Integrating Drupal with Active Directory with LDAP Integration Module

I haven’t found a lot of tutorials online about this, so here’s how to integrate Drupal 6 with Active Directory using the LDAP Integration modules. I will show how to configure the Auth, Data, and Groups modules. It took a lot of experimentation to get this working the way I wanted, so your experience may vary.

Download / Installing

  • Download the LDAP Integration module.
  • Enable the LDAP Authentication, LDAP Data and LDAP Groups modules on the modules page.
  • Grant yourself the “administer ldap modules” permission on the permissions page. Keep this permission to trusted site administrators: whoever holds it can change the bind account and, as the Groups module shows later, supply PHP that the site executes.
The modules are now installed and ready to be pointed at the AD server.

Configuring LDAP Authentication

The LDAP Authentication module is the foundation for the rest; without it none of the other modules will work at all.
  • Go to admin/settings/ldap/ldapauth on your site
  • Click the “Add Server” tab
  • Add a unique name for this server
  • Add the domain or IP, in the format “ldap://yourdomain.com”. Plain ldap:// sends the bind account’s password and every user’s login password to the domain controller unencrypted, so use ldaps:// (or StartTLS, if your version of the module offers it) wherever the domain controllers have a certificate.
  • Add your base DNs in the field, one per line
  • Add the userName attribute. This is usually sAMAccountName for AD servers
The most important step is at the bottom of the page. By default Active Directory does not allow anonymous searches, so you need an account set up specifically for Drupal to bind with. Enter that account’s name (a full DN or a user@domain UPN both work for an AD bind) and password in the fields provided. Once you save the page, test that account to make sure it can bind. Make it a dedicated account with read-only rights: its password is stored in the Drupal database, so a compromise of the site is a compromise of that account, and it should never be a Domain Admin.
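Before trusting the server settings, it helps to see what the lookup the module performs actually looks like and why the typed login name has to be escaped. The following is an added example in Python (my own script, not code from the LDAP Integration module): it builds the sAMAccountName search filter with RFC 4515 escaping, insists that a login resolve to exactly one account, and, if the third-party ldap3 package is installed, binds with the service account and runs the lookup under each base DN. LDAP_URL, BASE_DNS, BIND_DN and BIND_PW are placeholders for the values on the server page, and the “jdoe” login is made up.

```python
"""Escape the typed login before building the AD user-lookup filter.

Added example, not code from the Drupal LDAP Integration module. It assumes the
userName attribute is sAMAccountName (as in the tutorial); LDAP_URL, BASE_DNS,
BIND_DN and BIND_PW below are placeholders for the values entered on the server
configuration page.
"""

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return `value` escaped for use as an LDAP search-filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str, username_attr: str = "sAMAccountName") -> str:
    """Filter that matches only the account whose login name was typed.

    Without escaping, a login of '*)(objectClass=*' becomes
    (sAMAccountName=*)(objectClass=*) and matches every user under the base DN.
    """
    return f"(&(objectClass=user)({username_attr}={escape_filter_value(login)}))"


def unique_dn(entry_dns) -> str:
    """The one DN a login may resolve to; refuse empty or ambiguous results."""
    dns = list(entry_dns)
    if len(dns) != 1:
        raise LookupError(f"expected exactly one account, found {len(dns)}")
    return dns[0]


def check_bind_account(ldap_url, base_dns, bind_dn, bind_pw, login):
    """Bind with the service account and look `login` up under each base DN.

    Needs the third-party `ldap3` package; it is imported here so the pure
    functions above stay importable without it.
    """
    from ldap3 import Server, Connection, ALL

    server = Server(ldap_url, use_ssl=ldap_url.startswith("ldaps://"), get_info=ALL)
    conn = Connection(server, user=bind_dn, password=bind_pw, auto_bind=True)
    found = []
    for base in base_dns:
        conn.search(base, user_filter(login), attributes=["sAMAccountName"])
        found.extend(e.entry_dn for e in conn.entries)
    return unique_dn(found)


if __name__ == "__main__":
    # Placeholder values (assumptions), not a real directory.
    LDAP_URL = "ldaps://dc1.example.edu"
    BASE_DNS = ["DC=w2k,DC=cis,DC=ksu,DC=edu"]
    BIND_DN = "CN=drupal-ldap,OU=ServiceAccounts,DC=w2k,DC=cis,DC=ksu,DC=edu"
    BIND_PW = "change-me"
    print(user_filter("jdoe"))
    print(user_filter("*)(objectClass=*"))
    print(check_bind_account(LDAP_URL, BASE_DNS, BIND_DN, BIND_PW, "jdoe"))
```

The second printed filter is the point: a login name containing `*`, `(` or `)` must end up as a literal value, not as extra filter syntax, and a lookup that returns zero or several entries should be treated as a failed login rather than taking the first hit.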

Configuring LDAP Data

The LDAP Data module can be used to pull information from your Active Directory/LDAP server into Drupal’s Profile module.
  • Go to admin/settings/ldap/ldapdata
  • Click “Edit” on the server config we set up earlier
  • Configure your mapping preference (None, Read Only, Read/Write). Read/Write lets profile edits made in Drupal be written back to the directory, which needs write rights on those attributes; stick with Read Only unless you actually need that.
From there, map each LDAP/AD attribute (for example displayName, sn, or mail) to the Drupal profile field it should populate. That is all there is to this module; it is simple and its on-page directions are straightforward.

Configuring LDAP Groups

This part was probably the most difficult, and the one I spent the most time with. I ran into problems mostly with how our department’s AD server had its tree structure laid out.
  • Go to admin/settings/ldap/ldapgroups
  • Click “Edit” on the server config we set up earlier
From here it gets a little more involved. There are three fieldsets: Group by DN, Group by attribute, and Group by entry. You can mix and match any of the three; our department uses Group by DN and Group by attribute.
For Group by attribute with AD, enter memberOf, since that is the attribute on the user’s record that lists the groups the user belongs to.
The “LDAP group to Drupal role limits” field is useful if you only have one or two AD groups that need to be brought into Drupal. If you have many groups in AD, I recommend the “LDAP group to Drupal role filtering” fieldset instead. Each line is group|role, and the group side can be either the group’s name or its full DN, so any of the following work:
  • Faculty|Faculty
  • Staff|Staff
  • CN=dudes,OU=SecurityGroups,DC=w2k,DC=cis,DC=ksu,DC=edu|dudes
  • CN=advisor_users,CN=Users,DC=w2k,DC=cis,DC=ksu,DC=edu|advisor
Then check the box that reads “Use LDAP group to Drupal roles filtering” so that only users who match one of those rules get an account created. If you just want to pull every AD account into Drupal, neither of those fields matters and you can ignore them. If you want to get really fancy, you can also supply PHP code to filter and transform AD groups into Drupal roles. Treat that field like any other place where the site runs admin-supplied code: it executes with the web server’s privileges on every LDAP login, so only people you would trust with server access should hold the “administer ldap modules” permission.
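To make the rule format concrete, here is an added example in Python (my own code, not the LDAP Groups module’s) that parses group|role lines like the ones above, works out which Drupal roles a user earns from their memberOf values, and reports whether the filtering checkbox would let them in. The module’s exact matching behaviour is not documented on this page, so the example assumes a rule matches only a whole group DN or a whole group name, compared case-insensitively the way AD does, and never a substring. The rules are the four from the list above; the memberOf values for the two users are constructed.

```python
"""Map AD group memberships to Drupal roles from group|role rule lines.

Added example, not the LDAP Groups module's code. Assumption: a rule matches a
whole group DN or a whole group name (CN), compared case-insensitively as AD does,
never a substring. The sample rules are the ones from the tutorial; the memberOf
values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str   # DN or group name as typed in the filtering fieldset
    role: str    # Drupal role to grant
    is_dn: bool  # True when the group side is a full DN


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: types and values lower-cased, whitespace trimmed."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def dn_cn(dn: str) -> str:
    """The group's name, i.e. the value of a leading CN= RDN ('' if there is none)."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return value.strip().lower() if attr.strip().lower() == "cn" else ""


def parse_rules(text: str) -> list:
    """One Rule per non-empty 'group|role' line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if "|" not in line:
            continue
        group, role = (s.strip() for s in line.rsplit("|", 1))
        rules.append(Rule(group, role, is_dn="=" in group))
    return rules


def roles_for(member_of, rules) -> set:
    """Drupal roles granted by the user's memberOf values under the given rules."""
    dns = {normalize_dn(g) for g in member_of}
    names = {dn_cn(g) for g in member_of} - {""}
    roles = set()
    for r in rules:
        if r.is_dn and normalize_dn(r.group) in dns:
            roles.add(r.role)
        elif not r.is_dn and r.group.lower() in names:
            roles.add(r.role)
    return roles


def allow_login(member_of, rules, filtering_enabled: bool):
    """(allowed, roles): with filtering on, a user matching no rule is refused."""
    roles = roles_for(member_of, rules)
    return bool(roles) or not filtering_enabled, roles


# The four rules from the tutorial, exactly as they would be typed.
RULES_TEXT = """
Faculty|Faculty
Staff|Staff
CN=dudes,OU=SecurityGroups,DC=w2k,DC=cis,DC=ksu,DC=edu|dudes
CN=advisor_users,CN=Users,DC=w2k,DC=cis,DC=ksu,DC=edu|advisor
"""

# Constructed memberOf values for two hypothetical users.
ALICE = [
    "CN=Faculty,OU=SecurityGroups,DC=w2k,DC=cis,DC=ksu,DC=edu",
    "cn=Dudes, ou=SecurityGroups, dc=w2k, dc=cis, dc=ksu, dc=edu",  # AD ignores case and spacing
]
BOB = [
    "CN=dudes2,OU=SecurityGroups,DC=w2k,DC=cis,DC=ksu,DC=edu",     # must not match 'dudes'
    "CN=Faculty Lounge,OU=Resources,DC=w2k,DC=cis,DC=ksu,DC=edu",  # must not match 'Faculty'
]

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print("alice:", allow_login(ALICE, rules, filtering_enabled=True))  # (True, {'Faculty', 'dudes'})
    print("bob:  ", allow_login(BOB, rules, filtering_enabled=True))    # (False, set())
```

The two negative cases matter more than the positive ones: a prefix or substring comparison would let the owner of a group called dudes2 or Faculty Lounge into the dudes or Faculty roles, which is exactly the kind of mistake that turns a group-to-role mapping into a privilege escalation.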
If you have any further questions about how to do any of this, please leave a comment and I will get back to you.


4 thoughts on “Integrating Drupal with Active Directory with LDAP Integration Module”

  1. Ley
    Hi,
    Please recommend and help drupal 6.22 integrate with openldap
    This is sample information:
    LDAP structure
    rootdn: o=unixlife,c=JP
      ou=Mail,o=unixlife,c=JP
        dc=unixlife.jp,ou=Mail,o=unixlife,c=JP
          uid=user1@unixlife.jp,dc=unixlife.jp,ou=Mail,...
          uid=user2@unixlife.jp,...
          uid=user3@unixlife.jp,...
        dc=examples.com,ou=Mail,o=unixlife,c=JP
          uid=user1@examples.com,dc=examples.com,ou=Mail,...
          uid=user2@examples.com,...
          uid=user3@examples.com,...
    Users

    dn: uid=user1@unixlife.jp,dc=unixlife.jp,ou=Mail,o=unixlife,c=JP
    objectClass: mailUser
    cn: sakurai
    sn: tomoya
    uid: user1@unixlife.jp
    userPassword: {MD5}kJ.HtIols6ks=
    homeDirectory: /home/vmail/unixlife.jp/user1
    mail: user1@unixlife.jp
    mailAlias: webmaster@unixlife.jp
    accountActive: TRUE
    domainName: unixlife.jp
    mailQuota: 20480
    transport: dovecot

    dn: uid=user2@unixlife.jp,dc=unixlife.jp,ou=Mail,o=unixlife,c=JP
    objectClass: mailUser
    cn: yamada
    sn: taro
    uid: user2@unixlife.jp
    userPassword: {MD5}Jrtd.LouyTrf=
    homeDirectory: /home/vmail/unixlife.jp/user2
    mail: user2@unixlife.jp
    accountActive: TRUE
    domainName: unixlife.jp
    mailQuota: 20480
    transport: dovecot

    dn: uid=user1@examples.com,dc=examples.com,ou=Mail,o=unixlife,c=JP
    objectClass: mailUser
    cn: ito
    sn: jiro
    uid: user1@examples.com
    userPassword: {MD5}JROlkJ.Sdjk=
    homeDirectory: /home/vmail/examples.com/user1
    mail: user1@examples.com
    accountActive: TRUE
    domainName: examples.jp
    mailQuota: 10240
    transport: dovecot

    Group

    dn: uid=info@unixlife.jp,dc=unixlife.jp,ou=Mail,o=unixlife,c=JP
    objectClass: mailGroup
    mail: info@unixlife.jp
    uid: info@unixlife.jp
    cn: ml-group
    sn: ml-group
    domainName: unixlife.jp
    accountActive: TRUE
    mailDrop: user1@unixlife.jp
    mailDrop: user2@unixlife.jp
    Thank you
    Ley
  2. mobcdi
    Can you provide a bit more detail how you mapped the ldap user data to drupal profiles? maybe give an example of a simple mapping you made for example mapping AD’s givenName to a drupal profile field.
    Were you able to sync all ldap records with drupal so it bulk created the users?
  3. Enrique
    A favor: I have already done everything this guide says, which by the way helped me a lot, thanks. I ran the TEST and it tells me the connection is successful. What I don’t know is what I should do next, because when I test it by restarting my PC, logging in to Windows (which logs me in to AD) and then opening my intranet built on Drupal and configured as you describe, it still asks me for a Drupal password. What do I do?
