:

ldapsearch -WxH 'ldap://example.com' -D 'CN=joeuser,OU=users,DC=example,DC=com' -b 'ou=users,dc=example,dc=com' "(sAMAccountName=*)"

anner wrote:

I'm talking about the LDAP auth module, which says it works with AD. Does someone out there have it working?

epruett wrote:

I have LDAP Integration running fine on Drupal 5.3.
Yes, it is a bit of a bear to get going... In Administer > LDAP Integration:

SERVER SETTINGS
Name – anything
LDAP server – use the IP address (the internal network one)
LDAP port – normally 389
No check on Use Start-TLS
No check on Store passwords in encrypted form

LOGIN PROCEDURE
Base DNs – you need an authentic path here, like:
CN=Bob Smith,OU=Helpdesk,OU=Users,OU=Office,DC=Domain,DC=Com
UserName attribute: sAMAccountName
Email attribute: mail

ADVANCED CONFIGURATION:
An Active Account is needed here to get to the server something like…
YourDomain\Bob.Smith

TAKE only what you need.
GIVE less than you have.

sameer.bagwe wrote:

Install the php-ldap module and include it in /etc/php.ini.

On Red Hat/Fedora:

yum install php-ldap

that should solve your problem

anner wrote:

This helped a lot--and somehow didn't occur to me in the craziness around getting this site up. But it didn't fix everything. Now I'm getting login errors: "Login attempt failed for arramey: %error" (which I wasn't getting before).

Everything looks right to me.
Configure LDAP Server
Server settings
Name: *
X AD

Choose a unique name for this server configuration.
LDAP server: *
my internal IP

LDAP port:
389

Didn't check:
Use Start-TLS
Store passwords in encrypted form

Login procedure
Base DNs:
dc=ad, dc=mysite

UserName attribute:

The attribute that holds the users' login name. (eg. cn for eDir or sAMAccountName for Active Directory).
sAMAccountName

Email attribute:
mail

The attribute that holds the users' email address. (eg. mail).
Advanced configuration
DN for non-anonymous search:
cn=mydomainadmin,ou=users,dc=ad,dc=mysite

???
ideas?

Anne

jladew wrote:

Hi,
I am getting the following error:
Result Messages:
Binding with DN for non-anonymous search (). Using password entered in form.
Binding with null DN for anonymous search.
Successfully bound to server
Failed to find test user jimmy by searching on sAMAccountName = jimmy. Error Message: Operations error

Here are my settings:
LdapServerType: Default LDAP or AD
Ldap Port: 3268 or 389 (tried both)
use Start TLS: unchecked
Binding Method: Bind with Users Credentials.

Base DNs: ou=users,dc=ad,dc=domainname
AuthName Attribute: sAMAccountName
Expression for user DN: cn=%username
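In every configuration posted in this thread the module takes the name typed into the login form and splices it into an LDAP filter (sAMAccountName = username) and, in the last setup, into a DN template (cn=%username). Whatever the user types therefore ends up inside a filter and a DN, so both need escaping before they reach the server. The following is an added example, not code from the Drupal LDAP module or from any poster here, showing how a login-side component should escape the form value (RFC 4515 for filter values, RFC 4514 for DN attribute values) before building either string. The attribute name, the DN template and the sample usernames are assumed for illustration.

```python
"""Safe construction of the two strings an LDAP login flow like the one in
this thread derives from the login form: the lookup filter and the user DN.
Added example; not the Drupal module's code.  Assumed: the username is
untrusted input and the attribute name / DN template come from trusted
configuration."""

# RFC 4515 section 3: characters that must be written as \XX (hex of the
# byte) inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value for use inside an LDAP search filter.
    Control characters and non-ASCII are hex-escaped byte-wise as well,
    which RFC 4515 permits and keeps the filter pure ASCII."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(attr: str, username: str) -> str:
    """Lookup filter, e.g. (sAMAccountName=jimmy).  'attr' is the
    configured UserName attribute, never user input."""
    return "(%s=%s)" % (attr, escape_filter_value(username))


# RFC 4514 section 2.4: characters that need a backslash inside a DN
# attribute value; leading '#', leading/trailing space and NUL are extra.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape an untrusted value for use as an attribute value in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(template: str, username: str) -> str:
    """Expand a '%username' DN template such as the thread's
    'cn=%username' with the escaped login name."""
    return template.replace("%username", escape_dn_value(username))


if __name__ == "__main__":
    # Constructed sample usernames: a normal one and two that would change
    # the meaning of the filter / DN if spliced in unescaped.
    for name in ("jimmy", "jimmy)(|(objectClass=*", "Smith, Bob"):
        print(build_user_filter("sAMAccountName", name))
        print(build_user_dn("cn=%username,ou=users,dc=ad,dc=mysite", name))
```

Without the escaping, the second sample name turns the lookup into a filter that matches every object under the base DN, and the third one injects an extra RDN into the DN. Note also that in epruett's example DN above the CN is "Bob Smith" while the login account is "Bob.Smith", so a template of the form cn=%username only works where the CN and the login name happen to coincide; searching on sAMAccountName and then binding with the DN the search returns avoids that dependency.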