I'm a summer college student working at a Public Library, and they have asked me to set up a staff intranet for them via Drupal. I've got version 5.7 installed and running clean, and my first question (probably of many) is, how would I go about linking a staff member's login information from the LDAP server to the Drupal login, so they don't have to log into their profile at work, and then log in AGAIN to get into the intranet?
Boiled down, I suppose my question is, how do I set up the login so Drupal takes the user's LDAP information for their session in Windows (the only Linux around here is the web server) and use that to log them into the intranet automatically?
I took a look at LDAP: Integration, but I'm not sure if that will meet my needs. Will this require custom coding, or is there another module that would accomplish this? I've searched around and turned up nothing so far.
Any help is appreciated.
Tom.
Comments
Single sign-on is probably
Single sign-on is probably what you are looking for. I believe LDAP can do it but Kerberos is probably more popular. There are the "webserver auth" module (http://drupal.org/project/webserver_auth) and "HTTP authentication" module (http://drupal.org/project/httpauth).
Once you have Drupal having Apache handle the authentication, mod_auth_kerb (http://modauthkerb.sourceforge.net) should get Apache using Kerberos as the authentication method and Microsoft has some documentation on using it: "Providing Active Directory authentication via Kerberos protocol in Apache" - http://support.microsoft.com/kb/555092
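An added configuration sketch (not part of the reply above) of the Apache side of that setup, using mod_auth_kerb directives. The realm `EXAMPLE.ORG`, the host name `intranet.example.org` and the keytab path are placeholders, and it assumes the Drupal module in use takes the login name from the `REMOTE_USER` value Apache sets.

```apache
# Added example. EXAMPLE.ORG, intranet.example.org and the keytab path are
# placeholders, not values from this thread.
#
# The keytab holds the key for the service principal
#   HTTP/intranet.example.org@EXAMPLE.ORG
# Anyone who can read it can impersonate the web server to clients, so keep
# it owned by root and readable only by the Apache user.

<Location />
    AuthType Kerberos
    AuthName "Staff intranet"

    KrbAuthRealms  EXAMPLE.ORG
    KrbServiceName HTTP
    Krb5KeyTab     /etc/apache2/http.keytab

    # Single sign-on: accept the Kerberos ticket the browser already holds
    # from the Windows logon (HTTP Negotiate / SPNEGO).
    KrbMethodNegotiate on

    # Do not fall back to a Basic-auth password prompt. With this on, the
    # password would be sent to the web server on every request, so it would
    # only be acceptable over HTTPS.
    KrbMethodK5Passwd off

    # Strip "@EXAMPLE.ORG" so REMOTE_USER is the bare login name
    # (requires mod_auth_kerb 5.4 or later).
    KrbLocalUserMapping on

    # Protect every path Drupal serves: a module that trusts REMOTE_USER
    # has no other check on who the visitor is.
    Require valid-user
</Location>
```

Browsers only send a ticket to hosts they are configured to trust for integrated authentication, so the intranet host name also has to be allowed on the client side.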
Thanks for the reply... I
Thanks for the reply...
I don't really have control over what is used for the login, so I believe I may be stuck with LDAP. I'll take a look at those two modules you posted, and see what they can do for me.
Authenticating to an LDAP
Authenticating to an LDAP server is easy once you have the proper query to use with the LDAP integration module. But the user still has to put in their username and password when they access the site. Kerberos documentation is probably more readily available for single sign-on rather than LDAP (I didn't even know LDAP had any sort of single sign-on capabilities until yesterday when I googled a bit).
Whatever approach you take, knowing how to get Apache to authenticate users via LDAP or Kerberos is good to learn. Very convenient to not have to duplicate authentication information to multiple servers.
Thanks again for posting
Thanks again for posting back.
If you have the links to the LDAP single sign-on pages you found, I'd be grateful, but I'm going to do my own searching for a while as well.
Tom.
----------------------------------------
My Drupal experience so far:
http://thedrupalexperience.blogspot.com/
LDAP SSO links
IBM had a bunch of pages (http://publib.boulder.ibm.com/infocenter/wsiihelp/v8r3/topic/com.ibm.web...) but that stuff looks like it might be more specific to their WebSphere software and probably not easy to implement.
Linux Journal has an article on single sign-on with LDAP (http://www.linuxjournal.com/article/8375) but it, along with most other articles that googling "ldap single signon" came up with, uses Kerberos to provide the single signon capabilities with the authentication information stored in an LDAP server.