I am installing Drupal on Apache 1.3.* under Windows 2000 for our intranet. I have a module installed to give me NTLM authentication to authenticate accesses to the site when they connect with Internet Explorer.

I would also like users to be automagically logged in using their NT domain credentials (domain\user). Is there a way to do this currently?

Thanks,
Mike

Comments

Kjartan’s picture

If you are able to find some example code for PHP on how to accomplish this I'm sure someone could make a quick module for it.

--
Kjartan

--
Kjartan
http://natrak.net/

Anonymous’s picture

I have used the following code to authenticate against an Exchange server.
I'm sure AD can't be much different.

$dn="cn=TestUser ,cn=Recipients,ou=xxxx,o=xxx";
$password = "654321";

if (!($ldap = ldap_connect("mail.xxx.xxx.xxx", 389))) {
die ("Could not connect to LDAP server");
}

if (!($res = @ldap_bind($ldap, $dn, $password))) {
die ("Could not bind to $dn");
}

Sadly I do not have the skills to code a module.
I wish there was a small working ldap authentication module, I don;t much care for the directory searching and whatnot, I just want people to be able to use their usual login ids and password.

moshe weitzman’s picture

if you look in the Contrib repository, under /modules/authentication/LDAP, you will find a generic LDAP authentication module. this module enables authentication against an external LDAP server, and has been tested against the Windows Active Directory (AD supports LDAP nicely). The module doesn't do NTLM; users must type in their username/password on the drupal login page (or box) and they will be authenticated by Active Directory. This shouldn't be too big a hassle, since passwords may be remembered via cookie.

The module also lets you search the LDAP Directory via a Search block, it displays and allows editing of LDAP data on the user profile pages, and generally kicks ass. Thanks to Pixelworks for donating the source for that module.

The module requires a few changes to the user module. See the README file.

FYI, Drupal runs perfectly under IIS if you prefer that to Windows Apache.

Anonymous’s picture

Hi,

I've just tried out installing the ldap.module together with the update user.module (89KB) this does not work since the drupal-powered website does no longer show a log-in screen.

Could you pleas supply me with the correct information on this ? I'm not familiar with the way a CVS is supposed to be operated so i'm kind of lost for the good code. Though i believe i've downloaded the correct files allready anyhow.

mailto:joris.lambrecht@transoceanlogistics.com

moshe weitzman’s picture

i will be releasing a user.module and an ldap_integration.module which are compatible with 4.2 release.

Anonymous’s picture

You need testers ?

Anonymous’s picture

Well, i will then. The oddest i've seen so far is the original user.module lets the Drupal scripts run fine while the newer user.module (89kb) shows blank pages, no error output found.

Anonymous’s picture

Can't get it to work.
I'm authenticating on AC.
This is the Ldap Bind DN
cn=ldapuser,cn=users,dc=net,dc=minkema,dc=nl

ldapuser is authenticated correctly. But it is the only user I get authenticated. This is the user who has authority to query.
Bu where do I put it's password?

Every other user gets the next message:
warning: LDAP: Unable to bind to server: Invalid credentials in /drupal/html/modules/ldap_integration.module on line 459.

Anonymous’s picture

Anyone has any clue on this ? I'm expecting (by guess) the RC's to be over within 3 months or so, will we have to wait that long for the ldap-module to be released ? Would be a great extra to this release i figure by now ...

Regards,

Joris

(the anonymous poster)

moshe weitzman’s picture

please send me feedback on today's commit of a new user.module and ldap_integration.module which work on drupal 4.2.

bsimser’s picture

I'm just looking at using Drupal on IIS for a departmental intranet. However, with all the userid/passwords that people have I would like to let them into the site automatically as IIS knows who they are (from their domain\user). Will one of the ldap modules listed do this automatically? I don't want to have the user even see a login screen or have to type a userid/password (even if it is their NT one). Thanks.

moshe weitzman’s picture

the current ldap_integration module does not speak NTLM. It will probably take a corporate sponsor to pay for this enhancement as it is non-trivial. i have not yet looked at this closely though. PHP examples of grabbing username/password from IIS would be very helpful.

- moshe

moshe weitzman’s picture

i just found this page which shows that the username is easily obtained from the $_SERVER array. I tested and it is indeed true. It should be straightforward to get Drupal to load the proper user account based on this variable.

The plan is ...

create a new ntlm.module with this code

** module is untested
**
** you must turn 'windows integrated authentication' for the drupal directory in IIS
** or use Apache ntlm module (really untested)
**
** you will want to disable the registration and login blocks in Drupal
**
**
** TODO:
** - strip domain name before saving the user
** - confirm that we can trust the $AUTH_USER element
** - optionally grab elements from Active Directory using LDAP during user login. this will auto populate
** fields like phone number, birthday, etc.
/*

function ntlm_init() {
  global $user 
 
  if ($user) {
    //do nothing because user is already logged in
  }
  else {
    if ($auser = $SERVER["AUTH_USER"]) {
      // user is logged into NT. try to log into Drupal. if unsuccessful, reg the user
      $user = user_load(array ("name" => $auser) );
      if (!$user) {
        if (variable_get("user_register", 1) == 1) {
          $user = user_save("", array("name" => $auser, "pass" => user_password(), "init" => $auser, "status" => 1, "rid" => _user_authenticated_id()));
          watchdog("user", "new user: $auser (NTLM)", l(t("edit user"), "admin/user/edit/$user->uid"));
        }
      }
    }
    else {
      // do nothing. user isn't logged into NT or web server has NTLM disabled
    }
  }
}

jsloan’s picture

I used a similar approach to the example you give (your example is better so I am going to use it) but I need to take it a step further... I want to be able to log in as a different user. So I need to prompt for login & password, authenticate against the ADS/LDAP, maintain my new session, and then login as the local authenticated user when I log out!

Question - does the cvs ldap_integration.module work with the 4.3.0RC? I had trouble with it and wanted to make sure it is suppose to work before digging in.

also; here is the code I use to strip the domain name from the NT user string - I hope it helps:


$NTLMuser = preg_replace("/^.+\\\\/", "", $_SERVER["AUTH_USER"]);
degerrit’s picture

I've adapted the above script to work on Apache 1.3 with mod_ntlm. It seems to work, but I haven't tested intensively.

Mozilla may need some tweaking to work: http://plone.org/documentation/how-to/singlesignonwindowsdomains . The note regarding network.automatic-ntlm-auth.trusted-uris is important.

<?php
/**
** module is slightly tested on Apache 1.3 with unofficial mod_ntlm (http://modntlm.jamiekerwick.co.uk/)
**
** you must turn 'windows integrated authentication' for the drupal directory in IIS
** or use Apache ntlm module (really untested)
**
** you will want to disable the registration and login blocks in Drupal
**
**
** TODO:
** - strip domain name before saving the user
** - confirm that we can trust the $AUTH_USER element
** - optionally grab elements from Active Directory using LDAP during user login. this will auto populate
** fields like phone number, birthday, etc.
*/

function ntlm_init() {
  global
$user;

  if (
$user->name) {
   
//do nothing because user is already logged in
 
}
  else {
    if (
$auser = $_SERVER["REMOTE_USER"]) {
     
// user is logged into NT. try to log into Drupal. if unsuccessful, reg the user
     
$user = user_load(array ("name" => $auser) );
      if (!
$user->name) {
        if (
variable_get("user_register", 1) == 1) {
         
$user = user_save("", array("name" => $auser, "pass" => user_password(), "init" => $auser, "status" => 1, "rid" => _user_authenticated_id()));
         
watchdog("user", "new user: $auser (NTLM)", l(t("edit user"), "admin/user/edit/$user->uid"));
        }
      }
    }
    else {
     
// do nothing. user isn't logged into NT or web server has NTLM disabled
   
}
  }
}
?>
degerrit’s picture

In case anyone is interested - there seems to be a module which uses Samba's winbind rather than implementing NTLM auth iteself:

http://cvs.samba.org/cgi-bin/cvsweb/mod_ntlm_winbind/

I haven't gotten it working yet, but I assume this is the way to go (based on Samba being tried-and-tested...). Last update is Aug 2004, though.