LDAP for Drupal

1    What is LDAP?

The Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email and other programs use to look up information from a server. LDAP is defined in terms of Abstract Syntax Notation One and transmitted using BER encoding. Directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number. LDAP is specified in a series of Internet Engineering Task Force (IETF) Standard Track Request for Comments (RFCs). The latest version is Version 3, published as RFC 4511.

2    Integrating LDAP with Drupal

This article examines how LDAP can be integrated into Drupal. Specific modules are available in Drupal 6 and Drupal 7 for LDAP integration. To name a few: for Drupal 6, ldapauth, ldapgroups, ldapdata and ldapsync; for Drupal 7, LDAP Servers, LDAP User, LDAP Query, LDAP Authentication and LDAP Views.

2.1       Prerequisites:

  • Server Domain or IP Address e.g. ad.nebraska.edu or
  • LDAP server requires ldaps (ssl) or start-tls
  • LDAP Server Port (usually 389 or 636)
  • Base DNs for LDAP user entries. This is the highest part of the LDAP directory that has user entries in it, e.g. ou=students,dc=ad,dc=nebraska,dc=edu
  • Username attribute. cn, uid, or sAMAccountName in the user’s LDAP entry should map to a Drupal username
  • Email attribute. mail in the user’s LDAP entry has the user’s email address

2.2       Checking for Prerequisites with LDAP Help Module

  1. Enable LDAP Servers and LDAP Help modules
  2. Go to admin/config/people/ldap/help/status (Administration > Configuration > People > LDAP Configuration > Help) and check the following PHP extensions:
  • The PHP LDAP extension data shows LDAP Support enabled.
  • The mcrypt extension is loaded if you are going to encrypt stored passwords.
  • OpenSSL or another SSL extension is loaded.
  • For ldaps, make sure the cert is on the web server.

2.3       Selected Values for Common LDAP Server Configurations:

  • LDAP server: ad.unm.edu (not ldaps://ad.unm.edu)
  • LDAP Port: 389
  • Use Start TLS checked
  • Use Service Account Bind
  • Username Attribute: sAMAccountName
  • Email Attribute: mail
  • Persistent and Unique User Attribute : objectsid
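
The login procedure these settings imply (StartTLS on port 389, service account bind, lookup by username attribute, then a bind as the user), written as an added PHP example that is not code from the Drupal LDAP modules. The host, DNs and the LDAP_SVC_PW environment variable are placeholders, and it assumes PHP 7.1 or later with the ldap extension.

```php
<?php
// Added example, not Drupal LDAP module code. Host, DNs and env var are placeholders.
$cfg = [
    'uri'       => 'ldap://ldap.example.edu:389', // plain port, upgraded by StartTLS
    'base_dn'   => 'ou=people,dc=example,dc=edu',
    'user_attr' => 'sAMAccountName',
    'mail_attr' => 'mail',
    'svc_dn'    => 'cn=drupal-svc,ou=services,dc=example,dc=edu',
    'svc_pw'    => getenv('LDAP_SVC_PW') ?: '',   // keep the secret out of the source
];
/** Returns ['dn' => ..., 'mail' => ...] on a successful login, null otherwise. */
function directory_login(array $cfg, string $username, string $password): ?array
{
    // A simple bind with an empty password is an "unauthenticated bind" that
    // many servers accept, so it must never be treated as a login.
    if ($username === '' || $password === '') {
        return null;
    }
    // Refuse servers whose certificate cannot be verified (global libldap option).
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $ds = ldap_connect($cfg['uri']);
    if ($ds === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Encrypt first: no credentials are sent unless the TLS upgrade succeeded.
    if (!@ldap_start_tls($ds)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }
    // Step 1: service account bind, used only to find the user's entry.
    if (!@ldap_bind($ds, $cfg['svc_dn'], $cfg['svc_pw'])) {
        throw new RuntimeException('Service bind failed: ' . ldap_error($ds));
    }
    // Step 2: search by username attribute; escaping keeps * ( ) \ out of the filter.
    $filter = sprintf('(%s=%s)', $cfg['user_attr'], ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $res = @ldap_search($ds, $cfg['base_dn'], $filter, [$cfg['mail_attr']], 0, 2);
    $entries = $res ? ldap_get_entries($ds, $res) : false;
    if (!$entries || $entries['count'] !== 1) {   // no match, or an ambiguous one
        ldap_unbind($ds);
        return null;
    }
    // Step 3: re-bind as the user's own DN to verify the password.
    $dn = $entries[0]['dn'];
    $ok = @ldap_bind($ds, $dn, $password);
    $mail = $entries[0][strtolower($cfg['mail_attr'])][0] ?? null;
    ldap_unbind($ds);
    return $ok ? ['dn' => $dn, 'mail' => $mail] : null;
}
```

Calling directory_login($cfg, $name, $pass) against a test directory exercises the same values the server configuration form asks for, so a failure at StartTLS, the service bind or the search points to the setting that is wrong.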

3         LDAP Authorization

LDAP Authorization is simply an API for “authorization consumers” such as Drupal roles or Organic Groups. Drupal roles are most commonly used. You must enable LDAP Authorization and one or more “authorization consumer” modules.

Each “authorization consumer” will have a single configuration entry at: admin/config/people/ldap/authorization that will need to be created, configured and enabled for authorization to work. After configuring an “authorization consumer”, use the “test” link to see the authorizations a given test user would be granted.

4         LDAP Authorization Organic Groups for Drupal 7

4.1       Requirements

  • Configuration that maps Drupal Users to LDAP Users (Implemented by LDAP Server Module).
  • Configuration that maps LDAP user entries to Organic Group membership (Implemented by LDAP Authorization Organic Groups).
  • LDAP Authorization modules do not require LDAP Authentication to be used. LDAP Authorization modules will work with CAS, Shib, and other authentication modules including Drupal authentication or OpenID. However, there must be a relationship established between the Drupal user and an LDAP entry; this relationship is usually the username or email. This relationship is implemented in the LDAP Server module.
  • This takes a little patience to set up and test.

4.2       Setup

  • Create the Organic Groups and Roles you need. If the default OG roles work (member and admin) you do not need to worry about creating roles.
  • Download the LDAP project at http://drupal.org/project/ldap
  • Enable LDAP Servers and configure an LDAP Server. Only one server can be used with LDAP Authorization OG at a time.
  • At admin/config/people/ldap/authorization/add/og_group, create OG Group Configuration. After configuring this, a test page will be available.
  • Go to the test page: admin/config/people/ldap/authorization/test/og_group and try some usernames to see what OG roles the user would be granted.
  • When you are satisfied with this, test with actual users logging in.

4.3       Debugging LDAP Authorization

  1. Go to the test form: admin/config/people/ldap/authorization/test/drupal_role
  2. Submit a username.
  3. In the response page to the form, examine the “Prefiltered and Final Mappings” section. It lists all the “raw authorizations” or the authorizations before filtering and mapping.
  4. There is some ability to see intermediary data in the authorization code. This can be helpful for debugging. Enable “detailed logging”. Then log in as the user in question. There will be detailed logs in watchdog of the LDAP authorization steps.
  5. Authorizations are stored in the $user->data array. To see this array, do the “Picking through the Database” step for the user table. You should see authorization records there.

4.4       LDAP User Module

The actual creation of a Drupal account can happen:

  • On user login via LDAP authentication: This is the most common use case. After the user successfully authenticates, a Drupal account is created. Fields in the Drupal account (username, mail, uid, last name etc.) are populated based on LDAP User mapping configurations.
  • On manual Drupal Account creation: For this use case, whenever a Drupal account is created a check is done for a corresponding LDAP entry. If one is found, the Drupal account fields are populated from the LDAP Entry. This is useful when you have few users and you want to create accounts by hand, or when you are using other modules to mass import users.
  • On any Drupal account creation, regardless of how the Drupal account is created.
  • On cron runs. Not implemented yet.
  • On REST web service request. Partially implemented, ping maintainers if this is needed.

5           Important Configuration Points

Visit Administrator > Site Configuration > LDAP > Authentication > Settings

  • Under the “Authentication mode” fieldset, make sure that the corresponding values below are set:
    Choose authentication mode:  LDAP directory only
    Choose user conflict resolve procedure:  Associate local account with the LDAP entry
  • Under the “Security Options” fieldset on the same page, make sure that the corresponding values below are set:
    Do not store users’ passwords during sessions: Checked
    Sync LDAP password with the Drupal password: Checked
  • Under the “UI Options” fieldset on the same page, make sure that the corresponding values below are set:
    Remove password change fields from user edit form: Unchecked
    Alter email field on user edit form: Do nothing

Click “Save Configuration” if any of the above settings are changed or updated now.

Visit Administrator > Site Configuration > LDAP > Authentication > Add Server

  • Under “Server Settings”
    Name: # it can be any normal name.
    LDAP server: # eg., ec2-174-129-56-118.compute-1.amazonaws.com
    LDAP port: # eg., 2389
  • Under “Login procedure”
    Base DNs: # eg., “ou=People,dc=example,dc=net”
    Username attribute: # eg., uid
    Email attribute: # eg., mail
  • Under “Advanced configuration”
    DN for non-anonymous search: # eg., cn=Directory Manager
    Password for non-anonymous search: # eg., secret

Click “Save Configuration” if any of the above settings are changed or updated now.

Visit Administrator > Site Configuration > LDAP > Authentication > List

  • Under “Server” click Edit
  • Under “Advanced configuration” click the Test button

Visit Administrator > Site Configuration > LDAP > Data

  • Under “Synchronizing options”
    Choose Synchronize LDAP data with Drupal profiles: Every time user object loaded in Drupal (May cause high LDAP traffic).

Click “Save Configuration” if any of the above settings are changed or updated now.

  • Under “Server” click Edit.
  • Under “Drupal-LDAP fields mapping”
    Choose Drupal user profile field mapping: Read/write: Drupal user profile fields have LDAP attributes. LDAP attributes updated upon Drupal profile change.
    Specify mappings below if you selected the second or third option.
    profile_sa_firstname: # eg., givenName
    profile_sa_lastname: # eg., sn
    mail: # eg., mail
    pass: # eg., userPassword
    signature: # eg., signature
  • Under “Advanced configuration”
    Give DN for reading/editing attributes and Password for reading/editing attributes
    Click the Test button

Click “Save Configuration” if any of the above settings are changed or updated now.

Visit Administrator > Site Configuration > LDAP > Provisioning

  • Under “General settings”
    Choose Custom username: Yes
    Username template: # eg., %f.%l
  • Under Registration form, Profile Integration
    Choose “Use profile fields in the registration form”.
    Profile first name: # eg., “profile_sa_firstname”
    Profile last name: # eg., “profile_sa_lastname”
  • Under “LDAP server”
    Choose LDAP server name from the list.
  • Under LDAP authentication
    Also give Bind DN and Password details
    Click the “Test” button.

Click “Save Configuration” if any of the above settings are changed or updated now.
