Prerequisites

Last updated on
9 March 2017

Drupal 7 will no longer be supported after January 5, 2025.

This article covers making sure your web server, PHP, and LDAP server are set up to support Drupal's LDAP modules.

Useful LDAP guides

Many problems in setting up LDAP for Drupal stem from issues outside of Drupal (network, TLS, bind credentials, search base, attribute names) and are much easier to debug outside of it, for example with ldapsearch or a short PHP script run on the web server. You might find these guides helpful:

Getting the relevant information

You need to get the relevant information of your environment from your directory administrator before you can continue.

We have prepared the following sample letter you can send to the responsible party to receive the relevant data:

Dear [LDAP|Active Directory] Administrator,

We would like to leverage the [Campus|Corporate|etc] [LDAP|Active Directory] for authentication and authorization on our Drupal website. It will be used in the following way:

  • Users will enter their credentials in the Drupal interface and Drupal will test them against the directory by binding with them.
  • A mirrored Drupal account will also be created with their email address and a long random password; no LDAP credentials will be stored in Drupal.
  • LDAP groups will be mirrored as Drupal roles, and Drupal role memberships will be derived from LDAP groups and OUs.

We have the following questions about configuration and best practices. Whatever you can tell us will be helpful. Once we get connected to the LDAP server, we can hopefully figure out any missing pieces.

LDAP Server Connection Properties:

  • What type of directory is it (Active Directory, OpenLDAP, Open Directory, eDirectory, etc.)?
  • Should we bind with a service account for querying user attributes and group memberships, or use an anonymous bind?
    • If a service account, do we create it or can you?
    • If you create it, what is its Distinguished Name (e.g. cn=jdoe,ou=...) and password? The account only needs read access to the user and group OUs.
  • What is the base distinguished name we should search under? We suspect it's the top-level DN, but anything above the user and group OUs should work.
  • What is the LDAP server host name and port (e.g. ad.mycompany.com:389 for LDAP/StartTLS, or :636 for ldaps)?
  • Should we connect with StartTLS, or ldaps, or neither?
  • Are there any firewall issues we need to resolve to connect from our web server to the LDAP server?

LDAP User Entries

  • What attribute contains the user's email address (e.g. mail)?
  • Is there a unique attribute such as uid, guid, etc. that does not change over time?
  • What attribute would make a good logon/username (e.g. "cn")?

Group Entries:

  • Does the user's LDAP entry have an attribute such as memberOf that contains the user's group memberships?
  • What attribute in the group LDAP entries holds the users (e.g. member, uniqueMember, memberUid)? And what does this attribute hold (DN, CN, uid, ...)?
  • What is the object class of the group entries (e.g. groupOfNames, groupOfUniqueNames, group)?

Thanks

Getting started

  • Enable the LDAP Servers submodule (ldap_servers).
  • Enable ldap_help temporarily to aid in debugging; disable it again once the setup works.
  • Go to admin/config/people/ldap/help/status (Administration > Configuration > People > LDAP Configuration > Help).
  • Verify the following:
    1. The PHP LDAP extension is loaded (phpinfo() shows "LDAP Support => enabled"). Check the PHP that actually serves Drupal; the CLI php may load a different php.ini.
    2. The mcrypt extension is loaded if you are going to encrypt stored bind passwords. Note that mcrypt is deprecated in PHP 7.1 and removed from core in PHP 7.2.
    3. The OpenSSL extension is loaded; it is needed for ldaps and StartTLS.
    4. For ldaps or StartTLS, make sure the LDAP server's certificate is valid from the web server's point of view: it must chain to a CA the web server trusts and its name must match the host name you connect to, otherwise the connection fails before any bind is attempted.
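The following script is an added example, not code from the Drupal LDAP modules. It exercises, outside of Drupal, exactly the items the letter above asks about and the checks listed under Getting started: the PHP extensions, the connection and StartTLS, the service-account bind, the user lookup by logon attribute, a bind with the user's own credentials, and group membership looked up from both the user entry (memberOf) and the group entries. Every host name, DN, attribute name and object class in it is a placeholder to be replaced with your directory administrator's answers; the two environment variables are assumed names for passing passwords without writing them into the file.

```php
<?php
// check_ldap.php: added stand-alone prerequisite check, not part of the
// Drupal LDAP modules. Run it on the web server with the PHP that serves
// Drupal (the CLI php may use a different php.ini):
//   LDAP_BIND_PW='...' LDAP_TEST_PW='...' php check_ldap.php
// Every host, DN, attribute and class below is a placeholder.

declare(strict_types=1);

$host        = 'ldap://ad.example.com:389';                          // or ldaps://ad.example.com:636
$start_tls   = true;                                                 // StartTLS on 389; false when using ldaps
$bind_dn     = 'cn=drupal-svc,ou=Service Accounts,dc=example,dc=com'; // read-only service account
$bind_pw     = getenv('LDAP_BIND_PW') ?: '';                         // never hard-code it
$base_dn     = 'dc=example,dc=com';                                  // search base above the user and group OUs
$user_attr   = 'sAMAccountName';                                     // logon attribute; uid or cn on OpenLDAP
$test_user   = 'jdoe';                                               // an account whose password you know
$test_pw     = getenv('LDAP_TEST_PW') ?: '';
$group_class = 'group';                                              // groupOfNames / groupOfUniqueNames elsewhere
$member_attr = 'member';                                             // uniqueMember elsewhere; memberUid holds a uid, not a DN

function fail(string $msg): void {
    fwrite(STDERR, "FAIL: $msg\n");
    exit(1);
}

// 1. PHP side: the same extensions the ldap_help status page reports on.
foreach (['ldap', 'openssl'] as $ext) {
    if (!extension_loaded($ext)) {
        fail("PHP extension '$ext' is not loaded");
    }
}
if ($bind_pw === '') {
    fail('LDAP_BIND_PW is empty; a DN with an empty password is an unauthenticated bind, not a test');
}

// 2. Connection: LDAPv3, no referral chasing (matters for Active Directory), then TLS.
$ldap = ldap_connect($host);
if ($ldap === false) {
    fail("ldap_connect() rejected the URI $host");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if ($start_tls && !ldap_start_tls($ldap)) {
    fail('StartTLS failed: ' . ldap_error($ldap) . ' (server certificate not trusted by this host?)');
}
if (!@ldap_bind($ldap, $bind_dn, $bind_pw)) {
    fail('service account bind failed: ' . ldap_error($ldap) . ' (wrong DN or password, or a firewall?)');
}
echo "OK: connected and bound as $bind_dn\n";

// 3. Find the test user under the base DN. ldap_escape() keeps a username
//    such as "jdoe)(objectClass=*" from being interpreted as filter syntax.
$filter  = sprintf('(%s=%s)', $user_attr, ldap_escape($test_user, '', LDAP_ESCAPE_FILTER));
$res     = ldap_search($ldap, $base_dn, $filter, ['mail', 'memberOf', 'objectGUID', 'entryUUID']);
$entries = $res ? ldap_get_entries($ldap, $res) : false;
if ($entries === false || $entries['count'] !== 1) {
    fail("expected exactly one entry for $filter under $base_dn, got " . ($entries['count'] ?? 'an error'));
}
$user    = $entries[0];              // ldap_get_entries() lower-cases attribute names
$user_dn = $user['dn'];
echo "OK: user DN $user_dn\n";
echo "    mail: " . ($user['mail'][0] ?? '(missing; ask which attribute holds the email address)') . "\n";
echo "    memberOf: " . ($user['memberof']['count'] ?? 0) . " group(s) on the user entry\n";
foreach (['objectguid', 'entryuuid'] as $id) {    // stable identifier candidates
    if (isset($user[$id])) {
        echo "    stable id attribute present: $id\n";
    }
}

// 4. Authenticate the way Drupal will: bind as the user's own DN.
//    An empty password is refused on purpose: servers may treat DN plus
//    empty password as an anonymous bind and report success.
if ($test_pw === '') {
    fail('LDAP_TEST_PW is empty; refusing to test authentication with an empty password');
}
if (!@ldap_bind($ldap, $user_dn, $test_pw)) {
    fail('user bind failed: ' . ldap_error($ldap));
}
echo "OK: user credentials accepted\n";

// 5. Group membership from the group side, for directories without memberOf.
if (!@ldap_bind($ldap, $bind_dn, $bind_pw)) {     // back to the service account
    fail('re-bind as service account failed: ' . ldap_error($ldap));
}
$gfilter = sprintf('(&(objectClass=%s)(%s=%s))', $group_class, $member_attr,
                   ldap_escape($user_dn, '', LDAP_ESCAPE_FILTER));
$gres   = ldap_search($ldap, $base_dn, $gfilter, ['cn']);
$groups = $gres ? ldap_get_entries($ldap, $gres) : ['count' => 0];
echo "OK: $gfilter matched {$groups['count']} group(s)\n";
for ($i = 0; $i < $groups['count']; $i++) {
    echo '    ' . $groups[$i]['dn'] . "\n";
}
ldap_unbind($ldap);
```

Each step fails loudly with the server's own error text, so a failure tells you whether the problem is the PHP build, the network or certificate, the service-account credentials, the search base or attribute names, or the test user's password, before any Drupal configuration is involved. If the directory uses memberUid, replace $user_dn with $test_user in the group filter, since that attribute holds a uid rather than a DN.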
