i am using drupal as a content management system for an Intranet. The staff already has user names and password provided by the Active Directory running on Windows Server 2003. I will like the staff to log in to Drupal using the already existing username and password, ie the authentication must be done via the Active Directory.

I tried the ldap module for Drupal...didnt work.
I tried the webserve auth module for Apache...didnt work.

Can some one guide me here to get this to work please.

Here is my environement stats:

Drupal v 4.6.0
Apache 2.0.54
mySQL 4.1.11
php 5.0.4
phpMyAdmin 2.6.2
OS - Windows Server 2003

Thanks

Comments

sepeck’s picture

I would give the WebServer Auth module in combination with IIS a try. I don't know of anyone else with your setup.

-sp
---------
Test site...always start with a test site.
Drupal Best Practices Guide

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

xamount’s picture

Why IIS and not Apache? However, i'll still give IIS a go.
However what steps do i follow apart from changing over to IIS?

Do i just run IIS and allow active directory through IIS together with installing the webserver auth module in drupal?

So if i do the above then users should be able to log in as normal?

sepeck’s picture

Well, I was thinking that the Webserver authentication module may pick up on IIS options. I don't know much about Apache. I have not tried the module.

-sp
---------
Test site...always start with a test site.
Drupal Best Practices Guide

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

xamount’s picture

How much will it cost to pay a developer to have my drupal intranet integrated with my active directory?

sepeck’s picture

I have no idea. Someone who understands IIS and MySQL and AD? Perhaps search through iis-faq.com or the MS site. You want to look into web server authentication. Put the webserver_auth module and instead of anonymous access configure IIS authentication itself.... Sounds like a pain to figure out but certainly do-able. I will point out two things, I have not done it and literally have no time to even pretend to try it for an unknown time frame.

-sp
---------
Test site...always start with a test site.
Drupal Best Practices Guide

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

xamount’s picture

I tried everything you said. Played around with IIS user authentication, tried webserver_auth, tried ldap integration module.
Nothing worked. Still stuck at square one.

Is there any other way? how much would it cost to get a working module for this?

jsloan’s picture

I am using both Drupal 4.5 and 4.6 on Windows 2003/IIS5. The NTLM authentication works fine. I use it to identify the user and then look up the account in the Active Directory (LDAP) to retrieve the user name and email address. they are automatically logged in If the user has an account on the site --- otherwise they remain a "anonymous" visitor, but I do add the LDAP info to the PHP session so that they can post and email.

Give me a day to review the setup and I'll post the info here.....

jim

xamount’s picture

Thank you very much, your case scenario is exactly what I am trying to accomplish. I anxiously await your instructions.

sepeck’s picture

If you could add a page here:http://drupal.org/handbook/config/contribmodules

and use my ccontact form to let me know, I can review and approve it for the handbook. Otherwise, let me know when you post it here and I can reformat it and post it there for you. I would rather you get the credit for the documentation though. :)

-sp
---------
Test site...always start with a test site.
Drupal Best Practices Guide

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

jsloan’s picture

Here are a few notes that you can use to get NTLM authentication working using the module webserver_auth. This does not authenticate against the LDAP (I'll post instructions on that later) rather this will pass logon credentials to the server via the browser. A type of single signon...

my environment:
Server
-Windows 2000
-IIS5
-PHP 4.3.1
-Drupal 4.6 w/module: webserver_auth

Client
-XP(SP2)
-IE6(sp2)
-Firefox 1.0.4

Assumptions:
Server and Workstations are members of a NT domain. The user has logged on the workstation using a domain account.

Settings:
On the IIS web server make sure that the “Integrated Windows authentication” is checked on and I turn Anonymous access off. (This is in properties>Directory Security>Anonymous access and authentication control [Edit])

IE browser settings for User Authentication should be set to Automatic.
(Tools>Internet Options...>Security>Local Intranet>Custom Level>User Authentication)

Firefox settings; (type in about:config in the address bar) find the Preference Name of network.automatic-ntlm-auth.trusted-uris and set the value to a comma separated list of servers that use NTLM authentication. My value is for our domain so I used .mchs.com

To make sure everything is working point your browser to a phpinfo() page.
(just put the following line in a text file and name it phpinfo.php)
phpinfo();
Under the section titled “PHP Variables” you should see the NT account name in the _SERVER[“AUTH_USER”]

If this is successful then the webserver_auth module should work. The behavior of the module is dependent on your user settings. If you allow visitors to create accounts without administrator approval then an account will be created upon the first visit of an NTLM authenticated user.

This will establish an operational base for using NTLM. I notice that you are using Apache 2.0 on Windows 2003. I have not tried that setup. You will need to get an Apache Module to handle the server side NTLM. I have sucessfully implemented the mod_ntlm on Apache 1.3 on Linux (Debian Sarge) and this is the direction our Intranet is going.

I hope this helps....
jim

xamount’s picture

Your environment
Server
-Windows 2000
-IIS5
-PHP 4.3.1
-Drupal 4.6 w/module: webserver_auth

My Environment:
Server
-Windows 2003
-IIS6
-PHP 5.0.4
-Drupal 4.6 w/module: webserver_auth

I dont think the change in server 2000 to 2003 makes a difference however. the difference in PHP i am not sure.

I followed your steps. However, now i get a blank page for my drupal site. The last thing i did before the blank page was to enable users to be automatically created when they enter the site.

I then re-enable anonymous login on IIS6 and now i get back the site but at the top of the site there are php errors as follows:

warning: array_merge() [function.array-merge]: Argument #2 is not an array in C:\Apache2\htdocs\modules\webserver_auth.module on line 28.

user error: Duplicate entry '' for key 2
query: INSERT INTO users (created, changed, uid) VALUES ('1117733056', '1117733056', '25') in C:\Apache2\htdocs\includes\database.mysql.inc on line 66.

warning: Invalid argument supplied for foreach() in C:\Apache2\htdocs\modules\user.module on line 174.

What really bothers me is that the errors point to the old directory where i have apache installed too. I had Apache and then changed over to IIS by just basically copying all the files from the HTDOCS folder and pasting to the IIS wwwroot folder. I dont think this is an issue as the site was fully functional before i followed your steps.

Apache does not run in the background in case you are thinking that. The service has been stopped. Only the IIS6 service is running.

What could be causing these php errors?

xamount’s picture

It is important to note that when i reverse the step where i allow users to be created automatically without administrators approval, everything is back to normal on both IE and Firefox.

jsloan’s picture

The webserver_auth.module is being loaded from the \Apache2\htdocs\ directory... double check the installation and paths to the new directory (Or just point the IIS home directory path to \Apache2\htdocs\ )

Did the phpinfo() test work in regard to your NTLM settings?

xamount’s picture

I set the home directory for IIS to both \Apache2\htdocs\ and Inetpub/wwwroot and i still get the blank page.

I dont think that is the problem however. The site was fully functional (with every aspect of the site working) when I had IIS installed and pointing to Inetpub/wwwroot.

> Did the phpinfo() test work in regard to your NTLM settings?

Yes it did work. The HTTP_AUTH showed my domain and username.

jsloan’s picture

Let's get back to a working install:
Set the status of the modules webserver_auth to 0
Use your favorite tool to update the mysql tables - here is the code to use:

UPDATE `system` SET `status` = '0' WHERE `filename` = 'modules/webserver_auth.module' LIMIT 1 ;

Take a look at your users list and delete any users that may have been created by the module.
Then enable the module and test again.

xamount’s picture

I am still getting the blank page when i tried what you just said.

The index page is blank only, however if i try to access another page i get tru.

I am going to re-install drupal from start and create a new database for it etc. This will illiminate all installation problems that I might have had. (My site was only a test site so i wont lose much info.)

Then I will try your instructions again and let you know what happens.

xamount’s picture

I re-install Drupal, re-created my sql database. This should have eliminated all installation problems if any existed.

I am still getting the initial php errors at the top of the page.


warning: array_merge() [function.array-merge]: Argument #2 is not an array in C:\Inetpub\wwwroot\modules\webserver_auth.module on line 28.
user error: Duplicate entry '' for key 2
query: INSERT INTO users (created, changed, uid) VALUES ('1117733056', '1117733056', '25') in C:\Inetpub\wwwroot\includes\database.mysql.inc on line 66.
warning: Invalid argument supplied for foreach() in C:\Inetpub\wwwroot\modules\user.module on line 174.

As you can see, it is now at least pointing to the correct Inetpub/wwwroot directory.

If I were to try to access the site more than once, i get a blank page.

If order to get back my site, i must re-ebable anonymous login.

xamount’s picture

You said you were going to post LDAP support instructions at a later point.

Do you want me to try those instructions instead or do they depend on getting the webserver_auth to work first?

jsloan’s picture

I will look into the error...

the LDAP implementation does not require the NTLM, but when working it will allow the auto-login and then what I call "Identified Visitors".(domain users that are identified via NTLM and LDAP but do not have an account on the department site)

-more later-

xamount’s picture

hey just a gentle reminder for the ldap support.

jsloan’s picture

Sorry that this thread was dropped on my end. This year we are rolling out our new Intranet based on 4.7.0 and I've been using the Ldap_integration module for authentication. See the my other post below.

Nikkol’s picture

jsloan - you seem rather versed in ldap auth. Is it possible to allow auto registration if a user has a domain account (either doing it through webserver_auth or throug ldap) but then also allow people to outside our domain to register their own account? I'd like local users not to have to keep up with two usernames and passwords.

Any help is greatly appreciated!!!

jsloan’s picture

I'm using the ldap_integration module. It has a login procedure setting for "Drupal's own database. If it fails, will look on the LDAP directory" that way I can have accounts I create and autocreated Active Directory accounts. As long as you have the User settings set for "Visitors can create accounts and no administrator approval is required." then users can create their own accounts.

Use the LDAP integration module and look at this patch I posted that fixes a few little problems.

imerlin’s picture

I've successfully integrated apache to our ADS server for other webs like source control and intranet. Not using Drupal for intranet atm but If the webserv auth module works, this should too.

I've never cared much for ntlm auth in apache, try krb instead. I'll try this myself when I have the time.

tomhung’s picture

LDAP Auth module works great. We also use LDAP Data to sync some AD fields with Drupal profiles. Its been wonderful. The docs are bit dodgey but we got it to work.

If you are still interested in specifics, email me and i'll send you a sanitized version of my setup.

G

tomhung’s picture

We are connecting Drupal to Active Directory. We want people to login to Drupal with their AD account and password. We want the Drupal profile to have many of the AD attributes.

We grouped the profile attributes into editable and non-editable attributes (profile categories or fieldsets). This lets the user edit their non sensitive account information (ex. display name, phone, fax, etc). For the non-editable profile attributes, we remove these from the profile $form via a hook_form_alter (ex. manager, dept, title, etc). This way their profile displays all the attributes but only lets them edit/sync the ones we choose.

*note: when someone changes username (ex. women changes name with marriage) sometimes we have to delete the drupal user and hit the LDAP Sync button to get them reconnected.

LDAP Authorization

Authentication mode

* Choose authentication mode: Mixed mode. The LDAP authentication is performed only if Drupal authentication fails
* Choose user conflict resolve procedure: Associate local account with the LDAP entry

Security Options

* Do not store users' passwords during sessions: Checked
* Sync LDAP password with the Drupal password: Not Checked

LDAP UI Options

* Remove password change fields from user edit form: Checked
* Alter email field on user edit form: Remove email field from form

LDAP Server settings (List tab, edit)

Server Settings

* Name: Corporate
* LDAP Server: ldap.domainname.com
* LDAP Port: 389
* Use Start-TLS: Not Checked
* Store passwords in encrypted form: Not Checked

Login Procedure

* Base DNs: OU=Managed,DC=domain,DC=com
* UserName attribute: sAMAccountName
* Email attribute: mail
* PHP to transform login name: EMPTY
* PHP to filter users based on their LDAP data: EMPTY

Advanced configuration

create a service account with non-anonymous search & password
* DN for non-anonymous search: CN=accountname,OU=Service Accounts,DC=domain,DC=com

LDAP Data:

Drupal-LDAP fields mapping

* Drupal user profile field mapping: Read/write: Drupal user profile fields have LDAP attributes. LDAP attributes updated upon Drupal profile change.

Create profile attributes then link them to the LDAP attributes. I'll display ours yours may very as to what you want to link.

Drupal Field: LDAP attribute

   profile_displayName - displayName
   profile_title - title
   profile_department - department
   profile_officephone - telephoneNumber
   profile_extentionphone - otherTelephone
   profile_faxphone - facsimileTelephoneNumber
   profile_manager - manager
   profile_cellphone - mobile
   profile_office - physicalDeliveryOfficeName
   profile_status - extensionAttribute4
   profile_fn - givenName
   profile_ln - sn
   profile_company - company

Attribute visibility & access control

* Attributes: EMPTY
* PHP to filter attributes: EMPTY

Advanced configuration

This is a AD service account that has write access to the attributes linked above. We use the same SA Account as LDAP Auth.
You will provide the DN and Password
* DN for non-anonymous search: CN=accountname,OU=Service Accounts,DC=domain,DC=com

LDAP Sync:

This will sync the users as well as their attributes to drupal users/profile

LDAPsync settings

Filter: (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
Sync time interval: 1 hour

HELP:

ADSI Edit

We use this tool to get the DN and query
http://technet.microsoft.com/en-us/library/cc773354(WS.10).aspx

PHP LDAP Query

We use this man page to help build the LDAP Sync query string
http://www.php.net/manual/en/function.ldap-search.php

dgtlmoon’s picture

I just rewrote the tutorial/documentation here https://www.drupal.org/node/1302070 there is a small patch required #1917254: LDAP Authorization does not map ldap groups to drupal roles