I have successfully configured the LDAPAuth module (I must use authentication) to integrate AD users into Drupal.

The question now is how to integrate the users' security groups located in AD's "Member of:" field for each user.
How do I do this?
Which of the 3 settings do I use?
("Group is specified in user's DN", "Groups are specified by LDAP attributes", "Groups exist as LDAP entries where a multivalued attribute contains the members' CNs")

Example(s) would be fine.

/MartOn

Comments

marton wrote:

I solved this.
This is not an issue anymore.

/MartOn

lias wrote:

I also use Active Directory and the ldap-auth module. I know I will have to move to groups and would like to have the info, if you wouldn't mind sharing?
Thanks.
Lsabug

marton wrote:

Sorry for not posting the solution :-)
Here is my config:

Prereq:
I use a system account that has access to AD, because we do not allow anonymous connections.

ldapAuth settings:

Server settings:

Organization name: here I put our Active Directory name
LDAP Server: here I put the IP address of an AD controller
LDAP Port: 389
TLS encryption: not selected
Store passwords in encrypted form: not selected

Login procedure:

Do not store users' password during sessions: not selected

When logging in, Drupal will look...: I chose Drupal's own database; if that fails, look to LDAP

Base DNs: here you have to set your DN path to where your users reside.

Example:
If you have an AD named: ad.mycompany.int
And users are stored in the Internal OU (it will automatically look in sub-OUs, so this is the topmost)
String is then: OU=Internal,DC=ad,DC=mycompany,DC=int

Username attribute: sAMAccountName

Advanced config:

DN for non-anonymous search: your sys AD account
Password for non-anonymous search: password for your sys AD account

ldapdata settings:

Drupal-LDAP fields mapping

Same, but read-only mode: SELECTED
Drupal field - LDAP attribute
mail = mail
The others I have left blank, since I do not need them.

Editing LDAP attributes directly

Attributes displayed on user pages: Here I checked Last Name, Common Name & Company Name
Attributes that can be edited by users: Here I have none chosen, since I do not want Drupal to write back to AD

Advanced configuration

Here it is the same as for ldapauth

ldapgroups settings:

Group is specified in user's DN: not selected
Attribute of the DN which contains the group name: OU
Groups are specified by LDAP attributes: SELECTED
Attribute names (one per line): MemberOf

Groups exist as LDAP entries where a multivalued attribute contains the members' CNs: not selected
Nodes containing groups (one per line):
Here I have the same DN as in ldapauth

Example:
If you have an AD named: ad.mycompany.int
And users are stored in the Internal OU (it will automatically look in sub-OUs, so this is the topmost)
String is then: OU=Internal,DC=ad,DC=mycompany,DC=int

Attribute holding group members: memberUid

That's it!
I hope this works for you also, though it may not if you have a different security setup and AD build-up/configuration.

/MartOn

lias wrote:

I appreciate it!

BenMirkhah wrote:

Thanks for writing this post; it worked great after editing
modules\ldap_integration\ldap_integration\ldapgroups.conf.php
to something like
'CN=LDAP_group_name,OU=Teams,OU=Security Groups,DC=our_company_name,DC=com' => 'Drupal_role_name'
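The three ldapgroups settings marton lists above, and the group-DN-to-Drupal-role mapping BenMirkhah edited into ldapgroups.conf.php, side by side as a worked example. This is added code, not the ldap_integration module's own: the directory entries, DNs, user and role names are constructed to match the thread's examples (one domain, ad.mycompany.int, is used throughout), and strategy 3 reads the AD `member` attribute because a default AD schema stores member DNs there, not in posixGroup's `memberUid`. Two points it shows that the settings alone do not: AD may return group DNs with different case and spacing than the string in the mapping, so match on normalized DNs rather than raw strings; and a user's `memberOf` lists direct memberships only, so nested groups need a walk of the group entries. Separately, the quoted setup binds the system account to port 389 with TLS off, which sends that account's password to the domain controller in cleartext on every lookup.

```python
"""Added example (not ldap_integration code): the three ldapgroups strategies
from the thread, applied to constructed AD data, plus group-DN -> Drupal-role
mapping in the shape of the ldapgroups.conf.php entry quoted in the thread."""


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash escapes ("CN=Smith\\, John"),
    which a plain str.split(",") would cut in two."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: keep both
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [r.strip() for r in rdns if r.strip()]

def rdn_parts(rdn):
    """'OU=Internal' -> ('ou', 'Internal'); attribute types are case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()

def normalize_dn(dn):
    """Comparison key: AD matches DNs case-insensitively and ignores space after
    separators, so a role map keyed on the raw string misses 'cn=foo' vs 'CN=Foo'."""
    return ",".join(f"{a}={v.lower()}" for a, v in map(rdn_parts, split_dn(dn)))

def rdn_value(dn):
    """Leftmost RDN value, i.e. the CN of a group DN."""
    return rdn_parts(split_dn(dn)[0])[1]

def groups_from_user_dn(user_dn, attr="ou"):
    """Setting 1, 'Group is specified in user's DN': the OUs of the user's own DN."""
    return [v for a, v in map(rdn_parts, split_dn(user_dn)) if a == attr]

def groups_from_attribute(user_entry, attr="memberOf"):
    """Setting 2, 'Groups are specified by LDAP attributes': CNs of the user's
    memberOf values. AD lists only *direct* memberships in memberOf."""
    return [rdn_value(dn) for dn in user_entry.get(attr, [])]

def groups_from_group_entries(user_dn, group_entries, member_attr="member"):
    """Setting 3, groups are entries whose multivalued attribute lists members:
    find the group objects naming the user's DN. A default AD schema keeps
    member DNs in 'member'; posixGroup's memberUid holds uid strings instead."""
    target = normalize_dn(user_dn)
    return [rdn_value(g) for g, e in group_entries.items()
            if any(normalize_dn(m) == target for m in e.get(member_attr, []))]

def expand_nested(group_dns, group_entries):
    """Follow group -> memberOf links so membership in a nested group counts too.
    Returns the set of normalized group DNs reached."""
    by_key = {normalize_dn(k): v for k, v in group_entries.items()}
    seen, stack = set(), [normalize_dn(d) for d in group_dns]
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(normalize_dn(p) for p in by_key.get(g, {}).get("memberOf", []))
    return seen

# Group DN -> Drupal role, keyed by normalized DN (constructed group and role names).
ROLE_MAP = {normalize_dn(k): v for k, v in {
    "CN=LDAP_group_name,OU=Teams,OU=Security Groups,DC=ad,DC=mycompany,DC=int": "Drupal_role_name",
    "CN=Web Editors,OU=Teams,OU=Security Groups,DC=ad,DC=mycompany,DC=int": "editor",
}.items()}

def roles_for(user_entry, group_entries, role_map=ROLE_MAP):
    """Roles for a login: direct memberOf groups plus nested ones; unmapped groups are ignored."""
    groups = expand_nested(user_entry.get("memberOf", []), group_entries)
    return sorted({role_map[g] for g in groups if g in role_map})

# Constructed sample directory data (no server is contacted).
GROUPS = "OU=Teams,OU=Security Groups,DC=ad,DC=mycompany,DC=int"
USER_DN = "CN=Smith\\, John,OU=Support,OU=Internal,DC=ad,DC=mycompany,DC=int"
USER_ENTRY = {
    "sAMAccountName": ["jsmith"],
    # Case and spacing deliberately differ from ROLE_MAP: AD may return either form.
    "memberOf": ["cn=ldap_group_name, ou=Teams, ou=Security Groups, dc=ad, dc=mycompany, dc=int",
                 f"CN=Helpdesk,{GROUPS}"],
}
GROUP_ENTRIES = {
    f"CN=Helpdesk,{GROUPS}": {"member": [USER_DN], "memberOf": [f"CN=Web Editors,{GROUPS}"]},
    f"CN=Web Editors,{GROUPS}": {"member": [f"CN=Helpdesk,{GROUPS}"]},
    f"CN=LDAP_group_name,{GROUPS}": {"member": [USER_DN.lower()]},
}

if __name__ == "__main__":
    print(groups_from_user_dn(USER_DN))                       # ['Support', 'Internal']
    print(groups_from_attribute(USER_ENTRY))                  # ['ldap_group_name', 'Helpdesk']
    print(groups_from_group_entries(USER_DN, GROUP_ENTRIES))  # ['Helpdesk', 'LDAP_group_name']
    print(roles_for(USER_ENTRY, GROUP_ENTRIES))               # ['Drupal_role_name', 'editor']
```

In a live setup the user entry and the group objects come from the LDAP searches the module runs under the Base DN configured above; here they are the constructed dicts at the bottom, so the script runs offline. Note that "Helpdesk" is a direct membership but maps to no role, while "Web Editors" is reached only through Helpdesk's own memberOf and still yields the `editor` role, which is the nested-group case a direct read of the user's memberOf would miss.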

Мак Сим wrote:

Thank You!

wastrilith2k wrote:

This would be helpful to me also!

Thanks,

James

yclaic wrote:

Our organization is changing every day. How can I sync this data?