Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Hi,
Im using Apache, SSPI, LDAP and webauth. Logging in works (seamless), but for some reason, when users log in to my webserver their LDAP Data (email etc) is not retreived. While, when using LDAP only (manual login on website) it does fetch the data from the ldap server.
Why is it not retreived, and is there a way for me to still fetch it from the server (after the user has logged in for the first time)?
Comment | File | Size | Author |
---|---|---|---|
#11 | webserver_ldap.tar_.gz | 4.08 KB | kswan |
#7 | webserver_auth.module.txt | 5.26 KB | erikkramer |
#5 | iis.JPG | 129.21 KB | erikkramer |
Comments
Comment #1
Paul Natsuo Kishimoto CreditAttribution: Paul Natsuo Kishimoto commentedThis actually isn't one of the features of this module. I'm not sure how you have Drupal configured to retrieve LDAP information on a normal login, but all this module does is trust Apache authentication, and do automatic login and user creation when it exists. It doesn't automatically identify LDAP authentication or do any further processing.
However, I have had success retrieving LDAP data for users created by webserver_auth... see http://drupal.org/node/206223#comment-911611
Please mark this 'fixed' if that sort of solution solves your problem.
Comment #2
erikkramer CreditAttribution: erikkramer commentedI've installed the latest modules for ldap integration and webserver auth.
When ldap is enabled and webserver auth is disabled, I can login with a user that does exist in my win2k domain and does not yet exist in drupal. The user is created with it's corresponding emailaddress.
When I enable webserver auth and do the same thing this is what I get:
The user does login, and everything works, except his corresponding emailaddress is missing (it's blank).
Am I at the right place for this issue?
Comment #3
mecvo1984 CreditAttribution: mecvo1984 commentedErik,
I get the exact same errors as you've noted above. As you say, the user does login and everything works. I finally settled on suppressing the error reporting to the screen instead of logging to both screen and logfile. Not ideal, but these are warnings and at least the user doesn't see them now. I would be interested in the correct solution to this as well.
Regards.
Comment #4
Paul Natsuo Kishimoto CreditAttribution: Paul Natsuo Kishimoto commented@#2: Please see this #165642: error in SQL syntax in user.module on line 368 (or 378), which has just been fixed by the core developers (i.e. will be in the 6.4 release). The error messages seem to be the same, and comment #2 on that issue is from someone also running LDAP Integration + Webserver Auth.
I don't have any way to test the LDAP Integration module, so I can't theorize what's going on there. However, webserver_auth calls the
user_external_login_register()
function that was patched, it may also need updating.Comment #5
erikkramer CreditAttribution: erikkramer commentedThe latest version of the modules discussed didn't solve the problem for me.
I took some drastic measures and now have a new little problem.
I moved the drupal server from apache to IIS6.0 on another server. All worked out great, updated to D6.4.
So now the config is:
IIS60
D6.4
PHP
MySQL
I've enabled Integrated authentication in IIS (see attachment) and this works perfectly. But, eventhough "Strip Prefix" and "Strip domain" is checked in Webserver auth, it actually doesn't strip the prefix.
Any ideas?
Comment #6
erikkramer CreditAttribution: erikkramer commentedSo it doesn't strip, and on the first login I get:
PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\dblog\dblog.module on line 135 (about 5 times)
When proceeding the user is created, but with the prefix.
When disabling webserver auth and logging in manually it does work as it should.
What can I try next, to get rid of the prefix?
Comment #7
erikkramer CreditAttribution: erikkramer commentedI worked it out. Turns out, the strip prefix thing only works for creating users, not for logging in. So IIS or some plugin (like sspi for apache) should already have cut off the prefix.
Couldn't find anything like that, so I updated the webserver auth module to work for me. I'll attach it here, I'm kind of new to drupal so I don't know if and how I should post a patch.
Basically it strips off the prefix right at the start of the login procedure.
Comment #8
Paul Natsuo Kishimoto CreditAttribution: Paul Natsuo Kishimoto commentedI've never coded to IIS, so I'm not too familiar with it, but I'm trying to figure out what's going on here. I downloaded this LDAP integration module and had a look at the code—that's the one you were referring to, right?
When you say "Turns out, the strip prefix thing only works for creating users, not for logging in." that's precisely the intended behaviour. The users are logged in by matching
$_SERVER['REMOTE_USER']
with{authmap}.authname
; the strip prefix only affects the value of{users}.name
. Because{users}.name
is only used for display, it can contain absolutely anything (the user can even change it) and webserver_auth should still work.As far as I can tell from reading the code, ldap_authentication connects to the LDAP server and tries to get an LDAP distinguished name (dn) that matches
{users}.name
, as entered on the login form. Then it tries to connect to the LDAP server a second time, using that dn. If this works, the user is considered authenticated, and logged into Drupal. Perhaps some other processing for user details is done; I haven't read the code too closely;So ldap_integration and webserver_auth do different things. ldap_integration handles both authentication and login. webserver_auth only handles login; it assumes the web server has already authenticated (against LDAP or something else) the user—hence the name.
Does this seem correct, and make sense? If so, then I think maybe you are trying to do the same thing (LDAP-based login) two ways. If you can get IIS to do HTTP authentication (the user's browser shows a login prompt or dialog, e.g. https://engsci.utoronto.ca/orientation) against the LDAP server, why do you also need the Drupal login form? You could use webserver_auth only; optionally you can use the extra processing setting of webserver_auth to connect to the LDAP server and get or process any extra information (like a full name). This is exactly what I do in http://drupal.org/node/206223#comment-911611 (already linked in #1 above).
If I've misunderstood what you're trying to do, please clarify!
Comment #9
erikkramer CreditAttribution: erikkramer commentedYes I'm talking about the LDAP authentication module, and yes it seems to be redundant in my situation. I see now that I can just let the webserver do the authentication and webserver auth do the login part.
That leaves me with 2 issues.
1. When a user exists in AD and not in drupal, it is created but without email address (and I'm using the subscriptions module so I kinda need it).
2. When a user logs in he has the domain name prefix in his username (I would be WIN2K-KRAMER01\Erik) which is just ugly. I'd like to strip it off. With my "patch" it's stripped, but I have a feeling that this is not the way it should be.
I've tried to apply the patch you pointed out with both "eclipse" and "Patch for Win32" but get rejection errors (the one on http://drupal.org/node/206223#comment-911611).
Comment #10
erikkramer CreditAttribution: erikkramer commentedIn addition to issue 1 of my previous post, when I login with a user existing in AD but not yet in drupal I get the following errors:
PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\dblog\dblog.module on line 135 PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\syslog\syslog.module on line 104 PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\dblog\dblog.module on line 135 PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\syslog\syslog.module on line 104 PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\dblog\dblog.module on line 135 PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\syslog\syslog.module on line 104 PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\dblog\dblog.module on line 135 PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\Drupal\modules\syslog\syslog.module on line 104
With these corresponding log entries in the drupal report section:
Refreshing the page then shows the user is created, without emailaddress.
Drupal is configured to allow users to create an account without permission of the administrator.
Comment #11
kswan CreditAttribution: kswan commentedFrom my experience webserver_auth and ldap_integration don't work well together. I haven't nailed down exactly why, but I think it has to do with the entries in the authmap table.
I had the same problem that the original poster had and I thought that the ldap_integration module had a lot of overlap with the webserver_auth.
I made a module that is a trimmed down version of the ldap_integration module that works well with the webserver_auth module. There is a little more detail about this module in this post http://groups.drupal.org/node/14614.
Since this is a specialized case of webserver_auth, I didn't write this as a patch to webserver_auth. I am not sure if this should be a "sub-module" of webserver_auth (similar to text module of CCK) or a separate module with webserver_auth as a dependency (similar to the link_field module for CCK).
The module is attached.
Comment #12
cybertron1 CreditAttribution: cybertron1 commentedgreat module!!
do you wanna continue working on it? and perhaps add the ability to have 2 or more ad servers?
Comment #13
kswan CreditAttribution: kswan commented@cybertron1: Thank you for the comment.
This version is a good starting point, but the module needs some work. I have made additional changes that are specialized to my use case. Please feel free to do what you want with the code.
I don't have time to maintain this as a d.o project, but if someone wants to maintain it I would love to contribute.
I haven't figured out a good method to trigger profile updates. The code above uses hook_user($op == load) which seems to be fired on every page load. For my implementation I changed it to hook_user($op == view). Probably the best case would be to use a hook that is fired only when webserver_auth creates a new user plus a cron task.
Your suggestion to support multiple AD servers is good, but adds quite a bit of complexity.
Comment #14
cybertron1 CreditAttribution: cybertron1 commentedactually implementing multiple ad servers shoudl be too hard, unfortunatly I am not good enought at coding (yet) but my idea is like this:..
Create a db-table with all the values stored, add ad servers one after another, when a user logs in check in the first ad-server, if no match continue to the next and so on until it reaches the end of the table. if no match is found then create a user.
but I have been trying to make the module to create the db but don't quite gotten there yet.
if anyone in here, wanna give me a hand in implementing the above I would be very grateful....
Comment #15
kswan CreditAttribution: kswan commentedcybertron1: Take a look at the code in http://drupal.org/project/ldap_integration. That module has setup you are describing.
Comment #16
cybertron1 CreditAttribution: cybertron1 commentedthanks, will take a look
Comment #17
quindio CreditAttribution: quindio commentedIs there documentation on how to use this module?
Tnx - Nestor
Comment #18
boilermaker.jb1 CreditAttribution: boilermaker.jb1 commentedIf you are looking on documentation on how to install modules that is available here:
http://drupal.org/getting-started/install-contrib
If you are looking on how this module works you need to have some sort of authentication occurring on your web server. I personally am using mod_auth_kerb ( http://modauthkerb.sourceforge.net/ ). Once the module is installed and the webserver is authenticating users it will automatically add a drupal user for each user the web server authenticates.
Hope this helps,
boilermaker.jb1
Comment #19
gaards CreditAttribution: gaards commentedClosed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.