hi - brand new to drupal, apologies for any infractions.

i'm trying to use the LDAP module to authenticate users against MS AD.

outside of drupal i can bind using the ldapsearch command, using the credentials "domain\username", as in -

ldapsearch -h TUS1ADSDIRPIN08.xxx.yyy.com -l 10 -P 3 -x -d 255 -D "DDD\Lois_Mulcahy" -w 'goodpass'

i can also bind (or not) using a test php script:
$br = @ldap_bind( $ds, 'DDD\Lois_Mulcahy', 'goodpass');
$br = @ldap_bind( $ds, 'DDD\Lois_Mulcahy', 'badpass');

on the ldap server configuration page, i have selected "bind with user credentials" and have specified
DDD\%username as the expression for user DN. When I run the test script,
'LDAP bind failure for user Lois_Mulcahy. Error 49: Invalid credentials' is logged.

what am i missing? what is the next step to debug?
thanks for your help,
lmm

Attached file (comment #5): Edit LDAP Server Configuration.png, 27.59 KB, johnbarclay

Comments

johnbarclay:

a dn is something like cn-jdoe,ou=people,dc=ad,dc=mycampus,dc=edu so the expression should be similar.

lmmulcahy:

thanks for responding ...
yes, i do understand the DN format. however, the "domain\name" format seems to be the only one that works for authentication with this particular instance of AD. there are other ruby and php implementations in house that use the "domain\name" format as well. I think that the "domain\name" format is particular to AD, at least according to http://stackoverflow.com/questions/8300814/php-bind-ldap-to-active-direc...

i guess my real question is, if i have a working "DN" (according to ldapsearch and php ldap_bind()), how do i configure the LDAP Servers DN expression to implement it?

poking around, the pertinent code appears to be in ldap_authentication.inc:

elseif ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_USER && $sso_login == FALSE) {
  // with sso enabled this method of binding isn't valid
  // one bind attempt per configured base DN; the loop body never runs if none is configured
  foreach ($ldap_server->basedn as $basedn) {
    $search = array('%basedn', '%username');
    $transformname = $ldap_server->drupalToLdapNameTransform($authname, $watchdog_tokens);
    $replace = array($basedn, $transformname);
    // substitute %basedn and %username into the "Expression for user DN"
    $userdn = str_replace($search, $replace, $ldap_server->user_dn_expression);
    $bind_success = ($ldap_server->bind($userdn, $pass) == LDAP_SUCCESS);
    if ($bind_success) {
      break;
    }
  }
}

does it look to you that the module will not support anything other than a basedn and username?

thanks!

johnbarclay:

Title: Authentication failure - Invalid credentials » LDAP Authentication: Need to prepend cn with domain Authentication failure - Invalid credentials

That function drupalToLdapNameTransform will deal with the transformation. You will need to enable the php module and put the code for the transformation in the "PHP to transform Drupal login username to LDAP UserName attribute." box.

I don't know of another way to do this. I've worked with lots of ADs over the years and have never had this come up.

Does putting "domain\%username" in the "Expression for user DN" get you what you want?

lmmulcahy:

Thanks for responding - I now understand that I have an unusual situation (swell ...).
The first thing that i tried was to set the DN expression to "domain\%username" - doing so resulted in the "Invalid Credentials" error - and my original post.

On other fronts, my local IT has suggested an alternate DN in the "cn=%username,dc=..." format that works from neither ldapsearch, php, nor Drupal - I am simultaneously working through this issue with them (another "swell")
I think that I'll have better luck with Drupal!

I would be much obliged if you could answer a couple of questions -

Am I correct in identifying ldap_authentication.inc as the pertinent code?

Looking at the ldap_servers table, I see that the server entry basedn column has the value "a:0{}". From where did that originate? Is there a configuration file that I need to customize? In my situation, there really is no base DN ...

much appreciated,
lmm

johnbarclay:

Am I correct in identifying ldap_authentication.inc as the pertinent code? Yes. In the 7.x-2.x branch it's in the ldap_server module.

Looking at the ldap_servers table, I see that the server entry basedn column has the value "a:0{}". From where did that originate? Is there a configuration file that I need to customize? In my situation, there really is no base DN ...
"a:0{}" is simply an empty serialized php array. It's in the server configuration. If you aren't limited to a particular part of your ldap, use the top level as the basedn. Attached is a screenshot. This is needed to know where to start searches.
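As an added illustration (not code from the ldap module or from anyone in this thread), the DN-building loop quoted from ldap_authentication.inc above, reimplemented stand-alone with a fake bind callback in place of $ldap_server->bind() and the already-transformed username passed in directly, so it runs offline. It shows why the base DN matters even when the expression ignores %basedn: with an empty base DN list no DN is ever built or bound, while with a base DN set, "DDD\%username" yields the domain\username form that worked outside Drupal. All server names, DNs and credentials are constructed.

```php
<?php
// Stand-alone re-implementation of the bind-with-user-credentials loop.
// Not the module's code; the directory is faked by a callback.

/**
 * Build the candidate bind DNs the same way the module snippet does:
 * one per configured base DN, substituting %basedn and %username into
 * the "Expression for user DN". Returns an empty list if no base DN is set.
 */
function ldap_user_dn_candidates(array $basedns, string $expression, string $username): array {
  $candidates = [];
  foreach ($basedns as $basedn) {
    $candidates[] = str_replace(['%basedn', '%username'], [$basedn, $username], $expression);
  }
  return $candidates;
}

/**
 * Mirror the bind loop: try each candidate DN until one binds.
 * $bind stands in for $ldap_server->bind() and returns TRUE on success.
 * Returns the DN that bound, or NULL when nothing bound (including the
 * case where the loop body never ran because the base DN list was empty).
 */
function bind_with_user_credentials(array $basedns, string $expression, string $username, string $pass, callable $bind): ?string {
  foreach (ldap_user_dn_candidates($basedns, $expression, $username) as $userdn) {
    if ($bind($userdn, $pass)) {
      return $userdn;
    }
  }
  return NULL;
}

// Constructed stand-in for the AD server: only the domain\username bind DN
// with the right password is accepted, as ldapsearch and ldap_bind() showed.
$fake_ad = function (string $dn, string $pass): bool {
  return $dn === 'DDD\Lois_Mulcahy' && $pass === 'goodpass';
};

// Case 1: base DN list empty, as in the "a:0{}" row. No DN is built and no
// bind is attempted, so the login fails whatever the expression says.
var_dump(bind_with_user_credentials([], 'DDD\%username', 'Lois_Mulcahy', 'goodpass', $fake_ad));

// Case 2: a top-level base DN is configured (constructed value). The
// expression ignores %basedn, so the bind DN is DDD\Lois_Mulcahy and binds.
var_dump(bind_with_user_credentials(['dc=xxx,dc=yyy,dc=com'], 'DDD\%username', 'Lois_Mulcahy', 'goodpass', $fake_ad));
```

In single-quoted PHP strings the backslash in 'DDD\%username' and 'DDD\Lois_Mulcahy' is literal, so no doubling is needed there.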

larowlan:

Issue summary: View changes
Status: Needs review » Closed (outdated)

no update for > 12 months - closing