Like many before me I have travelled the paths of this issue through Ubuntu, linux, LDAP and Drupal forums.

I want to be able to update my ADS passwords from Drupal.

I have not been able to establish TLS or SSL sessions with ADS. I have installed a certificate, but I have not been able to get an SSL or TLS session authenticated through ldapsearch, and I have never seen anything ask for a certificate. I have found where the ldap.conf file lives and I have been able to make configuration changes in this that affect the execution of ldapsearch (e.g. putting the server details in the file).

I am able to update other LDAP data, but when I try the passwords, a message comes back telling me:

"The data was not written to LDAP."

Can you suggest anything I could do? Do I really need to establish an SSL or TLS session? Are there any patches I could apply to my code to get this to work? I have noticed references to a few, but they were so old, I thought they may have been integrated into the package.

It would be really nice if someone could point me in the direction to solve this problem. Believe me, I have done the time.

Comments

cgmonroe’s picture

I think this is a chicken and egg problem... I seem to remember that AD will not let you modify its password attribute via LDAP unless it's an SSL or TLS connection, but PHP's LDAP / OpenSSL combination does not like self-signed or untrusted CA certificates.

Unfortunately, this is not something that can be handled at the Drupal level because it's part of PHP's core extensions. So there is no magic patch.

In theory (but I haven't gotten it to work in practice), you should be able to get the certificate from your AD or LDAP server and convert it into PEM format and then put it in the cert directory with the file name set to the certificate hash plus .0.

See: http://gagravarr.org/writing/openssl-certs/others.shtml#selfsigned-openssl

The directory it goes into should be defined in your ldap.conf file which can be located different places depending on the server OS/Distro.

The TLS_CACERTDIR setting will control where certificates are looked for.

There is also a TLS_REQCERT setting 'never' that is supposed to disable certificate checking but does not seem to be consistent.

Good luck.
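The procedure in the comment above, as an added example that is not part of the thread or of the ldap_integration project: a PHP CLI script that normalises the exported AD certificate to PEM, stores it in the certificate directory under its subject-hash name (`<hash>.0`), and then opens a STARTTLS session through PHP's own ldap extension, which is the code path Drupal uses rather than ldapsearch. The file paths, host name and bind DN are assumed values; if the AD server's certificate is issued by an internal CA, the CA certificate is the one to install, since libldap verifies the chain up to a trusted root.

```php
<?php
// Added example (not from the thread): install a certificate into the OpenLDAP
// client certificate directory under its subject-hash name and verify that
// PHP's ldap extension can start TLS against it. All values below are assumed.
$certFile  = '/tmp/ad-server.crt';                 // exported from AD, DER or PEM
$caCertDir = '/etc/ldap/certs';                    // must match TLS_CACERTDIR in ldap.conf
$ldapHost  = 'ldap://dc1.example.internal';        // assumed domain controller
$bindDn    = 'CN=Drupal Service,OU=Service Accounts,DC=example,DC=internal';
$bindPw    = getenv('LDAP_BIND_PW');               // keep the secret out of the script

// 1. Normalise to PEM. A DER-encoded certificate begins with the ASN.1 SEQUENCE
//    tag byte 0x30; a PEM file begins with "-----BEGIN".
$raw = file_get_contents($certFile);
if (substr($raw, 0, 1) === "\x30") {
  $pem = "-----BEGIN CERTIFICATE-----\n"
       . chunk_split(base64_encode($raw), 64, "\n")
       . "-----END CERTIFICATE-----\n";
} else {
  $pem = $raw;
}

// 2. libldap (via OpenSSL) looks certificates up by subject-name hash, in a
//    file named "<hash>.0". openssl_x509_parse() returns that hash under the
//    key 'hash'; it is the same value `openssl x509 -noout -hash` prints.
$info = openssl_x509_parse($pem);
if ($info === false) {
  fwrite(STDERR, "cannot parse certificate\n");
  exit(1);
}
$target = "$caCertDir/{$info['hash']}.0";
file_put_contents($target, $pem);
echo "installed " . $info['subject']['CN'] . " as $target\n";

// 3. Reproduce what the Drupal LDAP modules do: protocol v3, STARTTLS, bind.
//    TLS_REQCERT is left at its default ('demand') so a wrong or missing
//    certificate fails here instead of being silently accepted.
putenv("LDAPTLS_CACERTDIR=$caCertDir");            // same effect as TLS_CACERTDIR in ldap.conf
$ldap = ldap_connect($ldapHost);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);     // AD returns referrals that break binds
if (!ldap_start_tls($ldap)) {
  fwrite(STDERR, 'STARTTLS failed: ' . ldap_error($ldap) . "\n");
  exit(1);
}
if (!ldap_bind($ldap, $bindDn, $bindPw)) {
  fwrite(STDERR, 'bind failed: ' . ldap_error($ldap) . "\n");
  exit(1);
}
echo "TLS session established and bind succeeded\n";
ldap_unbind($ldap);
```

If step 3 still fails with a certificate error, the cause is usually a host name that does not match the certificate's subject or a missing intermediate CA in the directory, not the `.0` naming.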

michael.p.mckenzie’s picture

Thanks for the direction.

I managed to get the TLS connection working by pointing to the directory only, and not the file.

So now I can change active directory passwords in Drupal which is great.

However, one of the aims for this was to provide a recovery mechanism for passwords, but the majority of my users do not have a drupal profile until they log in. For many of them this will be the first time they log on to the web site. I have tried using the user import module to generate the users, but this does not generate them as an LDAP authorised logon. I looked at LDAP provisioning which claimed it had a bulk load facility, but it is not apparent.

Can you suggest the most likely path for me to chase so I can bulk load all my Active Directory user IDs into Drupal?

Thank you

Michael

cgmonroe’s picture

If I understand correctly, you want to create the drupal users from the AD server. To do this, use the new ldapsync module that is part of the dev. This will create the matching Drupal LDAP authenticated users from the ldap information.

michael.p.mckenzie’s picture

Thanks,

I upgraded to dev and there was ldapsync. I synced the users, everything was fine.

However, now when I go to get a new password via email I get a message

"This is an LDAP account, to change or retrieve the password, please, contact your LDAP administrator"

Without entering the code, is there any way to turn this off and allow a password reset entry? I understand this is not normally done, but in this case there is a second level of security once the user gets access, and they can only reset it if they can access their own email.

cgmonroe’s picture

Currently there is no way to turn this off. I think you can override this setting with a module that modifies the changes made by the ldapauth_form_user_pass_alter function. E.g., a module whose weight makes it run after ldapauth which replaces ldapauth's validate function with its own. This would allow LDAP authenticated users to get the reset password e-mail.

Note that this may cause problems if your site isn't configured with password recovery in mind. I haven't tested it but I think the conditions needed for this to work with ldap integration would be:

  • ldapdata has to be set up to allow LDAP passwords to be set via Drupal. I.e., the Drupal pass field mapped to LDAP password attribute.
  • ldapdata has to have the advanced setup defined with an account that can modify all users' attributes. This is because the user session created via the e-mail password reset URL will not have the user's LDAP password stored in $SESSION. So the only way to bind to the LDAP server and be able to change the password is via a configured dn / password with the rights.

Note that there may be some "edge conditions" (e.g. initial login, user info changed externally after reset link sent) that could cause problems with this. Your module would probably need to modify the user_pass_reset form to make sure that LDAP authenticated users have the same code executed that the ldapauth module does when there is a valid account (in ldapauth_authenticate method about line 472 - // Login existing user. comment section of code).

This is all theory based on a quick review of the password recovery code... YMMV.
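The override sketched in the comment above, as an added example and not code from the ldap_integration project: a small Drupal 6 module (hypothetical name `ldappassreset`) weighted to run after ldapauth, which puts core's own `user_pass_validate()` back on the password request form and adds a check of its own. It assumes, as the comment does, that `ldapauth_form_user_pass_alter()` works by replacing the form's `#validate` handlers, that synced LDAP users have an `{authmap}` row with module `ldapauth`, and that ldapdata is configured with a bind account able to write the password attribute.

```php
<?php
// Added example, not part of ldap_integration. File: ldappassreset.module
// (plus ldappassreset.install for the hook_install below). Module name is
// hypothetical; the authmap module name 'ldapauth' is an assumption.

/**
 * Implementation of hook_install().
 * Raise this module's weight so its form alter runs after ldapauth's and the
 * #validate handlers set here are the ones that survive.
 */
function ldappassreset_install() {
  db_query("UPDATE {system} SET weight = %d WHERE name = '%s' AND type = 'module'",
           50, 'ldappassreset');
}

/**
 * Implementation of hook_form_FORM_ID_alter() for the user_pass form.
 * Core's user_pass_validate() loads an active account by name or e-mail and
 * stores it in $form_state['values']['account']; user_pass_submit() then
 * sends the one-time login link exactly as it does for a local user.
 */
function ldappassreset_form_user_pass_alter(&$form, &$form_state) {
  $form['#validate'] = array('user_pass_validate', 'ldappassreset_user_pass_validate');
}

/**
 * Extra validation, run after core's.
 * Only accounts Drupal already knows (synced via ldapsync, so an authmap row
 * exists) and that have an e-mail address on file may receive a reset link;
 * the link must not become a way to reach an account that was never created.
 */
function ldappassreset_user_pass_validate($form, &$form_state) {
  if (empty($form_state['values']['account'])) {
    return;  // core has already raised "not recognized"
  }
  $account = $form_state['values']['account'];
  $is_ldap = (bool) db_result(db_query(
    "SELECT COUNT(*) FROM {authmap} WHERE uid = %d AND module = '%s'",
    $account->uid, 'ldapauth'));
  if ($is_ldap && empty($account->mail)) {
    form_set_error('name', t('This LDAP account has no e-mail address on file; please contact your LDAP administrator.'));
  }
}
```

The reset link itself still only logs the user in; the actual LDAP write happens when they save a new password on the account form, which is why the ldapdata bind account from the list above is required.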

John Franklin’s picture

Status: Active » Closed (duplicate)