Once the LDAP Integration module (also referred to as ldapauth module) is installed, it's time to enable the module and configure it.
Enable the module
- Proceed to Administer >> Site building >> Modules
- Enable the ldapauth module
Configure the module
- Proceed to Administer >> Site Configuration >> LDAP >> Authentication
Settings
These are options that will be used with all LDAP servers.
- Choose authentication mode:
- Mixed Mode: When logging in, Drupal first looks the user up in its own database. If the ID/password does not match, or the user is marked as an LDAP-authenticated user, it then tries LDAP.
- LDAP Directory only: Selecting this option will cause ONLY LDAP accounts to be authenticated and registered, except for the initial admin user (the user with uid=1). Drupal's core administration relies on this user, so it is NEVER authenticated against anything other than the local Drupal database.
- Choose user conflict resolve procedure: Decide what you want to happen if a user id exists in LDAP AND in the Drupal user database.
- Security Options: Review these settings and set as desired.
- Do not store users' passwords during sessions: If you are going to use the ldapdata module and allow users to modify their LDAP entries, that module needs to keep the user's password for the duration of the session so that it can bind to the LDAP directory with write access.
Physically, these passwords are stored in Drupal's session table in clear text. If the database is well protected this may be acceptable, but some admins will (rightly) feel uneasy about it: anyone who can read the sessions table, or a backup of it, obtains directory passwords.
If you are not going to use the ldapdata module, or you use it only for read-only access, you can safely check this box and gain extra security for your system.
- LDAP UI Options: Review these settings and set as desired.
Add Server / Edit Server via List
You can add multiple LDAP Servers to use with the LDAP Authentication module. Server settings can be edited via the List tab once added.
Server settings
- Name: Name of the LDAP Configuration. It must be unique
- Machine Name: (Optional) After you enter a name, a "Machine Name" version will have been created. You can click on the edit link to change this as needed. It must be unique
- LDAP Server: Hostname of the LDAP server, e.g. ldap.example.com. For Active Directory this is the hostname of a domain controller. If you have multiple domain controllers, common practice is to create a DNS round-robin entry covering all of them and use that name (e.g. dc.example.com); the certificate presented by each controller must then cover that alias. To connect with LDAP over SSL, use the format ldaps://ldap.server.xxx/ for the server name and specify the correct SSL port below.
- LDAP Port: The standard LDAP ports are 389 and 636. 389 is the cleartext port (analogous to HTTP port 80); traffic on it is only protected if StartTLS is negotiated (see Use TLS Encryption below). 636 is the LDAPS port, on which TLS is set up before any LDAP traffic is sent (analogous to HTTPS port 443).
- Use TLS Encryption (labelled Use Start-TLS in some releases): Enables StartTLS, which opens the connection in cleartext on the plain port (normally 389) and upgrades it to TLS before any bind or search is sent. This is a different mechanism from LDAPS: if you connect with ldaps:// on 636, leave this box unchecked, since StartTLS cannot be negotiated on a socket that is already speaking TLS. Active Directory often requires an encrypted channel (it always does for password changes). With either mechanism the web server's LDAP client library must trust the directory server's certificate, otherwise the handshake fails; see the ldap.conf notes in the comments below.
- Store passwords in encrypted form: Used by the optional ldapdata module, which allows passwords to be changed from Drupal. With this option the ldapdata module hashes the password with MD5 before sending it to LDAP. If your LDAP server hashes passwords itself, the stored value becomes a hash of a hash and those users can no longer log in, so leave it unchecked in that case.
- LDAP password encryption types: The hashing scheme your LDAP server expects for stored passwords.
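The client-side trust settings that decide whether the TLS handshake above succeeds live in libldap's ldap.conf, not in Drupal: PHP's LDAP extension is built on the OpenLDAP client library and reads that file. What follows is an added example, not part of the module or its documentation; the file locations and the CA bundle path are assumptions. The commented-out line is the shortcut several comments below settle on, and it turns certificate verification off entirely; the two directives after it are the form to keep in production.

```text
# OpenLDAP client configuration read by PHP's ext/ldap (via libldap).
# Typical locations (assumed; check your build): /etc/ldap/ldap.conf on
# Debian/Ubuntu, /etc/openldap/ldap.conf on RHEL and macOS,
# C:\openldap\sysconf\ldap.conf for the Windows PHP builds.

# Weak: accepts any certificate, including one presented by a host
# impersonating the domain controller. Remove this line once the CA is trusted.
# TLS_REQCERT never

# Hardened: trust only the issuing chain of the directory server's certificate
# (root plus intermediates, PEM format; the path is an assumption) and refuse
# to continue if the chain or the hostname does not verify.
TLS_CACERT /etc/ssl/certs/corp-ldap-ca-chain.pem
# "demand" is also libldap's default when the directive is absent.
TLS_REQCERT demand
```

Apache (or the PHP-FPM pool) must be restarted for libldap to re-read the file, as the comments note. The same file is used by the OpenLDAP command-line tools, so running ldapsearch from the web server against the same ldaps:// host is a quick way to confirm the trust chain before touching Drupal. With TLS_REQCERT demand the name you enter as LDAP Server must appear in the certificate's subject or subject alternative names, which is why the round-robin alias approach described in the comments needs a SAN certificate. A TLS alert of "Unknown CA" seen on the domain controller, also reported in the comments, is the web server correctly refusing a certificate it cannot verify; the fix is to supply the CA bundle, not to disable the check.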
Login Procedure
- Base DNs: In the text area, enter the base DN(s) to search when authenticating LDAP users. You can enter multiple DNs, one per line. PHP's ldap_search() performs subtree-scope searches, so if all of your users are organised in several sub-containers under, for example, cn=Users,dc=example,dc=com, a single base DN of cn=Users,dc=example,dc=com is enough. The base DN also bounds who can log in: a base of dc=example,dc=com admits every account in the domain, so narrow it (or use the PHP filter below) when only some containers should have access.
For OpenLDAP and similar, an example would be ou=People,dc=example,dc=com
For Active Directory, an example would be cn=Users,dc=example,dc=com
- Username Attribute: The LDAP attribute in the user's object representing the username. For Active Directory it is sAMAccountName; for most Unix LDAP environments it is uid.
- Email Attribute: The LDAP attribute in the user's object representing the user's email address. For most LDAP environments it is mail.
- Persistent and Unique User Id attribute: (Optional) The LDAP attribute in the user's object that will remain constant even if the user's name, id and e-mail change (e.g. they get married). For most LDAP environments this can be entryUUID; for AD, objectGUID is a good choice. It can also be a site-specific attribute like employeeNumber.
- PHP filters: (Optional) Advanced ways to change user information or selections. Beyond the scope of this page.
Advanced Configuration
The authentication process starts by connecting to the LDAP directory (anonymously, unless a search account is configured below) and searching for the user's entry under the Base DNs. Once the entry is found, the module binds to the directory as that entry's DN with the password the user supplied; only this second bind proves the password.
However, some LDAP configurations (Active Directory in particular) restrict anonymous searches.
If your LDAP setup does not allow anonymous searches, or restricts them in such a way that users' login names cannot be retrieved, then you have to specify here a DN/password pair that will be used for these searches.
For security reasons, this pair should belong to an LDAP account with stripped-down, read-only permissions: it only ever needs to search for users, and its credentials are stored on the web server. Most LDAP servers and Active Directory do not allow anonymous searches by default.
- DN for non-anonymous searches: Enter the bind DN of the account used to bind to the LDAP directory, e.g.
CN=drupalread,OU=Service Accounts,OU=People,DC=example,DC=com
- Password for non-anonymous searches: Enter the bind password. Note: this password is stored in cleartext in the Drupal database, so you must take steps to protect the database and its backups; this is a further reason to give the account read-only rights.
- Clear current password and change DN: Once a DN and password have been entered and saved, this option can be used to change them.
- Test: If a DN and password have been set and saved, this button will verify that they can be used to connect and bind to the LDAP server.
Note: If other settings are changed, e.g. the port, they must be saved first prior to using the "Test" button.
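The search-then-bind sequence above, written out as an added example against PHP's own LDAP extension. These are the ext/ldap functions the module itself builds on, but this is not the module's code. It also shows two points that come up in the comments: multiple Base DNs are tried in turn, and LDAP protocol version 3 is set explicitly. The host name, the service-account DN, the base DNs and the environment variables holding passwords are assumptions.

```php
<?php
// Added example: search-then-bind login against PHP's ext/ldap.
// Not the ldap_integration module's code. Server name, service-account DN,
// base DNs and the environment variables used for passwords are assumptions.
// Requires PHP >= 5.6 for ldap_escape().

/**
 * Authenticate $username/$password the way the login procedure above
 * describes: (1) bind with the search account, (2) look the user up under
 * each base DN in turn, (3) re-bind as the entry found, with the user's
 * password. Returns the user's DN on success, null on any failure.
 */
function ldap_search_then_bind(array $cfg, $username, $password)
{
    // An empty password must be rejected here: LDAP servers (AD included)
    // treat a bind with a DN and an empty password as anonymous and report
    // success (RFC 4513 s5.1.2), which would log anyone in as that user.
    if ($username === '' || $password === '') {
        return null;
    }

    // With an ldap:// or ldaps:// URI, ldap_connect() ignores the port
    // argument; the port must then be part of the URI.
    $ds = ldap_connect($cfg['uri']);
    if ($ds === false) {
        return null;
    }
    // LDAPv3 is required by Active Directory and by StartTLS.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers some searches with referrals; chasing them with the wrong
    // credentials makes lookups fail, so do not follow them.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // "Use TLS Encryption" is StartTLS on the cleartext port. It must not be
    // combined with an ldaps:// URI, which has already negotiated TLS.
    if ($cfg['starttls'] && strpos($cfg['uri'], 'ldaps://') !== 0) {
        if (!@ldap_start_tls($ds)) {
            ldap_unbind($ds);   // never fall back to sending the password in clear
            return null;
        }
    }

    // Step 1: bind as the read-only search account (anonymously if none is set).
    $bound = ($cfg['binddn'] === '')
        ? @ldap_bind($ds)
        : @ldap_bind($ds, $cfg['binddn'], $cfg['bindpw']);
    if (!$bound) {
        ldap_unbind($ds);
        return null;
    }

    // Step 2: find the user's DN. Escape the login name so input such as
    // "*" or "x)(objectClass=*" cannot widen the search filter.
    $filter = sprintf('(%s=%s)', $cfg['user_attr'],
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $user_dn = null;
    foreach ($cfg['basedns'] as $basedn) {        // each configured Base DN, in order
        $sr = @ldap_search($ds, $basedn, $filter, array($cfg['mail_attr']));
        if ($sr === false) {
            continue;   // base DN missing or unreadable for this account; try the next
        }
        $entries = ldap_get_entries($ds, $sr);
        if ($entries['count'] === 1) {
            $user_dn = $entries[0]['dn'];
            break;
        }
        // 0 hits: not under this base. More than 1: ambiguous, so refuse.
    }
    if ($user_dn === null) {
        ldap_unbind($ds);
        return null;
    }

    // Step 3: bind as the user. This bind, not the search, verifies the password.
    $ok = @ldap_bind($ds, $user_dn, $password);
    ldap_unbind($ds);
    return $ok ? $user_dn : null;
}

// Hypothetical settings mirroring the form fields above.
$cfg = array(
    'uri'       => 'ldaps://ldap.example.com:636',   // or 'ldap://ldap.example.com:389' with starttls
    'starttls'  => false,
    'binddn'    => 'CN=drupalread,OU=Service Accounts,OU=People,DC=example,DC=com',
    'bindpw'    => (string) getenv('LDAP_BIND_PW'),
    'basedns'   => array('OU=Staff,DC=example,DC=com', 'OU=Contractors,DC=example,DC=com'),
    'user_attr' => 'sAMAccountName',
    'mail_attr' => 'mail',
);
$dn = ldap_search_then_bind($cfg, 'jdoe', (string) getenv('LDAP_TEST_PW'));
echo $dn === null ? "login failed\n" : "authenticated as $dn\n";
```

Several commenters below report that entering just the account name, rather than a full DN, works for the search account against Active Directory; that is because AD accepts a bare sAMAccountName or user@domain as the bind name in a simple bind, so the example passes whatever is configured straight to ldap_bind(). Whichever form is used, the account should be read-only, since its password is held in the Drupal database. The filter escaping in step 2 is the part most hand-rolled versions omit: without it a login name containing LDAP filter metacharacters can match a different entry than the one typed.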
Save the Configuration
Save the configuration and you will be redirected to the LDAP Integration configuration list page. You can have multiple LDAP servers configured and individually activate and deactivate them. Deactivating a config will prevent it from being used by any of the LDAP modules.
List
This tab will display all the LDAP servers defined.
NOTE: The LDAP servers will be consulted in the order they are listed. The servers can be reordered here.
In addition, you can delete or export server settings from this tab.
Import Server
This tab can be used with server settings exported via the list tab to create LDAP server entries. This is useful if you are using the same setting across multiple servers.
Note that as of 6.x-1.0-beta3, ldap_integration also supports the Features module API. So an alternate way to quickly set up LDAP authentication is to use a Feature with the settings defined.
Comments
Base DNs
I do have another question...
It seems that I have to list out the users whole AD tree. For example I have to use, "CN=Joe M. Johnson, OU=Developers,OU=AP-Users,OU=BU ABCIS,DC=ABC,DC=com"
The way our AD is configured the only OU that is the same across all of the users is the "DC=ABC,DC=com"
Any help would be greatly appreciated,
Patrick
TLS issues
Some issues:
This does not seem to be correct. I have an AD server; I have another app (Request-Tracker) authenticating against that AD server via TLS. That works fine.
If I set the port to 389 and do NOT check Start-TLS, the user authenticates, but login info is sent in the clear. If I set the port to anything else, authentication fails completely.
If I check Start-TLS with port 389, authentication WORKS, but login info is NOT encrypted.
If I check Start-TLS with port 636 (or any other port), authentication fails completely.
This is a gamebreaker for me.
TLS and AD working
This is what I had to do to get Drupal/LDAP/TLS working:
Procedure
1 - Create the following directory structure on the server: C:\openldap\sysconf (this path may be different depending on your setup)
2 - In that directory create a file named "ldap.conf"
3 - Edit ldap.conf and add the following directive:
TLS_REQCERT never
4 - Save ldap.conf and restart Apache HTTP server
5 - Then configured an LDAP server in Drupal as follows:
Name: (anything unique - I used the AD server name)
LDAP Server: ldaps://adhostname.domain.tld
LDAP Port: 636 (see below)
Use Start-TLS: unchecked
Store passwords in encrypted form: unchecked
Base DNs: dc=domain,dc=tld (you can be more specific if you wish--my accounts are everywhere, so I specified the domain without any OUs)
UserName attribute: sAMAccountName
Email attribute: mail
PHP to transform login name: (blank)
PHP to filter users based on their LDAP data: (blank)
DN for non-anonymous search: (either the DN or just the username of the service account you will use to bind--I prefer just the username)
Password for non-anonymous search: (the password)
Explanation
This works for me. I used a sniffer to confirm that it is using secure LDAP (636). The three pieces that took me a while to figure out were:
*Start-TLS is completely different than AD secure LDAP and to my knowledge isn't supported by AD
*The LDAP server should be prefixed with "ldaps://" and the port actually doesn't matter one bit as the PHP function "ldap_connect()" ignores the port if "ldaps://" is specified (I changed it to 636 anyway to avoid confusion)
*But the key change was creating C:\openldap\sysconf\ldap.conf. More on that below.
ldap.conf
The main issue with getting my configuration to work was that PHP (or OpenLDAP, I'm not sure which specifically) didn't trust my CA and by default it rejects certificates issued by CAs it doesn't trust. Adding the "TLS_REQCERT never" directive to the ldap.conf file told it to not worry about the certificate and carry on. Strictly speaking this lessens the security of the server and can make it susceptible to spoofing attacks. I'll leave it to you to decide whether to dig deeper into the ldap configuration as there appears to be a way to specify trusted CAs, but I have bigger issues to conquer at the moment.
Update: By the way, this secures the transmission of the password from the Drupal web server to the domain controller, but it does nothing for securing the password between the client and the Drupal web server. I'm going to work on that next.
I hope this helps,
Mike Hays
Mike's instructions were pretty much spot on.
I decided to see if I could get LDAP Integration working on a fresh Drupal install (running on Debian and Apache) and a fresh 2003 Active Directory running in a VMware test environment (not a live production environment).
My instructions are as follows:
1. Base install of Debian with Apache, PHP, MySQL (make sure the PHP-LDAP library is installed).
2. Ensured DNS and network settings were correctly configured on the Linux box (very, very important).
3. Installed a clean install of Drupal.
4. Installed the ldap_integration module.
5. Configured the ldap_integration module (refer below).
6. Modified /etc/ldap/ldap.conf (refer below).
7. Selected LDAP directory only under the Choose authentication mode (Settings page).
LDAP INTEGRATION MODULE.
Name: myroom.local
LDAP server: ldaps://server.myroom.local
LDAP port: 636
Use Start-TLS: unticked
Store passwords: unticked
Base DNs: cn=Users, dc=myroom, dc=local
UserName attrib: sAMAccountName
Email attrib: mail
PHP to transform: left blank
PHP to filter: left blank
DN for non-anon: drupal@myroom.local
Password: password
/etc/ldap/ldap.conf
HOST server.myroom.local
TLS_REQCERT never
I wanted to be sure that this configuration was working and that data sent between Drupal and Active Directory was encrypted, so I installed and ran Wireshark on the Active Directory server.
The data was encrypted as was expected.
NOTE:
Data sent between Drupal and the AD Server is encrypted - data sent between the clients web browser and Drupal is NOT encrypted.
To avoid sending login information in plain text, you should look at configuring and using SSL (https) on your web server, particularly during logon.
NOTE:
I also managed to get "Use Start-TLS" working properly (no errors) but I would need to retrace my steps to find out exactly what it was that made it work (at one stage I exported the Certificate from Active Directory and enabled /etc/ldap/ldap.conf to use it but whether or not that was the kickstart it needed I don't know).
I'll leave that to another day when I feel like documenting the steps. :-)
So far, I'm quite impressed with LDAP Integration - it works an absolute treat.
do you feel like it yet?
Thanks for your documentation (and to Mike too) - these were also key for me in getting Drupal 6 running on Server 2008/IIS7. However, I don't like leaving TLS_REQCERT never there as it does not protect against man in the middle attacks. I understand that the AD certificate must be installed on the webserver to be able to do without that command.
Does anyone know where the certificate must be placed on a Windows box? And does anything need to be specified in php.ini in order to tell PhP where the certs are located?
mcdazz, is that what you did? Or did you ultimately leave TLS_REQCERT never in place?
Active Directory LDAP over SSL (ldaps)
It is important to note that by default Active Directory LDAP is not configured for LDAPS.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
Appendix A: Configuring LDAP over SSL Requirements for AD LDS
http://technet.microsoft.com/en-us/library/cc725767%28WS.10%29.aspx
LDAP over SSL - Modifying Active Directory with PHP
http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl#install_cer...
How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q295663
Help in enabling TLS
Hi Mike,
I am using Drupal 6 on IIS.
My LDAP authentication is working fine.
If I try to check the Start-TLS check-box and try to log in, it won't allow me.
There are several web applications running on my server, so I won't be able to restart the server. Can you please suggest any other alternatives?
It would be of great help if you can guide me in the right direction.
regards,
kratie
Worked for me
Hey, the above worked for me (for Active Directory). A couple things I wasn't sure about that I'll share:
LDAP Server: I too needed the protocol prefix, so it ended up looking like, ldaps://10.10.0.9. In my setup, my Drupal was hosted on my local box, and my AD server is at 10.10.0.9.
DN for non-anonymous search: I just put the username, not foo@domain.com, just the foo part. No other prefix like foo\\username either, just foo!
C:\openldap\sysconf\ldap.conf <-- That file goes on the server where the Drupal site is hosted. On OS X 10.6, the location of that file is:
/private/etc/openldap/ldap.conf
ldap.conf already there
My web server already has a ldap.conf file at etc/openldap/ldap.conf. It read "TLS-REQCERT allow" but I changed it to "TLS_REQCERT never". This did not change anything as far as not letting me authenticate using Active Directory with the "Start-TLS" checked.
Linux web server
Active Directory
Apache
PHP5
Errors I am getting are:
# warning: ldap_start_tls(): Unable to start TLS: Server is unavailable in /srv/www/htdocs/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 155.
# warning: ldap_errno(): supplied argument is not a valid ldap link resource in /srv/www/htdocs/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 168.
# warning: ldap_error(): supplied argument is not a valid ldap link resource in /srv/www/htdocs/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 168.
I am authenticating just fine when I don't check the "Start-TLS" box, but I am setting up an intranet site for a government office and want to protect the credentials as much as possible. I've been working on this for four days now. Someone please help!!!
After many problems I got it working on Server 2008 (non-TLS)
Spending about two days to get it working. Yes yes, I didn't know anything about LDAP :-)
These are the credentials that I have used:
For debugging and testing I used Wireshark and later the free LDAP Browser from LDAPSoft
And for searching the domain tree, at Logon procedure:
dc=domain,dc=local
UserName Attribute:
sAMAccountName
For binding at Advanced Configuration:
cn=Administrator,cn=Users,dc=domain,dc=local
And a password.
Hope that this is helpful for someone!
Active Directory
For anyone who is banging their head against the wall with Active Directory BS, in the advanced configuration section, do not follow these directions... JUST PUT THE USERNAME AND PASSWORD. I was banging my head against the wall putting in CN this, DC that trying to get it to authenticate, and then finally just put the username and BINGO, it worked...GRRRR
thanks JetNet
That worked for me! Wow I thought I was going crazy. Thanks a bunch.
What did you put in for Base
What did you put in for Base DNs under login procedure?
Also, are you logging in with username@domain.com or just username?
your mileage may vary
I have read a number of different configs for this when querying ActiveDirectory (username/password, username@domain.com, CN=username,DC=domain,DC=com). In my case I had to use the CN this and DC that under advanced configuration in order to get it to work properly with Drupal 6 on IIS7. With the Drupal 5 version of the module, querying the same AD server, I only had to use the username and password.
I also had to add an ldap.conf file to the web server with TLS_REQCERT never command, but would like to figure out how to get the appropriate AD certificate installed on the web server so this can be eliminated, as TLS_REQCERT never does not protect the process from man-in-the-middle attacks. If anyone has documentation on how to do that on a Windows box, please add a comment so it can be rolled into the documentation.
"Drupal's own database" does not work when LDAP is active
Although I have configured the option
"When logging in, Drupal will look up for the user in:
* Drupal's own database. If it fails, look in LDAP"
my website is behaving as if I had chosen "LDAP Directory only" :
Except for the admin account (uid=1), authentication does not work any more for non-LDAP accounts. If I create a "local" account (I uncheck "use LDAP..." in the "edit user" tab), login is impossible; the only way to connect is to use the "lost password" mechanism and the temporary login link sent by e-mail. Whether the user or the admin sets a (new) password, a normal login will never work.
Does anyone know this problem and it's solution? Thanks in advance!
LDAP not seeming to work
Here is what I have set up:
server settings:
ldaps://(IP ADDRESS of server or server name)
LDAP Port: 636 (and I've attempted to use 389)
Login Procedure:
dc=(domain),dc=com
UserName: sAMAccountName
Email Attribute: mail
Advanced configuration:
DN for non-anonymous search: administrator
password is my password
I always get "username/password not found". When running Wireshark on the DC, I'm seeing a bunch of checksum errors and a TLSv1 Alert (Level: Fatal, Description: Unknown CA).
I'm not sure what is going on with it, I've checked and tried about 100 different methods... anyone have any ideas?
ldap.conf file
mikebrewer,
Do you follow the procedure I give above for creating an ldap.conf file? I think that will solve your issue.
Mike Hays
ldap auth fails after check Start TLS
ldap runs fine ...
both (users and groups) are in drupal after login ...
now i tested "Start TLS" by just activating the checkbox ...
saved config ...
clicked on "Test" ... auth successful ...
logged out ...
log in with ldap-user ... failed ...
so i unchecked the Start-TLS box and saved config ...
test : successfull ...
logged out ...
log in with ldap user ... failed ...
LDAP-Auth not working anymore ...
any ideas, what is broken now ?
Any luck? I am in the same
Any luck? I am in the same position as elmuchacho.
html tag in the Login procedure
I have the fckeditor enabled.
so when I entered ou=xxx,o=xxx in the Login procedure > Base DNs: ... I was really getting
<p>ou=xxx,o=xxx</p>
and no login. Went to the plain text editor, added the same ... test ... save ...
logged in fine..
cannot find option " LDAP Integration "
Hi,
I have downloaded ldap_integration-6.x-1.x-dev.tar for my Drupal 6.
I have enabled the LDAP module .
I could not find -> Administer >> Site Configuration >> LDAP Integration
instead I have,
Administer >> Site Configuration >> Authentication (Configure LDAP authentication settings.) with options
1. Authentication mode
2. Security Option
3. LDAP UI options
I am a newbie, can someone throw some light on this issue.
I had the same problem. I
I had the same problem. I think the handbook needs to be updated. Look for "Add Server":
Administer >> Site Configuration >> LDAP >> Authentication >> Add Server
My way (it worked for me)
I'm using this module in combination with Active Directory
These are my settings, just follow these steps:
1. admin>site settings>LDAP
Server Settings
---------------
2. add server
3. Name: AD (Pick any name you want, but be sure it's unique)
4. LDAP server: IP or Hostname of the server
5. port: 389! (Am using Active Directory)
6. Use Start-TLS: UNCHECKED
7. Store passwords in encrypted form: UNCHECKED
Login Procedure
---------------
8. Base DNs: cn=Users, dc="yourdomain", dc="yourdomain" (Basically, this forms the "path" where your wanted users will be found. It may contain more DCs, depending on your DC settings)
9. UserName attribute: sAMAccountName
10. Email attribute: mail
11. PHP to transform login name: EMPTY
12. PHP to filter users based on their LDAP data: EMPTY
Advanced Configuration
------------------
13. DN for non-anonymous search: "username" (As far as I know, this user must have administrator rights, e.g. Administrator)
14. Password for non-anonymous search: "the user's password"
15. Save settings
Thats about it.
At the moment I'm trying to figure out the Groups configuration.
When I got this section working I'll post my settings.
works, but insecure
This configuration will work where non-SSL lookups are enabled, but is considered insecure as it sends the search user/pass information in cleartext. So, it would not be considered a best practice in a production environment.
LDAP Integration error
Getting this error when attempting to log in:
Fatal error: Call to undefined function ldap_connect() in C:\xampp\htdocs\drupal\sites\all\modules\ldap_integration\includes\LDAPInterface.inc on line 132
Environment:
Windows Server 2003 with Drupal Core Version 6.17 installed using XAMP (PHP, MySQL, Apache)
Active Directory 2008
ldap_integration-6.x-1.0-beta2.tar.gz Module installed
Server setting same as yours except unique names and IP addr,
I ran the Test button on server setup and it verified connection to server.
When I go to log in a user id, I get the error above. I looked at the LDAPInterface.inc and did not find the function ldap_connect().
Can you help? or do you know who I can refer this too? This seems so straight forward, yet I can't get pass this.. Am I missing something?
Thanks
Ron
filter gidNumber
Hi people!
I need to filter access to my Drupal to a single LDAP gidNumber only.
So I wrote in "PHP to filter users based on their LDAP data":
return $ldap['gidNumber']==1000;
but it doesn't work. What's the problem? Without this line the login works fine, but all LDAP users can log in, and I need only the users with gidNumber=1000 to be able to log in.
Help please! Thank you!
create user account with email as username
I really appreciate the ldap integration suite but I have been going around and around trying to figure out how to let users register with their email address as their username. We are using openldap which has no problem writing an email address to the cn and I've set the drupal side to allow special characters (@ and .); from what I've seen the provisioning module restricts the username to be some combination of %f and %l - is there anyway around this?
thanks!
Error LDAP Integration - HELP HELP
Getting this error when attempting to log in:
Fatal error: Call to undefined function ldap_connect() in C:\xampp\htdocs\drupal\sites\all\modules\ldap_integration\includes\LDAPInterface.inc on line 132
Environment:
Windows Server 2003 with Drupal Core Version 6.17 installed using XAMP (PHP, MySQL, Apache)
Active Directory 2008
ldap_integration-6.x-1.0-beta2.tar.gz Module installed
Server settings:
Name: sfmclan
LDAP server: 10.38.6.29 (How should this be entered?)
port: 389
Use Start-TLS: UNCHECKED
Store passwords in encrypted form: UNCHECKED
Login Procedure
Base DNs: cn=Users,dc=sftc,dc=org
UserName attribute: sAMAccountName
Email attribute: mail
PHP to transform login name: EMPTY
PHP to filter users based on their LDAP data: EMPTY
Advanced Configuration
DN for non-anonymous search: cn_Administrator,cn=Users,dc=sftc,dc=org
Password for non-anonymous search: (password)
I ran the Test button on server setup and it verified connection to server.
Configuration Settings:
Authentication Mode is Mixed
Disallow loginand log conflict is CHECKED
Do Not Store users' passwords during session is CHECKED
Remove password change fields from user edit form is CHECKED
Do Nothing is CHECKED for After Email on user edit form.
When I go to log a user id, I got the error above. I looked at the LDAPinterface.inc and did not find the function ldap_connect().
Can anyone help? or do you know who I can refer this too? This seems so straight forward, yet I can't get pass this.. Am I missing something?
Thanks
Ron - I have the EXACT same
Ron -
I have the EXACT same error too. If you find a fix, please post it here and I will do the same.
Regards -
Jim
Disallow Registration?
I have LDAP auth up and working just fine AND have the users settings set to allow account creation only by Administrators. However if a user hits a restricted page or tries to access the admin and logs in using LDAP creds, the check passes and they get added into my users list with no roles.
Any way to disable that?
Same here.
I have the same problem too. Take a look at Site Configuration -> LDAP -> Groups; it may help you by restricting which users, based on group membership, get created automatically and which don't. For me it doesn't help much, as I have no access to group creation or to adding/removing a user to a specific group/OU on the LDAP server.
Another way I found that might be of use (I would welcome feedback from the gurus). Before you proceed, I warn you it comes with no guarantee or warranty what so ever. You will need to have access to at least the user1 account or backend database (in the event you need to remove the snippet from admin/database).
http 500 error and non-functional test button solved
So, in hopes to save time for others here is what I found:
I followed the above instructions to configure the ldap auth but kept running into two issues:
1 - The "Test" button on the configuration page did nothing
2 - Attempting to authenticate with LDAP credentials returned an HTTP 500 server error
I solved both of these issues by installing php5-ldap (sudo apt-get install php5-ldap) on my server then restarting apache. This was on an Ubuntu LAMP server running PHP5 and Drupal 6.
multiple AD servers
I have multiple Active Directory servers configured with this module. Doing a TEST connection on either one from the Admin interface produces a "successful connection" message.
Now my question is: How can you specify which Active Directory you want to authenticate from on the Login Screen?
Let's say I have 2 people with the name "John Doh". 1 is on the "Finance" Active Directory server, the other on "Marketing" AD Server.
Since they are on separate domains/sites/location they can have the same username. (dohjo)
Active Servers:
Finance\dohjo
Marketing\dohjo
Is there a way a drop-down can show up so they can select which AD server to authenticate against? Or could they be allowed to enter "adservername\dohjo" in the login field?
thanks!
A Day In The Life
An ldapauth_add_user() function?
It could be my ignorance, but it seems that the ldapauth module does not have a way to put a user into Drupal's user system. The problem is that, if I want to grant access permission to a user who is in the LDAP directory but has not yet logged in on the Drupal site, I can't.
So I have located the code in ldapauth.module, which I think could be pulled out and made into an ldapauth_add_user() function, which will take a $name, look the user up and save the result in Drupal using user_save() if the user is found in a directory.
Understanding that there is an LDAP API coming in Drupal 7, I think the LDAP Integration module will still be used for a while. I would like to do this if it is possible to submit a patch.
I would also like to know if there is a way to do what I would like to do.
Thanks and regards,
--
Wei
Multi Based DNs with Restriction
I wanted LDAP to search a certain path only. Other paths should not be searched or authenticated via LDAP, as the Drupal install is for a specific group of users (well, due to my restriction on the AD server). So I tried the following with 6.x-1.0-beta2 installed on my Drupal. I tried configuring the Base DNs as below (these are not my real DN paths):
Base DNs
OU=IT,OU=Staff,OU=Branch1,OU=MY,DC=example,DC=com
OU=IT,OU=Staff,OU=Branch2,OU=MY,DC=example,DC=com
OU=IT,OU=Staff,OU=Branch5,OU=UK,DC=example,DC=com
It turns out that only the last OU was validated successfully. For instance, if the user is located in the first DN entry (OU=IT,OU=Staff,OU=Branch1,OU=MY,DC=example,DC=com), even with proper authentication provided, it will still return a failure. I wonder if this is a bug or whether I misunderstood the usage of multiple Base DNs.
After several attempts, I found a workaround. I created 3 separate LDAP server entries with the same information except for the Base DNs, and authentication worked like a charm, though it is not the way I had hoped to use it.
I hope anyone having similar situation or scenario will benefit from it.
LDAP Module not recognizing second AD server
I have had the LDAP Authentication Module (Drupal 6.x) working against an AD server for a couple of years, no problem. (Note: I use a DN/password pair with an LDAP account with stripped-down permissions.)
So... our sysadmin people just added a second AD server to our network for redundancy (or whatever). They wanted me to test to see if Drupal's LDAP would work with both servers. I added the server and configured it, and it passed the "Test" button. So when both AD servers are running, they both work fine. I can de-activate either one and it still works. However, if the first AD server fails (simulated by our sysadmin by simply disconnecting it), Drupal's LDAP does not find the second server. The only way I can make it work is to go in to the LDAP settings and deactivate the first server. According to documentation on http://drupal.org/node/118123, "the LDAP Servers will be consulted in the order they are listed. They are listed in the order they are created. Future releases will include an option to re-order them for authentication." This doesn't seem to be happening, and I'm not sure where to go from here. Searched the issue queue but did not find this one.
Not being a sysadmin myself, I don't know if the our test is valid, but this is where I'm at with the process. Any enlightenment is welcome.
Multiple AD Servers without "TLS_REQCERT never"
For those that don't like using the "TLS_REQCERT never" option, here's what I did:
I have multiple Active Directory servers and wanted to use a DNS alias to access them in a round robin fashion, so I used a SAN certificate. I issued the certificate using the server name of my first DC in the Common Name field (dc1.example.com) and listed the DNS alias (ldap.example.com) and the FQDNs of the other two DCs in the Subject Alternative field. I then reissued the SAN certificate for the other two DCs, changing the Common Name field to the FQDN of the DC that the certificate would be installed to each time.
I then added the entire certificate chain, the three server certificates, the intermediate certificates, and the Root certificate, into a pem file. I created C:\openldap\sysconf\ldap.conf and used the TLS_CACERT parameter to point to the .pem file. After restarting Apache, I could then configure the LDAP Authentication module to utilize LDAPS via my DNS alias.
I had to enter the ldap server as "ldaps://ldap.example.com" and specify port 636. TLS remained unchecked.
I hope this helps someone.
drupal 7 integrate with active directory server 2008
I got part of it right. I tested it and it said "Successfully bound to server", but how would I get it to prompt for an Active Directory username and password when I open http://localhost? Anyone?
Here's my setting:
Server Properties
sid = dc1
name = dc1
status = 1
ldap_type = ad
address = 192.168.101.10
port = 389
tls = 0
bind_method = 1
basedn = Array
binddn = CN=Administrator,CN=Users,DC=horizon,DC=local
user_dn_expression =
user_attr = sAMAccountName
mail_attr = mail
mail_template =
unique_persistent_attr = dn
allow_conflicting_drupal_accts = 0
ldap_to_drupal_user =
testing_drupal_username =
Need to set the LDAP_OPT_PROTOCOL_VERSION
Is there a way to set the LDAP_OPT_PROTOCOL_VERSION? I need to set it to version 3.