The Webserver Auth module is an excellent tool for using an Active Directory server for single sign-on in Drupal. Unfortunately, I've had limited success in setting up the webserver authentication.

There is a module (Apache 2.0, Apache 2.2) for authenticating against an LDAP server, but I haven't been able to correctly set up an Apache directive to completely authenticate against our Active Directory server. Microsoft seems to recommend Kerberos authentication; is that easier to set up than LDAP authentication?

Some nodes have discussed AD integration to some extent [1]. While this is more of an Apache-oriented question, I thought it would be useful for other Drupal users to have an example of a working Apache AD lookup directive. I don't know too much about AD; I've just been working from examples I've found on the net.

The directive I'm using is able to query our AD server, and the AD server log indicates that a correct username/password was found on the server, but Apache returns an Error 401, Authentication Required ("This server could not verify that you are authorized to access the URL"), and the Apache error log states: "auth_ldap authenticate: user joeshmoe authentication failed; URI / [ldap_search_ext_s() for user failed][No Such Object]".

Anyone have any thoughts or have a working AD lookup directive they could post? Thanks!

<Directory />
AuthName "Active Directory Lookup"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.my.server.com/DC=server,DC=com?uid?sub?
# I've also tried cn and sAMAccountName instead of uid

# AuthLDAPCompareDNOnServer off

# AuthLDAPBindDN 
# AuthLDAPBindPassword 

# Indicate that LDAP authentication is the only valid method of authenticating (I've tried this both on and off)
AuthzLDAPAuthoritative off

# Must be a valid user in order to log in
Require valid-user
</Directory>
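Since the post asks for a working AD lookup directive, here is an added example of the shape that usually works against Active Directory with Apache 2.2's mod_authnz_ldap. It is not the original poster's configuration and not code from the Drupal project or the webserver_auth module. The host dc01.example.com, the base DN DC=example,DC=com, the service-account DN, the password placeholder, the CA certificate path and the document root are all assumptions to be replaced with local values. The two things it changes relative to the posted directive are the ones that most often produce the "No Such Object" search failure against AD: AD refuses anonymous searches, so the module needs a bind account before it can look the user up, and AD users are keyed by sAMAccountName rather than uid.

```apache
# Added example (not from the original post): mod_authnz_ldap on Apache 2.2
# authenticating Basic-auth users against Active Directory.
# All hostnames, DNs, paths and the password below are placeholders.

# Pin the domain controller's CA so a spoofed DC cannot harvest passwords
# that Apache forwards during the bind (mod_ldap directives, server scope).
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<Directory "/var/www/drupal">
    AuthName "Active Directory Lookup"
    AuthType Basic
    AuthBasicProvider ldap

    # AD does not permit anonymous searches of the directory, so a
    # low-privilege service account must bind first to find the user's DN.
    # Without this, the search runs anonymously and fails with "No Such Object".
    AuthLDAPBindDN "CN=svc-web-auth,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "PLACEHOLDER-service-account-password"

    # AD logons use sAMAccountName, not uid. Search the whole subtree under
    # the base DN and restrict matches to user objects. ldaps on 636 keeps
    # the user's password encrypted between Apache and the DC.
    AuthLDAPURL "ldaps://dc01.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Do not let a failed LDAP check fall through to another auth provider.
    AuthzLDAPAuthoritative On

    # Any user that binds successfully is allowed in; Drupal decides the rest.
    Require valid-user
</Directory>
```

Two caveats that matter in practice: the base DN must be the real forest domain (for a domain named corp.example.com it is DC=corp,DC=example,DC=com, which is a frequent source of the same "No Such Object" error), and because AuthType Basic sends the password base64-encoded on every request, the Drupal site itself should be served over HTTPS, not just the Apache-to-DC leg. The service account in AuthLDAPBindDN needs only read access to user objects; give it nothing more, since its password sits in httpd.conf.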

Comments

jsloan

Check out NTLM Authentication; the solutions there worked for me. BTW: are you using Apache2 on NT or Linux?

siromega

I also want to implement a single sign-on with Drupal and Apache2.

Here is my config:
Server: Windows XP (will be Win 2k3 Server in production, hopefully there should be no issues moving it)
HTTPD: Apache 2.0.55
PHP: 4.4.2
Drupal 4.7.2

I did look at the NTLM auth module, but it seemed written for Linux installs (and mine is a Windows install). Also, the above linked thread mentioned switching from Apache to IIS, another non-option for me.

I did use an Apache module (mod_auth_sspi) and was able to successfully password-protect the directory (and, by typing in my Active Directory user/pw, authenticate into the site); however, I don't want that coming up every time someone tries to view our page. Nor do I want everyone at the company to have an entry in the users table (though I could live with it if I can effectively manage permissions). There is other stuff I would like too, like translating people's usernames into their real names ("Welcome John Doe!" instead of "Welcome doej!").

At this point, though, I'd just be happy to have NTLM authentication working inside Drupal (e.g. not as part of a <Directory> directive in httpd.conf): utilizing SSO to autodetect their username (via IE or FF if configured correctly), and then letting them do whatever they have permissions to do (read only, post blog entries, post front-page stuff, etc.).

Any help would be greatly appreciated!

jsloan

Install the webserver_auth module.

Turn on "Automatic Logon" in your browser.
For IE it is under Tools > Internet Options... > Security > Local Intranet > Custom Level: scroll down to the bottom and select "Automatic Logon only in Intranet Zone".

For Firefox, type about:config into the address field, find the setting network.automatic-ntlm-auth.trusted-uris, double-click it and enter a mask of your trusted domains, e.g. [ *.domain.com ].

Under administer > settings > user, select "Only site administrators can create new user accounts." This will prevent the creation of an account for every new webserver_auth-authenticated visitor.

If the NTLM user ID matches a registered Drupal user ID, then the user will be logged in.
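The steps above cover the browser and Drupal sides of the NTLM pass-through; the httpd.conf side that the posters are using (mod_auth_sspi on Apache 2.x for Windows) is shown below as an added example. It is not code from any poster or from the module's own distribution. The directive names are the ones mod_auth_sspi documents in its README, written here from memory and to be checked against the installed version; the LoadModule path, the document root and the EXAMPLE domain are placeholders. The settings that matter for the "user ID matches a registered Drupal user ID" rule are the ones that shape REMOTE_USER, since that is the value webserver_auth compares against the Drupal user name.

```apache
# Added example (not from the thread): mod_auth_sspi NTLM pass-through
# for the Drupal directory. Path, domain and document root are placeholders.
LoadModule sspi_auth_module modules/mod_auth_sspi.so

<Directory "C:/Apache2/htdocs/drupal">
    AuthName "Intranet"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On

    # Accept logons from this Windows domain only (placeholder).
    SSPIDomain EXAMPLE

    # Never fall back to Basic: that would raise a password prompt and send
    # the AD password base64-encoded instead of using the Windows token,
    # which is exactly the prompt siromega wants to avoid.
    SSPIOfferBasic Off

    # Strip the "EXAMPLE\" prefix so REMOTE_USER is the bare account name
    # that webserver_auth compares with the Drupal user name.
    SSPIOmitDomain On

    # Normalise case so "DoeJ" and "doej" resolve to the same Drupal account
    # instead of silently failing to match (or creating a second user).
    SSPIUsernameCase lower

    Require valid-user
</Directory>
```

Browsers only send the NTLM token automatically to hosts in their intranet/trusted zone, which is why the IE and Firefox settings above are part of the procedure; from any other host this configuration produces a logon prompt rather than a silent logon. Keep "Only site administrators can create new user accounts" enabled in Drupal as well, otherwise every domain user who browses to the site gets an account created, which is the behaviour described later in the thread.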

GaryWong

Hi,

I have the same setup (mod_sspi.so on Apache 2.x on Windows 2003 Server) with Drupal 6.x and webserver_auth module v6.x-1.0.

NTLM pass-through works GREAT, but users are still being auto-created, even though I have "Only site administrators can create new user accounts" enabled.

jsloan

I had the same errors you discovered here: Conflict with taxonomy access? It turns out that the error was caused by corruption of the $user object when the webserver_auth account name was not found. I have submitted an explanation and proposed fixes along with a patch.