Webserver authentication

Doh! Shame I can't edit that last post - I missed 1 line out of the edit. An important one.

Try the new patch of the module. Use the same admin edit.

BTW my patches also make user 1 authenticated by the the same methods as everyone else.

Can you please use a standard '-u' option to a diff when creating a patch, it would me more readable then. I don't have a IIS server so I cannot test it.

sorry - just got carried away.

here is a combined unified diff.

this looks great! haven't been able to get everything working alright yet, but soon it will!! This is exactly what I want anyway!

when toggling http/ntlm auth on and then trying to change anything I get " Validation error ......"
why? it works fine when using only ldap auth.

ok, found the problem. You are reading authmap, and expect to find something in there, but you never create anything so it will work if one manually create all users in the authmap and set it to ldapauth (as requested in your validation) or changing the db_result to look in say users database instead.

It will not work on a new install of drupal and it will not work if you have used webserver_auth before without manually add it/change it.

Update: Authmap isn't updated if the users already exists, if one delete the users it will update accordingly.

Is this still in progress? The only thing for me left to fall in absolute love with LDAP Auth is that
NTLM (SSPI) Stuff for autologin.
This post looks like the most promising for me, so I hope ther'll come in some new patches or explanations :)

Greetings
Zewa

Ditto

Several issues I can see here:

1. As mentioned by cybertron1 the new user won't have an entry in the authmap table;
2. The module should perform authentication if the global $user is not an object, which means that authentication should not be performed on each page load, but rather once on the first page request;
3. I don't like the idea that user with uid=1 is forced to the LDAP authentication as well. This means that if ldap authentication is misconfigured, there is no access to the site to fix it.

subscribe

I'll admit it needs work. But it is currently working for me so I haven't updated the LDAP module on my installation.

1. On my server the users do have entries in authmap.
2. Okay - i've admitted it needs work.
3. I kind of see your point - but if LDAP auth is working - I'll never be able to login as user 1, because I'll be logged in as the username used in LDAP. At least if it is misconfigured. I can fix it by the back door (ie. removing ldap and and then logging in using the normal methods).

When I get some time I'll quite happily have a look at these issues but I have issues more pressing for me atm.

...the new user won't have an entry in the authmap table;

In that case, user experience should be no different than of an anon user. Maybe show a message similar to if a bad username typed in first time Drupal "sees" that user?

Here is a patch to the latest dev release.

It now makes no changes to use with user 1, so user 1 cannot authenticate by NTLM. Make sure you give admin rights to a user that is listed in LDAP else you won't have full admin rights without removing NTLM.

I don't know why people keep saying new users won't have an entry in authmap. This patch does not change the fact that LDAP integration is making authmap entries.

The only difference this is meant to make is that rather than authenticating the user against LDAP it takes the username that has already been authenticated by the webserver. If the webserver doesn't authenticate you will get the forbidden page.

silid: seems great! however, I am for the moment unable to get ntlm logon working this time around. I've got it working with webserver_auth so it isn't a problem with my iis.
I can login with ldap_auth, so that is not the problem.
It just doesn't log me in.

any ideas to look for?

Yeah sorry, it was my fault - glaring bug that I fixed after I uploaded it. I've been so busy I forgot to update it.

subscribing

I thing this is an important patch. The following worked fine:

- created ldap authentified user
- ldap_groups worked fine with it

but ran across some problems on a windows 2008 server with IIS 7:
- Its unclear how to logout without closing the browser. I realize this isn't a bug with the patch, but a feature or IIS integration.
- needs to support mixed mode authentication (webserver or drupal). I'm not sure if IIS will support this on the webserver side.

I think what the patch should strive to do is decouple ldap groups from ldap authentication such that any form of authentication can work with ldap groups. Then existing modules such webserver authentication can be used to complement ldap groups. http://drupal.org/project/webserver_auth

Is there functionality you need in the ldap_integration package besides ldap_groups?

subscribing

subscribing

While it might be useful, this is really unnecessary. It makes no sense to add this feature to LDAP Integration when there is already a module that does HTTP Authentication.

HTTP Auth (http://drupal.org/project/httpauth) has this functionality with a patch (http://drupal.org/node/449962). I'm currently using it on my Drupal site to allow HTTP Auth as another access method for feeds.

I could be wrong and you aren't doing this solely for HTTP Auth, but it seems to me that the other modules should hook into LDAP Integration rather than have us duplicate their functionality. The better solution would be to rewrite LDAP Integration to better fit within the Drupal authentication system so special cases won't need to be made in other modules.

Whether it gets postponed is up to the module maintainer.

Retsamedoc said: "I could be wrong and you aren't doing this solely for HTTP Auth"

I can't speak for Silid but it seemed like his goal was similar to mine: use LDAP for membership/authorization, but *not* for authentication.

We use webserver_auth module to read user ID from our Pubcookie (HTTPD Auth) login. Just today I put together webserver_auth with the latest (beta) ldap_integration (with John Barclay's recent enhancements) and the recent ldap_sync component.... and I managed to get what I want: We use webserver_auth for authentication, but the users and groups are provided by LDAP. ldap_sync is using the LDAP DN we configured in ldap_integration for "anonymous" lookup.

One concern I have is that users created via ldap_sync show "ldapauth" in their authmap records when strictly speaking those users are really "webserver_auth". I wonder if that will come back to bite me, but it is working for now. One problem I foresee is if a new user signs on (and auto-creates new account with webserver_auth auth type) before ldap_sync runs under cron and creates that account with expected authtype=ldapauth.

So, personally, I think it would be cleaner if the ldap_integration module had some configuration allowance for non-LDAP auth options (what Silid seemed to be doing), but I don't know that I am the person who could make that happen, code-wise.

I want to take a moment to thank John, Miglius, Richard (ldap_sync) and everyone else who has worked on this LDAP tool set. It's great.

Jim