I'm attempting to get LDAP integration working at my university. I am running into some obstacles, however.

Here is the configuration:
I only have the LDAPAUTH module enabled, since I would only like users to be able to log in to Drupal using their LDAP usernames and passwords.
Choose authentication mode: LDAP directory only
Choose user conflict resolve procedure: Disallow login and log the conflict
Do not store users' passwords during sessions: unchecked
Server settings:
ldaps://ldap1.x.x.edu
Port: 636
StartTLS: ON
Store passwords in encrypted form: off
Login Procedure:
ou=people
dc=ourschool
dc=edu
UserName attribute: uid
Email attribute: mail
Advanced Configuration: not used

Currently the only account being used is id 1. Anyone in LDAP should be able to log in to Drupal at this point, correct?

Drupal's logs are stating no problems, except when an LDAP user attempts to log in, it says their login is incorrect.

I am wondering how I could troubleshoot this more, since there is not much information given back, for example if the connection is made.

I have LDAP working on a PHP application I made, so I know it's not a server issue.

Any help is appreciated, I have followed all the docs and tutorials I could find as well.

Thank you,
Bassglider

Comments

miglius

Base DNs for you should be one line:
ou=people,dc=ourschool,dc=edu

bassglider

I fixed that, thanks, but it must be a different issue. When I try to log in with an LDAP account, I get this error:
Sorry, unrecognized username or password. Have you forgotten your password?

miglius

Have you checked the Drupal logs for ldapauth? Anything there?

bassglider

I checked the logs and found this:
Could not start TLS. It does not seem to be supported by this PHP setup.
I turned StartTLS off since we are using ldaps currently. The error goes away, and the login situation is the same.
When I edit the base DNs to
ou=people,dc=ourschool,dc=edu
it saves it as:
ou=people
dc=ourschool
dc=edu

cpugeniusmv

Is the SSL certificate on the LDAP box self-signed?

johnbarclay

If you are at a university, your LDAP is probably not searchable anonymously because of FERPA constraints. You should see if this is the case and, if so, set up a service or machine account that has limited search rights on the LDAP. Then enter its DN and password in the Advanced configuration.

"The process of authentication starts by establishing an anonymous connection to the LDAP directory and looking up for the user on it. Once this user is found, LDAP authentication is performed on them."
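The three-step flow quoted above (connect, look the user up, then bind as the user) can be reproduced outside Drupal so that each step reports the server's real LDAP error instead of a generic login failure. This is an added diagnostic script, not code from the ldapauth module; the URI, base DN, service-account DN and CA file path are placeholders to adjust for your directory.

```php
<?php
// Added diagnostic (not part of ldapauth): replays the module's login flow step by
// step and prints the LDAP error for whichever step fails. Placeholders throughout.
$uri       = 'ldaps://ldap1.example.edu:636';   // assumption: LDAPS, so no StartTLS
$baseDn    = 'ou=people,dc=ourschool,dc=edu';   // one line, comma separated
$svcDn     = 'cn=SERVICE-ACCOUNT-PLACEHOLDER,ou=Specials,dc=ourschool,dc=edu';
$svcPw     = getenv('LDAP_SVC_PW') ?: '';       // read from the environment, never hard-coded
$uidAttr   = 'uid';
$loginName = $argv[1] ?? '';
$loginPw   = $argv[2] ?? '';

function fail(string $step, $conn) {
    fwrite(STDERR, sprintf("%s failed: %s (%d)\n", $step, ldap_error($conn), ldap_errno($conn)));
    exit(1);
}

// Keep certificate verification on and point at the CA that signed the server cert,
// rather than relaxing TLS_REQCERT, which disables the check for every LDAP client
// on the host. (Global TLS options need PHP >= 7.1; older PHP: export LDAPTLS_CACERT.)
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/ldap-ca.pem'); // placeholder path
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$conn = ldap_connect($uri);   // lazy: a network/TLS problem surfaces at the first bind
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Step 1: bind as the service account (anonymous if $svcDn is left empty).
if (!@ldap_bind($conn, $svcDn ?: null, $svcPw ?: null)) fail('service bind', $conn);
echo "service bind OK\n";

// Step 2: find the user's DN by uid. Escaping keeps the login name from changing the filter.
$filter = sprintf('(%s=%s)', $uidAttr, ldap_escape($loginName, '', LDAP_ESCAPE_FILTER));
$res = @ldap_search($conn, $baseDn, $filter, ['dn', 'mail']);
if (!$res) fail('search', $conn);
$entries = ldap_get_entries($conn, $res);
if ($entries['count'] !== 1) {
    fwrite(STDERR, "found {$entries['count']} entries for $loginName (expected exactly 1)\n");
    exit(1);
}
$userDn = $entries[0]['dn'];
echo "found $userDn\n";

// Step 3: bind as the user. An empty password would be an anonymous bind that "succeeds",
// so it is rejected explicitly before the real credential check.
if ($loginPw === '' || !@ldap_bind($conn, $userDn, $loginPw)) fail('user bind', $conn);
echo "user bind OK\n";
```

Run it as `php ldap-check.php <uid> <password>` on the web server itself, since the certificate and firewall situation there is what Drupal actually sees.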

bassglider

I am attempting to use the advanced configuration with the same DN that is in my PHP LDAP script on a different application.
From the PHP file:
$dn = "cn=dlus-trng, ou=Specials, dc=ourschool, dc=edu";
to
DN for non-anonymous search: cn=dlus-trng,ou=Specials,dc=ourschool,dc=edu
and entered the same password that my script uses (my LDAP script works, btw).

I saved this and tried to log in with my LDAP username and password and received the familiar error:
Sorry, unrecognized username or password. Have you forgotten your password?

I checked the logs again:
Message Login attempt failed for myldapusername.
ldapauth 11/20/2008 - 09:16 LDAP Configuration ITS LDAP SERVER has been updated. ... myusername

I am waiting on a response about the SSL cert being self-signed.

bassglider

I found out that the certificate is either a bad certificate or self-signed. Is there a temporary way around this until we get a signed cert?

Thanks

maikelm

Hi

I have a problem with the LDAP integration module. I installed this module in Drupal 5.x and it works very well. But when I install the module in Drupal 6, it fails. The configuration data are correct. The authentication process does not give any error, it only says "Sorry, unrecognized username or password. Have you forgotten your password?"

My configuration is:
***********************Server settings***************
name: nombre
LDAP server: 10.0.0.200
LDAP port: 389
***********************Login procedures***************
Base DNs: dc=hty,dc=cu
***********************Advanced procedure***************
DN for non-anonymous search:
cn=ad search, ou=Systems, ou=hty Domain Impersonals, dc=hty, dc=cu

Password for non-anonymous search:
uF2,rtdTUBSFH,.64hfduh

cpugeniusmv

Try adding a line with:

TLS_REQCERT allow

into your /etc/openldap/ldap.conf file on the web server.

I don't remember all the details about setting up our self-signed certificate, but I remember this helped.

bassglider

Is there anything in the code that I can modify to allow an unsigned cert? I'm afraid I do not have access to the /etc/ directory.

cpugeniusmv

Not that I'm aware of. You might be able to get away with a .ldaprc file in the web server user's home directory, but you probably don't have permission to do that either if you don't have permission to get into /etc.

bassglider

With an .ldaprc file, I probably could do this, but does it override the entire /etc/ldap.conf file or only override/add the options I put into it?

If I did this, would I need to see the whole ldap.conf file to paste into .ldaprc and then add TLS_REQCERT allow?

Thanks

cpugeniusmv

As far as I understand, the options from ldap.conf get parsed first and then if there's anything from .ldaprc that contradicts ldap.conf, .ldaprc wins.

bassglider

I don't have access to modify either. I'll see what I can do; thanks for helping me narrow the problem down.

web41% pwd
/etc/openldap
web41% ls -la
total 18
drwxr-xr-x 2 root root 512 Aug 8 14:54 .
drwxr-xr-x 80 root sys 7168 Nov 20 15:45 ..
-rw-r--r-- 1 root root 18 Aug 8 14:54 ldap.conf
web41% cat ldap.conf
TLS_REQCERT never

SyITec

Drupal newbie here.

I've been trying to get the LDAP_AUTHENTICATION working for the past week. I'm running Ubuntu 8.10 server (64-bit) with Drupal 6.6 and the 6.x-1.0-alpha2 module. I installed LAMP and that is basically it. I've tried almost everything from the forums to Google search and no luck. I haven't been able to log in with any AD accounts. I get the same messages everyone is receiving. Do I need to install libnss-ldap or LDAP tools, etc.? Any help would be appreciated.

cgmonroe

Status: Active » Closed (fixed)

Clearing out old support requests - reopen if still needed.