Webserver authentication + LDAP

I am working on a drupal site that will be used within a corporate intranet. One of the challenges I have been working through is automatic authentication with our Active Directory server.

The current configuration is that I am using the Webserver Authentication module which simply trusts any authentication done by the webserver. In Apache, I have the SSPI module (sspi_auth_module) that is making an NTLM request to the browser then authenticating with the Active Directory server. That configuration gives me the automatic authentication that I need (i.e. the user loads any page on the drupal site and is automatically logged in using their domain credentials without typing a username and password).

The problem is that the Apache SSPI module doesn't pass on any additional information about the user (i.e. real name, email address, phone number...).

I am considering writing a module that would pull data from Active Directory (or any LDAP directory) after the authentication is completed by the webserver. I am pretty sure I can pull the relevant code out of the LDAP Integration module (actually the ldapdata submodule) to look up the LDAP record. I am not really sure yet how it should interface with the webserver_auth module. Maybe it should be a separate module that uses the username and authmap entry (for example: only look up LDAP data if the authmap module is webserver_auth) to load the LDAP data into the user's profile.

Any thoughts and suggestions would be appreciated.


I did it

kswan - Thu, 2008-09-18 17:37

I made a separate module that uses the LDAP Interface class used by the LDAP_integration module. It checks the user's entry in the authmap table to see if the user was registered by the webserver_auth module. Then it pulls the user's data from the LDAP server. If the site has any profile field names that begin with "profile_AD_", the LDAP data is searched for the remainder of the field name and its value is automatically assigned to the profile field. For example, if there is a profile field that is named "profile_AD_cn", the cn field in the directory is automatically assigned to the profile. Also, the drupal email field is automatically filled based on the LDAP server.

Since there hasn't been any comment on this post, I don't know if this module will be useful to anyone else. At this time I don't know how to create a project on d.o for this module and don't really plan to. It probably needs some more work to become an official contributed module. If you think this module needs to become a d.o project feel free to let me know.

I was going to attach the module to this comment, but that is not allowed. Feel free to contact me if you are interested in this module.

BTW, many thanks to the developers of the LDAP_integration module.


If anyone is interested,

kswan - Tue, 2008-09-23 15:32

If anyone is interested, this module is posted here http://drupal.org/node/292423#comment-1025792.


I have been trying to get

silid - Tue, 2008-10-21 11:41

I have been trying to get this to work and I can't. I have set up one profile field and filled in the setup details for it. But nothing ever happens and nothing is logged.

Do you have more complete instructions?


I have just realised that

silid - Tue, 2008-10-21 13:33

I have just realised that this module requires the php_ldap module installed on the web server. I'll start by trying to get that sorted and see where we go from there.

Si


php_ldap now installed

silid - Wed, 2008-10-22 09:49

I have now installed the php_ldap module and still no data is pulled and nothing is recorded in watchdog. Any suggestions?

Si


I hacked ldap_integration instead

silid - Wed, 2008-10-22 16:01

I hacked the ldap integration to use webserver auth.

I have managed to get this working fine in my setup.

You can get my patches here http://drupal.org/node/324732

Please see if it will help you too.


Some tips

kswan - Thu, 2008-10-23 16:53

I am not running on IIS, so I can't duplicate your setup, but the module I wrote shouldn't be too hard to troubleshoot.

Since you have both webserver_auth and ldap_integration installed, I suspect your problem is here:

<?php
  // Check if user account was created using the webserver_auth module
  $authmap = user_get_authmaps($user->name);
  if (!isset($authmap['webserver_auth'])) {
    return;
  }
?>

LDAP_integration tends to override the authmap entries. I would try editing the authmap table to change or add 'webserver_auth' for your uid. For troubleshooting, you could just comment out the "return" line.

The next possibility is the name of your profile fields. The relevant piece of code related to that is:

<?php
  while ($field = db_fetch_object($result)) {
    // If profile field name begins with "profile_AD_" then look for an entry in the LDAP data
    if (substr($field->name, 0, 11) == 'profile_AD_') {
      $edit[$field->name] = $entry[substr($field->name, 11)][0];
    }
  }
?>

The profile field name is used to indicate which LDAP field is used. The profile name must begin with "profile_AD_" and that must be followed by the LDAP field name. For example, in Active Directory, to fill in the common name, the profile field name would be "profile_AD_cn".

I hope this helps.

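A stand-alone illustration of the profile_AD_ mapping discussed in this thread, written as an added example and not taken from kswan's module. It assumes the entry has the array shape returned by ldap_get_entries(), which lowercases attribute names and adds 'count' keys, so the attribute suffix is lowercased before lookup; ad_user_filter(), ad_profile_edit() and the sample entry are constructed for this example and run without Drupal or a directory server.

```php
<?php
// Added example (not kswan's module): maps one LDAP entry, in the shape
// returned by ldap_get_entries(), onto Drupal profile fields named
// profile_AD_<attribute>. Runs stand-alone without Drupal or an LDAP server.

// Build the search filter for the account name the webserver supplied.
// ldap_escape() (PHP >= 5.6) neutralises filter metacharacters such as
// '*', '(', ')' and '\' so the name is always treated as a literal value.
function ad_user_filter($username) {
  $safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
  return '(&(objectClass=user)(sAMAccountName=' . $safe . '))';
}

// ldap_get_entries() lowercases attribute names and adds 'count' keys,
// so 'profile_AD_telephoneNumber' must look up 'telephonenumber'.
function ad_profile_edit(array $entry, array $profile_field_names) {
  $edit = array();
  foreach ($profile_field_names as $name) {
    if (substr($name, 0, 11) !== 'profile_AD_') {
      continue;
    }
    $attr = strtolower(substr($name, 11));
    // Skip attributes the directory did not return instead of storing NULL.
    if (!empty($entry[$attr]['count'])) {
      $edit[$name] = $entry[$attr][0];
    }
  }
  // Drupal's own mail field is filled from the directory's mail attribute.
  if (!empty($entry['mail']['count'])) {
    $edit['mail'] = $entry['mail'][0];
  }
  return $edit;
}

// Constructed sample entry, mimicking one element of ldap_get_entries().
$sample_entry = array(
  'count' => 3,
  'cn' => array('count' => 1, 0 => 'Jane Example'),
  'mail' => array('count' => 1, 0 => 'jane@example.invalid'),
  'telephonenumber' => array('count' => 1, 0 => '+1 555 0100'),
);
// Constructed profile field names: two match, one is absent from the
// directory, one is not an AD field at all.
$fields = array('profile_AD_cn', 'profile_AD_telephoneNumber',
                'profile_AD_title', 'profile_bio');

echo ad_user_filter('jane.example'), "\n";
print_r(ad_profile_edit($sample_entry, $fields));
```

Note that the original snippet above passes the suffix through unchanged, so a mixed-case field name such as profile_AD_telephoneNumber will not match the lowercased key and should be named in lowercase there.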

Using LDAP_integration at the same time

pcorbett - Tue, 2008-09-23 20:29

Is it possible to use the LDAP integration module at the same time or is this something that, in conjunction with webserver_auth would replace it? I manage a school district's Web site. My ideal situation would be to allow employees to go to the site and automatically be logged in via LDAP. Right now they need to manually login and then are authenticated against our Active Directory.

Could you provide a bit more information on what you've put together and how it might possibly be used (examples)?

So far, I'd say good work - sounds really promising!


Currently webserver_auth

kswan - Tue, 2008-09-23 22:01

Currently webserver_auth doesn't work well with other authentication methods. There is an open issue that has potential to improve this situation (http://drupal.org/node/295783).

It sounds like your setup is very similar to mine. I am using this on a corporate intranet and the users are automatically logged in when they visit any page (Apache authenticates the user to the Active Directory server using NTLM then webserver_auth logs the user into drupal). I am not using ldap_integration. I have webserver_auth + the module mentioned above.

Webserver_auth module simply trusts the webserver's authentication and logs in any user that the webserver identifies. The module that I wrote just requests ldap/activedirectory information about the user that just logged in.

The main issue to determine if this configuration will work for you is whether your webserver can be configured to do the authentication you need. I have Apache running on Windows with the SSPI apache module. I also have no access from outside the intranet. I believe Apache can handle that as well, but I don't have any experience with that.

The main weakness of this setup is that there is no possibility of anonymous users (this issue http://drupal.org/node/295783 might resolve this also).


this is almost perfect!!

cybertron1 - Wed, 2008-11-19 13:15

Hi!

I have been using webserver_auth for a long time now, and I started looking at ldap integration last year or so, and also at how to incorporate this together with webserver_auth.

Now, you have done a great job!!

I just want two more features and I am all ready to go to production with it.

  1. Need to have more than one AD/LDAP server (to serve more than one domain)
  2. Need to be able to get roles from LDAP as well. If a user belongs to a group then the user should belong to the corresponding role in drupal as well. (well, not all groups perhaps, but some, maybe an array of groups or something)

Is this doable?