Once the LDAP Integration module (also referred to as ldapauth module) is installed, it's time to enable the module and configure it.

Enable the module

  • Proceed to Administer >> Site building >> Modules
  • Enable the ldapauth module

Configure the module

  • Proceed to Administer >> Site Configuration >> LDAP >> Authentication

Settings

These are options that will be used with all LDAP servers.

  • Choose authentication mode:
    • Mixed Mode: When logging in, Drupal first looks up the user in its own database. If the id/password does not match, or the user is marked as an LDAP authenticated user, it then looks in LDAP.
    • LDAP Directory only: Selecting this option causes ONLY LDAP accounts to be authenticated and registered, except for the initial admin user (uid=1). Drupal's core administration relies on this user, so it is NEVER authenticated against any database other than the local Drupal database.
  • Choose user conflict resolve procedure: Decide what you want to happen if a user id exists in LDAP AND in the Drupal user database.
  • Security Options: Review these settings and set as desired.
    • Do not store users' passwords during sessions: If you are going to use the ldapdata module and allow users to modify their LDAP entries, this module will need to store the user password during the session, so that it can have write access to the LDAP directory.

      Physically, these passwords are stored in Drupal's session table in clear text. If the database is well protected this should not be a problem, but some admins may feel uneasy about it.

      If you are not going to use the ldapdata module, or you are, but only for read-only access, you can safely check this box and get extra security for your system.

  • LDAP UI Options: Review these settings and set as desired.

Add Server / Edit Server via List

You can add multiple LDAP Servers to use with the LDAP Authentication module. Server settings can be edited via the List tab once added.

Server settings

  • Name: Name of the LDAP Configuration. It must be unique
  • Machine Name: (Optional) After you enter a name, a "Machine Name" version is generated automatically. You can click on the edit link to change it as needed. It must be unique.
  • LDAP Server: Hostname of the LDAP server, e.g. ldap.example.com. For Active Directory, this is the hostname of an AD domain controller. If you have multiple domain controllers, common practice is to create a DNS round-robin entry covering all of them and use that entry (dc.example.com). To connect to a server with SSL, use the format ldaps://ldap.server.xxx/ for the server name and specify the correct SSL port below.
  • LDAP Port: Standard LDAP ports are 389 and 636. 389 is the standard non-secure port where communications occur in cleartext (analogous to HTTP port 80). 636 is the standard encrypted LDAP port (analogous to HTTP port 443).
  • Use TLS Encryption: Often required for Active Directory lookups. Select this option for encrypted communications. (TLS is the newer variation of SSL, so if your LDAP server requires "SSL", you must either check this box or use the ldaps:// server definition described above.)
  • Store passwords in encrypted form: This option is used by the optional ldapdata module, which allows passwords to be changed from within Drupal. Enabling it causes the ldapdata module to MD5-hash passwords before they are sent to LDAP. If your LDAP server natively hashes passwords itself, this could cause problems.
  • LDAP password encryption types: Defines how your LDAP server prefers to store passwords.

Login Procedure

  • Base DNs: In the text area below, enter the base DN(s) to search against when authenticating LDAP users, one per line. PHP's LDAP functions perform SUB-scope searches by design, so if all of your users are organized under several sub-containers beneath, say, cn=Users,dc=example,dc=com, you only need to enter that one base DN: cn=Users,dc=example,dc=com
    For OpenLDAP etc, an example would be ou=People,dc=example,dc=com
    For Active Directory, an example would be cn=Users,dc=example,dc=com
  • Username Attribute: The LDAP attribute in the user's object representing the username.
    For Active Directory, it is sAMAccountName and for most Unix LDAP environments, it is uid
  • Email Attribute: The LDAP attribute in the user's object representing the user's email address.
    For most LDAP environments, it is mail
  • Persistent and Unique User Id attribute: (Optional) The LDAP attribute in the user's object that will remain constant even if the user's name, id, and e-mail change (e.g. they get married).
    For most LDAP environments, this can be entryUUID. For AD, the objectGUID is a good choice. This can also be a site specific attribute like employeeNumber
  • PHP filters: (Optional) Advanced ways to change user information or selections. Beyond the scope of this page.

Advanced Configuration

The process of authentication starts by establishing an anonymous connection to the LDAP directory and looking for the user on it. Once this user is found, LDAP authentication is performed on them.

However, some LDAP configurations (especially common in Active Directory setups) restrict anonymous searches.

If your LDAP setup does not allow anonymous searches, or these are restricted in such a way that login names for users cannot be retrieved as a result of them, then you have to specify here a DN//password pair that will be used for these searches.

For security reasons, this pair should belong to an LDAP account with stripped-down permissions. Most LDAP and Active Directory servers do not allow anonymous binds.

  • DN for non-anonymous searches: Enter the BINDDN of the account used to bind to the LDAP directory, e.g. CN=drupalread,OU=Service Accounts,OU=People,DC=example,DC=com
  • Password for non-anonymous searches: Enter the BIND password. Note: This password is stored in cleartext in the Drupal database, so you must take steps to protect the database.
  • Clear current password and change DN: Once a DN and password have been entered and saved, this option can be used to change them.
  • Test: If a DN and password have been set and saved, this button verifies that they can be used to connect to the LDAP server.
    Note: If other settings are changed, e.g. port, they must be saved first prior to using the "Test" button.
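The bind-search-bind flow that the Login Procedure and Advanced Configuration sections describe, as an added example written against PHP's ext/ldap (this is not the module's own code). The host, base DNs, service-account password and login name are constructed placeholders, and ldap_escape() assumes PHP 5.6 or later; the example also shows the ldaps:// versus StartTLS distinction and searches several base DNs in order.

```php
<?php
// Added example, not the module's code: the bind-search-bind login flow the
// handbook describes, written against PHP's ext/ldap. Hostnames, DNs,
// credentials and the login name are constructed placeholders.
// Assumes PHP >= 5.6 for ldap_escape().

/**
 * Authenticate $username / $password the way the module does:
 *   1. connect (ldaps:// or plain 389 plus optional StartTLS), LDAPv3, no referrals
 *   2. bind with the low-privilege search account
 *   3. search each base DN in order (ext/ldap searches SUB scope by design)
 *   4. re-bind as the user's own DN with the supplied password
 * Returns array('dn' => ..., 'attributes' => ...) on success, FALSE otherwise.
 */
function ldap_login(array $server, $username, $password) {
  // An empty password turns ldap_bind() into an anonymous bind, which many
  // directories accept. Refuse it before touching the network.
  if ($username === '' || $password === '') {
    return FALSE;
  }

  $conn = ldap_connect($server['address'], $server['port']);
  if (!$conn) {
    return FALSE;
  }
  // AD refuses LDAPv2 binds and hands out referrals that break searches.
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

  // StartTLS upgrades a plaintext 389 connection. It must not be combined
  // with an ldaps:// URL, which is already encrypted when the socket opens.
  if ($server['tls'] && strpos($server['address'], 'ldaps://') !== 0) {
    if (!@ldap_start_tls($conn)) {
      ldap_unbind($conn);
      return FALSE;
    }
  }

  // Step 2: search bind with the restricted service account.
  if (!@ldap_bind($conn, $server['binddn'], $server['bindpw'])) {
    ldap_unbind($conn);
    return FALSE;
  }

  // Step 3: locate the user. The login name is escaped (RFC 4515) so it
  // cannot change the shape of the filter.
  $filter = sprintf('(%s=%s)', $server['user_attr'],
                    ldap_escape($username, '', LDAP_ESCAPE_FILTER));
  $wanted = array($server['user_attr'], $server['mail_attr'], $server['unique_attr']);
  $entry = NULL;
  foreach ($server['basedns'] as $basedn) {
    // Size limit 2: one hit is a match, two or more is ambiguous.
    $result = @ldap_search($conn, $basedn, $filter, $wanted, 0, 2);
    if ($result === FALSE) {
      continue;  // base DN missing or unreadable by the search account
    }
    $count = ldap_count_entries($conn, $result);
    if ($count > 1) {
      ldap_unbind($conn);
      return FALSE;  // never guess which of several accounts is meant
    }
    if ($count === 1) {
      $entry = ldap_first_entry($conn, $result);
      break;
    }
  }
  if ($entry === NULL) {
    ldap_unbind($conn);
    return FALSE;
  }
  $user_dn = ldap_get_dn($conn, $entry);
  $attrs = ldap_get_attributes($conn, $entry);

  // Step 4: the actual credential check, bound as the user's own DN.
  $ok = @ldap_bind($conn, $user_dn, $password);
  ldap_unbind($conn);
  return $ok ? array('dn' => $user_dn, 'attributes' => $attrs) : FALSE;
}

// Constructed configuration mirroring the handbook's form fields.
$server = array(
  'address'     => 'ldaps://dc.example.com',  // placeholder round-robin alias
  'port'        => 636,
  'tls'         => FALSE,  // StartTLS off: ldaps:// already encrypts
  'binddn'      => 'CN=drupalread,OU=Service Accounts,OU=People,DC=example,DC=com',
  'bindpw'      => 'placeholder-service-password',
  'basedns'     => array('CN=Users,DC=example,DC=com', 'OU=Staff,DC=example,DC=com'),
  'user_attr'   => 'sAMAccountName',
  'mail_attr'   => 'mail',
  'unique_attr' => 'objectGUID',
);
$result = ldap_login($server, 'jdoe', 'placeholder-user-password');
echo $result ? "bound as {$result['dn']}\n" : "login failed\n";
```

With a real directory the certificate presented on port 636 is still validated by the OpenLDAP client library according to ldap.conf, so a trusted CA bundle has to be configured there for the ldaps:// connection to succeed.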

Save the Configuration
Save the configuration and you will be redirected to the LDAP Integration configuration list page. You can have multiple LDAP servers configured and individually activate and deactivate them. Deactivating a configuration prevents it from being used by any of the LDAP modules.

List

This tab displays all the LDAP servers defined.

NOTE: The LDAP servers will be consulted in the order they are listed. The servers can be reordered here.

In addition, you can delete or export server settings from this tab.

Import Server

This tab can be used with server settings exported via the List tab to create LDAP server entries. This is useful if you are using the same settings across multiple servers.

Note that as of 6.x-1.0-beta3, ldap_integration also supports the Features module API. So an alternate way to quickly set up LDAP authentication is to use a Feature with the settings defined.

Comments

pswartz

I do have another question...
It seems that I have to list out the user's whole AD tree. For example I have to use, "CN=Joe M. Johnson, OU=Developers,OU=AP-Users,OU=BU ABCIS,DC=ABC,DC=com"

The way our AD is configured the only OU that is the same across all of the users is the "DC=ABC,DC=com"

Any help would be greatly appreciated,
Patrick

rmunsch

Some issues:

  • LDAP Port: Standard LDAP ports are 389 and 636. 389 is the standard non-secure port where communications occur in cleartext (analogous to HTTP Port 80). 636 is the standard encrypted LDAP port (analogous to HTTP Port 443).
    If you are using Active Directory, then you must select the encrypted port, 636.
  • Use TLS Encryption: Required for Active Directory. For encrypted communications, select this option. (TLS is the new name for SSL, so if your LDAP server requires "SSL", then you must check this box.)

This does not seem to be correct. I have an AD server; I have another app (Request-Tracker) authenticating against that AD server via TLS. That works fine.

  • If I set the port to 389 and do NOT check Start-TLS, the user authenticates, but login info is sent in the clear.
  • If I set the port to anything else, authentication fails completely.
  • If I check Start-TLS with port 389, authentication WORKS, but login info is NOT encrypted.
  • If I check Start-TLS with port 636 (or any other port), authentication fails completely.

This is a gamebreaker for me.

dogbertdp

This is what I had to do to get Drupal/LDAP/TLS working:

Procedure
1 - Create the following directory structure on the server: C:\openldap\sysconf (this path may be different depending on your setup)
2 - In that directory create a file named "ldap.conf"
3 - Edit ldap.conf and add the following directive:

TLS_REQCERT never

4 - Save ldap.conf and restart Apache HTTP server
5 - Then configure an LDAP server in Drupal as follows:

Name: (anything unique - I used the AD server name)
LDAP Server: ldaps://adhostname.domain.tld
LDAP Port: 636 (see below)
Use Start-TLS: unchecked
Store passwords in encrypted form: unchecked
Base DNs: dc=domain,dc=tld (you can be more specific if you wish--my accounts are everywhere, so I specified the domain without any OUs)
UserName attribute: sAMAccountName
Email attribute: mail
PHP to transform login name: (blank)
PHP to filter users based on their LDAP data: (blank)
DN for non-anonymous search: (either the DN or just the username of the service account you will use to bind--I prefer just the username)
Password for non-anonymous search: (the password)

Explanation
This works for me. I used a sniffer to confirm that it is using secure LDAP (636). The three pieces that took me a while to figure out were:
  • Start-TLS is completely different than AD secure LDAP and to my knowledge isn't supported by AD
  • The LDAP server should be prefixed with "ldaps://" and the port actually doesn't matter one bit, as the PHP function "ldap_connect()" ignores the port if "ldaps://" is specified (I changed it to 636 anyway to avoid confusion)
  • But the key change was creating C:\openldap\sysconf\ldap.conf. More on that below.

ldap.conf
The main issue with getting my configuration to work was that PHP (or OpenLDAP, I'm not sure which specifically) didn't trust my CA and by default it rejects certificates issued by CAs it doesn't trust. Adding the "TLS_REQCERT never" directive to the ldap.conf file told it to not worry about the certificate and carry on. Strictly speaking this lessens the security of the server and can make it susceptible to spoofing attacks. I'll leave it to you to decide whether to dig deeper into the ldap configuration as there appears to be a way to specify trusted CAs, but I have bigger issues to conquer at the moment.

Update: By the way, this secures the transmission of the password from the Drupal web server to the domain controller, but it does nothing for securing the password between the client and the Drupal web server. I'm going to work on that next.

I hope this helps,

Mike Hays

Anonymous

I decided to see if I could get LDAP Integration working on a fresh Drupal install (running on Debian and Apache) and a fresh 2003 Active Directory running in a VMware test environment (not a live production environment).

My instructions are as follows:

1. Base install of Debian with Apache, PHP, MySQL (make sure the PHP-LDAP library is installed).
2. Ensured DNS and network settings were correctly configured on the Linux box (very, very important).
3. Installed a clean install of Drupal.
4. Installed the ldap_integration module.
5. Configured the ldap_integration module (refer below).
6. Modified /etc/ldap/ldap.conf (refer below).
7. Selected LDAP directory only under the Choose authentication mode (Settings page).

LDAP INTEGRATION MODULE.

Name: myroom.local
LDAP server: ldaps://server.myroom.local
LDAP port: 636
Use Start-TLS: unticked
Store passwords: unticked

Base DNs: cn=Users, dc=myroom, dc=local
UserName attrib: sAMAccountName
Email attrib: mail

PHP to transform: left blank
PHP to filter: left blank

DN for non-anon: drupal@myroom.local
Password: password

/etc/ldap/ldap.conf

HOST server.myroom.local
TLS_REQCERT never

I wanted to be sure that this configuration was working and that data sent between Drupal and Active Directory was encrypted, so I installed and ran Wireshark on the Active Directory server.

The data was encrypted as was expected.

NOTE:

Data sent between Drupal and the AD Server is encrypted - data sent between the client's web browser and Drupal is NOT encrypted.

To avoid sending login information in plain text, you should look at configuring and using SSL (https) on your web server, particularly during logon.

NOTE:

I also managed to get "Use Start-TLS" working properly (no errors) but I would need to retrace my steps to find out exactly what it was that made it work (at one stage I exported the Certificate from Active Directory and enabled /etc/ldap/ldap.conf to use it but whether or not that was the kickstart it needed I don't know).

I'll leave that to another day when I feel like documenting the steps. :-)

So far, I'm quite impressed with LDAP Integration - it works an absolute treat.

chicagomom

Thanks for your documentation (and to Mike too) - these were also key for me in getting Drupal 6 running on Server 2008/IIS7. However, I don't like leaving TLS_REQCERT never there as it does not protect against man in the middle attacks. I understand that the AD certificate must be installed on the webserver to be able to do without that command.

Does anyone know where the certificate must be placed on a Windows box? And does anything need to be specified in php.ini in order to tell PHP where the certs are located?

mcdazz, is that what you did? Or did you ultimately leave TLS_REQCERT never in place?

rob.dux

It is important to note that by default Active Directory LDAP is not configured for LDAPS.

By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA according to the guidelines in this article.

http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

Appendix A: Configuring LDAP over SSL Requirements for AD LDS
http://technet.microsoft.com/en-us/library/cc725767%28WS.10%29.aspx

LDAP over SSL - Modifying Active Directory with PHP
http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl#install_cer...

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q295663

kratie

Hi Mike,

I am using Drupal 6 on IIS.
My LDAP authentication is working fine.

If I tried to check the Start-TLS check-box and tried to log in, it wouldn't allow me.
There are several web applications running on my server, so I won't be able to restart the server. Can you please suggest any other alternatives?
It would be of great help if you can guide me in the right direction.

regards,
kratie

windsurf

Hey, the above worked for me (for Active Directory). A couple things I wasn't sure about that I'll share:

LDAP Server: I too needed the protocol prefix, so it ended up looking like, ldaps://10.10.0.9. In my setup, my Drupal was hosted on my local box, and my AD server is at 10.10.0.9.

DN for non-anonymous search: I just put the username, not foo@domain.com, just the foo part. No other prefix like foo\\username either, just foo!

C:\openldap\sysconf\ldap.conf <-- That file goes on the server where the Drupal site is hosted. On OS X 10.6, the location of that file is:
/private/etc/openldap/ldap.conf

mickster917

My web server already has a ldap.conf file at etc/openldap/ldap.conf. It read "TLS-REQCERT allow" but I changed it to "TLS_REQCERT never". This did not change anything as far as not letting me authenticate using Active Directory with the "Start-TLS" checked.

Linux web server
Active Directory
Apache
PHP5

Errors I am getting are:
# warning: ldap_start_tls(): Unable to start TLS: Server is unavailable in /srv/www/htdocs/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 155.
# warning: ldap_errno(): supplied argument is not a valid ldap link resource in /srv/www/htdocs/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 168.
# warning: ldap_error(): supplied argument is not a valid ldap link resource in /srv/www/htdocs/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 168.

I am authenticating just fine when I don't check the "Start-TLS" box, but I am setting up an intranet site for a government office and want to protect the credentials as much as possible. I've been working on this for four days now. Someone please help!!!

Cornell Jake

Spent about two days getting it working. Yes yes, I didn't know anything about LDAP :-)

These are the credentials I have used:
For debugging and testing I used Wireshark and later the free LDAP Browser from LDAPSoft

And for searching the domain tree, at Logon procedure:
dc=domain,dc=local

UserName Attribute:
sAMAccountName

For binding at Advanced Configuration:
cn=Administrator,cn=Users,dc=domain,dc=local
And a password.

Hope that this is helpful for someone!

jetnet

For anyone who is banging their head against the wall with Active Directory BS, in the advanced configuration section, do not follow these directions... JUST PUT THE USERNAME AND PASSWORD. I was banging my head against the wall putting in CN this, DC that trying to get it to authenticate, and then finally just put the username and BINGO, it worked...GRRRR

malco23

That worked for me! Wow I thought I was going crazy. Thanks a bunch.

davidbessler

What did you put in for Base DNs under login procedure?

Also, are you logging in with username@domain.com or just username?

chicagomom

I have read a number of different configs for this when querying ActiveDirectory (username/password, username@domain.com, CN=username,DC=domain,DC=com). In my case I had to use the CN this and DC that under advanced configuration in order to get it to work properly with Drupal 6 on IIS7. With the Drupal 5 version of the module, querying the same AD server, I only had to use the username and password.

I also had to add an ldap.conf file to the web server with TLS_REQCERT never command, but would like to figure out how to get the appropriate AD certificate installed on the web server so this can be eliminated, as TLS_REQCERT never does not protect the process from man-in-the-middle attacks. If anyone has documentation on how to do that on a Windows box, please add a comment so it can be rolled into the documentation.

MFH

Although I have configured the option
"When logging in, Drupal will look up for the user in:
* Drupal's own database. If it fails, look in LDAP"
my website is behaving as if I had chosen "LDAP Directory only" :
Except for the admin account (uid=1), authentication does not work any more for non-LDAP accounts. If I create a "local" account (I uncheck "use LDAP..." in the "edit user" tab), the login is impossible ; the only way to connect is to use the "lost password" mechanism and to use the temporary login link sent by e-mail. Whether the user or the admin puts a (new) password, a normal login will never work.
Does anyone know this problem and its solution? Thanks in advance!

mikebrewer

Here is what I have set up:

server settings:

ldaps://(IP ADDRESS of server or server name)
LDAP Port: 636 (and I've attempted to use 389)

Login Procedure:

dc=(domain),dc=com
UserName: sAMAccountName
Email Attribute: mail

Advanced configuration:

DN for non-anonymous search: administrator

password is my password

I always get username/password not found. When running Wireshark on the DC, I'm seeing a bunch of checksum errors and a TLSv1 Alert (Level: Fatal, Description: Unknown CA).

I'm not sure what is going on with it, I've checked and tried about 100 different methods... anyone have any ideas?

dogbertdp

mikebrewer,
Do you follow the procedure I give above for creating an ldap.conf file? I think that will solve your issue.

Mike Hays

elmuchacho

ldap runs fine ...
both (users and groups) are in drupal after login ...
now I tested "Start TLS" by just activating the checkbox ...
saved config ...
clicked on "Test" ... auth successful ...
logged out ...
log in with ldap-user ... failed ...

so I unchecked the Start-TLS box and saved config ...
test: successful ...
logged out ...
log in with ldap user ... failed ...

LDAP-Auth not working anymore ...

any ideas, what is broken now ?

cwualex

Any luck? I am in the same position as elmuchacho.

redsatboy

I have the fckeditor enabled.

so when I entered ou=xxx,o=xxx in the Login procedure > Base DNs: ... I was really getting <p>ou=xxx,o=xxx</p> and no login.

went to the plain text editor added the same ... test ... save..

logged in fine..

kratie

Hi,

I have downloaded ldap_integration-6.x-1.x-dev.tar for my Drupal 6.
I have enabled the LDAP module .

I could not find -> Administer >> Site Configuration >> LDAP Integration

instead I have,

Administer >> Site Configuration >> Authentication (Configure LDAP authentication settings.) with options
1. Authentication mode
2. Security Option
3. LDAP UI options

I am a newbie, can someone throw some light on this issue.

scottatdrake

I had the same problem. I think the handbook needs to be updated. Look for "Add Server":

Administer >> Site Configuration >> LDAP >> Authentication >> Add Server

gwenbleyen

I'm using this module in combination with Active Directory

These are my settings, just follow these steps:

1. admin>site settings>LDAP

Server Settings
---------------
2. add server
3. Name: AD (Pick any name you want, but be sure it's unique)
4. LDAP server: IP or Hostname of the server
5. port: 389! (Am using Active Directory)
6. Use Start-TLS: UNCHECKED
7. Store passwords in encrypted form: UNCHECKED

Login Procedure
---------------
8. Base DNs: cn=Users, dc="yourdomain", dc="yourdomain" (Basically, this forms the "path" where your wanted users will be found. It may contain more DCs, depending on your DC settings)
9. UserName attribute: sAMAccountName
10. Email attribute: mail
11. PHP to transform login name: EMPTY
12. PHP to filter users based on their LDAP data: EMPTY

Advanced Configuration
------------------
13. DN for non-anonymous search: "username" (As far as I know, this user must have administrator rights, e.g. Administrator)
14. Password for non-anonymous search: "the user's password"

15. Save settings

That's about it.
At the moment I'm trying to figure out the Groups configuration.
When I got this section working I'll post my settings.

chicagomom

This configuration will work where non-SSL lookups are enabled, but is considered insecure as it sends the search user/pass information in cleartext. So, it would not be considered a best practice in a production environment.

ronho

Getting this error when attempting to log in:
Fatal error: Call to undefined function ldap_connect() in C:\xampp\htdocs\drupal\sites\all\modules\ldap_integration\includes\LDAPInterface.inc on line 132

Environment:
Windows Server 2003 with Drupal Core Version 6.17 installed using XAMPP (PHP, MySQL, Apache)
Active Directory 2008
ldap_integration-6.x-1.0-beta2.tar.gz Module installed
Server setting same as yours except unique names and IP addr,

I ran the Test button on server setup and it verified connection to server.

When I go to log in a user id, I got the error above. I looked at the LDAPInterface.inc and did not find the function ldap_connect().

Can you help? Or do you know who I can refer this to? This seems so straightforward, yet I can't get past this. Am I missing something?

Thanks

Ron

diego.B

Hi people!
I need to filter the access of my drupal only for a gidNumber LDAP
them I write in "PHP to filter users based on their LDAP data":

return $ldap['gidNumber']==1000;

but it don't work, what's the problem? Without this line the logging works fine but all LDAP users can log and I need that only the users with gidNumber=1000 log.

Help please! Thank you!

kapayne

I really appreciate the ldap integration suite but I have been going around and around trying to figure out how to let users register with their email address as their username. We are using openldap which has no problem writing an email address to the cn and I've set the drupal side to allow special characters (@ and .); from what I've seen the provisioning module restricts the username to be some combination of %f and %l - is there anyway around this?
thanks!

ronho

Getting this error when attempting to log in:
Fatal error: Call to undefined function ldap_connect() in C:\xampp\htdocs\drupal\sites\all\modules\ldap_integration\includes\LDAPInterface.inc on line 132

Environment:
Windows Server 2003 with Drupal Core Version 6.17 installed using XAMPP (PHP, MySQL, Apache)
Active Directory 2008
ldap_integration-6.x-1.0-beta2.tar.gz Module installed

Server settings:
Name: sfmclan
LDAP server: 10.38.6.29 (How should this be entered?)
port: 389
Use Start-TLS: UNCHECKED
Store passwords in encrypted form: UNCHECKED

Login Procedure
Base DNs: cn=Users,dc=sftc,dc=org
UserName attribute: sAMAccountName
Email attribute: mail
PHP to transform login name: EMPTY
PHP to filter users based on their LDAP data: EMPTY

Advanced Configuration
DN for non-anonymous search: cn_Administrator,cn=Users,dc=sftc,dc=org
Password for non-anonymous search: (password)

I ran the Test button on server setup and it verified connection to server.

Configuration Settings:
Authentication Mode is Mixed
Disallow login and log conflict is CHECKED
Do Not Store users' passwords during session is CHECKED
Remove password change fields from user edit form is CHECKED
Do Nothing is CHECKED for After Email on user edit form.

When I go to log in a user id, I got the error above. I looked at the LDAPInterface.inc and did not find the function ldap_connect().

Can anyone help? Or do you know who I can refer this to? This seems so straightforward, yet I can't get past this. Am I missing something?

Thanks

jmuth

Ron -

I have the EXACT same error too. If you find a fix, please post it here and I will do the same.

Regards -
Jim

EmersonWeb

I have LDAP auth up and working just fine AND have the users settings set to allow account creation only by Administrators. However if a user hits a restricted page or tries to access the admin and logs in using LDAP creds, the check passes and they get added into my users list with no roles.

Any way to disable that?

kokjoon

I have the same problem too. Take a look at Site Configuration -> LDAP -> Groups; it may help you by restricting which users belonging to a Group get created automatically and which don't. For me it doesn't help much, as I have no access to group creation or to adding/removing a user to a specific group/OU on the LDAP server.

Another way I found that might be of use (I would welcome feedback from the gurus). Before you proceed, I warn you it comes with no guarantee or warranty what so ever. You will need to have access to at least the user1 account or backend database (in the event you need to remove the snippet from admin/database).

  1. Go to your Site Configuration -> LDAP -> Authentication.
  2. Under the 'PHP to filter users based on their LDAP data:' section type in the following php snippet below.
    // Checks if user already in system and is active
    // If user doesn't exist return false and user won't be able to login
    // If user exist and active proceed to get the user's role and match with the allowed roles
    
    $account = user_load(array('name' => $name, 'status' => 1));
    if(!$account) return false;
    
    //Roles allowed to login via LDAP
    $arr_allowed_roles = array('Finance', 'HR', 'ITS');
    
    return count(array_intersect($arr_allowed_roles, array_values($account->roles))) ? true : false;
    
marascos

So, in hopes to save time for others here is what I found:

I followed the above instructions to configure the ldap auth but kept running into two issues:

1 - The "Test" button on the configuration page did nothing
2 - Attempting to authenticate with LDAP credentials returned an HTTP 500 server error

I solved both of these issues by installing php5-ldap (sudo apt-get install php5-ldap) on my server then restarting apache. This was on an Ubuntu LAMP server running PHP5 and Drupal 6.

Jean Gionet

I have multiple Active Directory servers configured with this module. Doing a TEST connection on either one from the Admin interface produces a "successful connection" message.

Now my question is: How can you specify which Active Directory you want to authenticate from on the Login Screen?

Let's say I have 2 people with the name "John Doh". 1 is on the "Finance" Active Directory server, the other on "Marketing" AD Server.
Since they are on separate domains/sites/location they can have the same username. (dohjo)
Active Servers:
Finance\dohjo
Marketing\dohjo

Is there a way a drop-down can show up so they can select which AD server to authenticate from? Or somehow allow them to enter "adservername\dohjo" in the login field?

thanks!

A Day In The Life

ww9rivers

It could be my ignorance, but it seems that the ldapauth module does not have a way to put a user into Drupal's user system. The problem is that, if I want to grant access permission to a user who is in the LDAP directory but has not yet logged in on the Drupal site, I can't.

So I have located the code in ldapauth.module, which I think could be pulled out and made into an ldapauth_add_user() function, which will take a $name, look the user up and save the result in Drupal using user_save() if the user is found in a directory.

Understanding that there is an LDAP API coming in Drupal 7, I think the LDAP Integration module will still be used for a while. I would like to do this if it is possible to submit a patch.

I would also like to know if there is a way to do what I would like to do.

Thanks and regards,
--
Wei

kokjoon

I wanted ldap to search based on a certain path only. Other paths should not be searched or authenticated via the ldap, as the drupal install is for a specific group of users (well, due to my restriction on the AD server). So I tried the following with 6.x-1.0-beta2 installed on my drupal. I tried configuring the Base DNs (the below is not my real DNs path)

Base DNs
OU=IT,OU=Staff,OU=Branch1,OU=MY,DC=example,DC=com
OU=IT,OU=Staff,OU=Branch2,OU=MY,DC=example,DC=com
OU=IT,OU=Staff,OU=Branch5,OU=UK,DC=example,DC=com

It turns out that only the last OU was validated successfully. For instance, if the user is located in the first DN entry (OU=IT,OU=Staff,OU=Branch1,OU=MY,DC=example,DC=com), even when proper authentication is provided, it will still return as fail. I wonder if this is a bug or I misunderstood the usage of multiple Base DNs.

After several attempts, I found a workaround. I created 3 separate ldap server entries with similar information except for the Base DNs. And the authentication worked like a charm, though not the best way I hoped to use it.

I hope anyone having similar situation or scenario will benefit from it.

broyhill

I have had the LDAP Authentication Module (Drupal 6.x) working against an AD server for a couple of years, no problem. (note: I use a DN//password pair with an LDAP account with stripped down permissions).

So... our sysadmin people just added a second AD server to our network for redundancy (or whatever). They wanted me to test to see if Drupal's LDAP would work with both servers. I added the server and configured it, and it passed the "Test" button. So when both AD servers are running, they both work fine. I can de-activate either one and it still works. However, if the first AD server fails (simulated by our sysadmin by simply disconnecting it), Drupal's LDAP does not find the second server. The only way I can make it work is to go in to the LDAP settings and deactivate the first server. According to documentation on http://drupal.org/node/118123, "the LDAP Servers will be consulted in the order they are listed. They are listed in the order they are created. Future releases will include an option to re-order them for authentication." This doesn't seem to be happening, and I'm not sure where to go from here. Searched the issue queue but did not find this one.

Not being a sysadmin myself, I don't know if our test is valid, but this is where I'm at with the process. Any enlightenment is welcome.

nisher

For those that don't like using the "TLS_REQCERT never" option, here's what I did:

I have multiple Active Directory servers and wanted to use a DNS alias to access them in a round robin fashion, so I used a SAN certificate. I issued the certificate using the server name of my first DC in the Common Name field (dc1.example.com) and listed the DNS alias (ldap.example.com) and the FQDNs of the other two DCs in the Subject Alternative field. I then reissued the SAN certificate for the other two DCs, changing the Common Name field to the FQDN of the DC that the certificate would be installed to each time.

I then added the entire certificate chain, the three server certificates, the intermediate certificates, and the Root certificate, into a pem file. I created C:\openldap\sysconf\ldap.conf and used the TLS_CACERT parameter to point to the .pem file. After restarting Apache, I could then configure the LDAP Authentication module to utilize LDAPS via my DNS alias.

I had to enter the ldap server as "ldaps://ldap.example.com" and specify port 636. TLS remained unchecked.

I hope this helps someone.

felixvang

I got part of it right. I tested it and it said Successfully bound to server, but how would I get it to prompt to verify the Active Directory username and password when I go to http://localhost? Anyone?

Here's my setting:

Server Properties

sid = dc1
name = dc1
status = 1
ldap_type = ad
address = 192.168.101.10
port = 389
tls = 0
bind_method = 1
basedn = Array
binddn = CN=Administrator,CN=Users,DC=horizon,DC=local
user_dn_expression =
user_attr = sAMAccountName
mail_attr = mail
mail_template =
unique_persistent_attr = dn
allow_conflicting_drupal_accts = 0
ldap_to_drupal_user =
testing_drupal_username =

l_langill

Is there a way to set the LDAP_OPT_PROTOCOL_VERSION? I need to set it to version 3.