First, thank you to everyone who has put their blood, sweat and tears into this module.

I am testing Drupal 7 on Ubuntu Linux. I am using Apache HTTP server with mod_auth_ntlm to handle authentication with MS Active Directory. I have the LDAP module working with Active Directory, so users can sign on to Drupal with their Active Directory accounts. My issue is that I cannot seem to get SSO working. I don't receive any error messages; it just redirects to the login page /user/login when going to /user/login/sso, with the message "authentication unsuccessful". I can access NTLM-protected directories seamlessly outside Drupal, so I am stumped. Any ideas?

Comments

johnbarclay

First, I would try the 7.x-1.x-dev version. It has had some LDAP SSO patches applied.

Second, I'm very interested in getting this working in the NTLM on Linux/Apache scenario, but I don't have a good testing environment for that. I'm also writing some unit tests for the ldap sso module for regression testing, which will be available down the line.

Having LDAP working on Drupal means you have the server and authentication configured correctly.

In the Single Sign On section of "admin/config/people/ldap/authentication," what are your settings?

buddym

Thank you for your fast response. Per your direction, I am now using the 7.x-1.x-dev version. Unfortunately, I am still unable to get LDAP SSO working. Under the Single Sign On section, the only thing I did was check "turn on automated single sign-on."

Since this is a test system with a fresh Drupal 7 installation, I simply dropped all my tables and started the installation over. Once Drupal 7 was installed, I enabled all the modules needed to run the LDAP module (advanced_help, ctools, entity, features, feeds, job_scheduler, og, panels, strongarm, and views). After enabling the modules, the system returned the following notice:

Notice: Undefined index: seamlessLogin in ldap_sso_boot() (line 62 of .../sites/all/modules/ldap/ldap_sso/ldap_sso.module).

I proceeded to configure my LDAP server settings and tested them successfully. I turned on automated single sign-on and went to /user/login/sso, but got redirected to /user/login with a message:

You were not authenticated by the server. You may log in with your credentials below.

I proceeded to manually log in with an AD user, and that worked fine. The user account was created on the fly and authenticated. At this point, I started scouring the logs and here are some entries:

Type: php, Location: user/logout Notice: Undefined index: seamless_login in ldap_sso_user_logout() (line 38 …/sites/all/modules/ldap/ldap_sso/ldap_sso.module).

Type: ldap_auth, User: Anonymous(not verified), Location: user/login/sso, message: $_SERVER['REMOTE_USER'] not found

Undefined variable: auth_conf in ldap_sso_boot() (line 63 of …/sites/all/modules/ldap/ldap_sso/ldap_sso.module).

The middle message seemed like it could be the issue, so following one of your old posts, I ran the following PHP script in an NTLM-protected directory where seamless authentication works:

    <?php
    // Dump the server variables only when Apache has set REMOTE_USER.
    if (isset($_SERVER['REMOTE_USER'])) {
        print "<pre>";   // opening tag (stripped from the extracted page) so print_r output is readable in a browser
        print_r($_SERVER);
        die;
    }

First I tried it without the isset wrapper, then with, and to my chagrin both ways returned my Active Directory user name for [REMOTE_USER] and [PHP_AUTH_USER]. I am not sure why ldap_auth is reporting the user as Anonymous (not verified) and $_SERVER['REMOTE_USER'] not found. Any ideas?

I will keep working on it on my end. Thanks for your help, much appreciated. Addendum: the Apache module I am using is mod_auth_ntlm_winbind; I had previously stated I was using mod_auth_ntlm.

buddym

Today, I changed the Apache Directory configuration from ../user/login/sso to just the Drupal root directory.

#NTLM OLD
<Directory "../drupal/user/login/sso">
  AuthName "NTLM Authentication"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user
</Directory>

#NTLM NEW
<Directory "../drupal">
  AuthName "NTLM Authentication"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user
</Directory>

Now, when I go to ../user/login/sso in my browser the SSO works (kind of). It logs me in with my AD account, but the page reports the following error:

Sorry, your LDAP credentials were not found, or the LDAP server is not available. You may log in with other credentials on the user login form.

buddym

I did some more testing yesterday, and this is the final configuration that is working on Ubuntu Linux running Apache2 with mod_auth_ntlm_winbind.

I added the following at the end of httpd.conf:

#NTLM Drupal SSO
<Location /drupal/user/login/sso>
  AuthName "NTLM Authentication"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user
</Location>

I was originally using Directory directives instead of Location directives in my httpd.conf, which I am assuming does make a difference with Drupal's .htaccess file using mod_rewrite. I could be totally off, but that is what I am attributing my original issues to.

I also reverted back to the 7.x-1.0-beta5 distribution package; the dev package was working but throwing a lot of errors in the authentication process. Under the SSO section, I checked "Enable Single Sign-On" and "Turn on automated single sign-on", and it is working great.

Thank you!
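
A quick check for the final <Location> configuration above, added here and not part of the thread: an anonymous request to the SSO path should be answered with a 401 carrying an NTLM challenge, while the Drupal front page should stay open. The base URL, the `live` argument and the header-classification helper are assumptions for this example.

```shell
#!/bin/sh
# Added check, not from the thread: verify that the <Location /drupal/user/login/sso>
# block challenges anonymous requests with NTLM and that the rest of the site is
# not behind the same challenge. BASE is an assumed default.
BASE="${BASE:-http://localhost/drupal}"

# classify_headers: read raw response headers (as printed by `curl -sI`) from
# stdin and print one word:
#   ntlm-challenge  status 401 plus a "WWW-Authenticate: NTLM" header
#   open            status 2xx/3xx with no challenge
#   other           anything else (401 with only Basic, 403, 500, ...)
classify_headers() {
  hdrs=$(cat)
  # status code from the first line; ".*" also swallows a trailing CR
  status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
  if [ "$status" = "401" ] && printf '%s\n' "$hdrs" | grep -iq '^WWW-Authenticate: *NTLM'; then
    echo ntlm-challenge
  elif [ -n "$status" ] && [ "$status" -ge 200 ] && [ "$status" -lt 400 ]; then
    echo open
  else
    echo other
  fi
}

# check_path URL EXPECTED: fetch headers, classify, report, and fail if they differ.
# A plain "open" on the SSO path is the original symptom: a <Directory> block names
# a filesystem path, and /user/login/sso exists only as a URL handled by index.php,
# so it never matched; <Location> matches the URL itself.
check_path() {
  got=$(curl -sI --max-time 10 "$1" | classify_headers)
  printf '%-45s %s (expected %s)\n' "$1" "$got" "$2"
  [ "$got" = "$2" ]
}

# Only hit the network when asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "live" ]; then
  check_path "$BASE/user/login/sso" ntlm-challenge
  check_path "$BASE/" open
fi
```

Run with `sh check_sso.sh live` against the server; a non-zero exit means one of the two expectations failed.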

johnbarclay

Thanks. This is very helpful. If you can add anything to the documentation at http://drupal.org/node/1371478, that would be great.

buddym

Status: Active » Closed (works as designed)