I've installed the LDAP module and it seems to work to authenticate against our corporate Active Directory server. As an additional step, I tried installing the "webserver_auth" module (on Apache) to do the inital NTLM login. The goal would be that a user who is logged into out corporate network would be able hit Drupal and be logged in without having to manually log in.

Here's the catch, we want to use LDAP groups to grant access within Drupal. Basically, using AD (and I would assume a non-anonymous search login) we would use the NTLM user (which is the sAMAccountName) and then do the LDAP group lookup.

Is this reasonable? Would it be something that could be added to the basic LDAP module to just use the NTLM user if it's present as the Drupal user and then grant rights based on the LDAP groups?

Oh.... and the "webserver_auth" module DID log the user in fine... The problem was that it looks like NEW users don't get set up using the LDAP module and old users don't get updated.

Comments

miglius’s picture

ldapdata is the module which takes care of syncing drupal and ldap user's data.

WAKeaney’s picture

So, am I to understand that if a user is successfully authenticated through webserver_auth/NTLM, that ldapdata will still handle their LDAP Group-based role assignments?
I see a number of related tickets in the Issues queue, but no definite solutions.