What the heck is pasāda?
Pasāda is an ancient Pāli word that means "clearness; brightness; joy; faith; the faculty of senses."
पसाद
Pasāda is an ancient Pāli word that means "clearness; brightness; joy; faith; the faculty of senses."
पसाद
Integrating Drupal with Active Directory
For Drupal to be truly effective in the enterprise, it must integrate with existing enterprise authentication and identity management systems. Microsoft's Active Directory is one such system in very wide distribution. Here's a method for integrating Drupal users, roles and profiles with an existing AD environment.
Requirements
- ldap_integration module (http://www.drupal.org/project/ldap_integration)
- ADpassword.patch (http://drupal.org/files/issues/ADpassword.patch)
- AD Domain Controller
- Server certificate or AD Certificate Services to enable LDAPS
Background
Active Directory allows you to set a password only over LDAPS, so if you want to allow users to change passwords you need to install a certificate on your domain controller. The easiest way to do that is to install AD Certificate Services. After a CA is in place you will need to reboot your domain controller to start using a self-signed certificate. If you choose to use a self-signed certificate you will also need to tell your web server to trust it. You can do that by exporting the certificate from the server in base 64 format and placing it under /etc/openldap/cacerts (or at least that is where my ldap.conf file told me to put it). In ldap_integration version 6.x-1.0-beta2, ADPassword.patch is required to submit a password value in proper format.
Configuration
Configuring Authentication
Administer -> Site configuration -> LDAP -> Authentication (admin/settings/ldap/ldapauth)
- Authentication mode
- Choose authentication mode: Mixed mode.
- Choose user conflict resolve procedure: Dissallow login and log the conflict.
- Security Options
- Do not store users' passwords during sessions: Enabled
- Sync LDAP password with the Drupal password: Disabled
- LDAP UI Options
- Remove password change fields from user edit form: Disabled
- Alter email field on user edit form: Do nothing
- Add Server
- Server settings
- Name: SRVDC1
- LDAP server: ldaps://srvdc1.domain.local/
- LDAP port: 636
- Use Start-TLS: Disabled
- Store passwords in encrypted form: Disabled
- Login procedure
- Base DNs: ou=Users,ou=Drupal,dc=domain,dc=local
- UserName attribute: sAMAccountName
- Email attribute: mail
- PHP to transform login name:
- PHP to filter users based on their LDAP data:
- Advanced configuration
- DN for non-anonymous search: cn=adread,ou=Drupal,dc=domain,dc=local
- Password for non-anonymous search: password
- Server settings
Configuring Data
Administer -> Site configuration -> LDAP -> Data (admin/settings/ldap/ldapdata)
- Synchronizing options
- Synchronize LDAP data with Drupal profiles: Every time user object loaded in Drupal.
- Server - edit
- Drupal-LDAP fields mapping
- Drupal user profile field mapping: Read/write
- Drupal field mail: mail
- Drupal field pass: unicodePwd
- Drupal field signature:
- Attribute visibility & access control
- Attributes:
givenName|text|textfield|Given Name|64|64
sn|text|textfield|Sur Name|64|64
displayName|text|textfield|Display Name|64|64
physicalDeliveryOfficeName|text|textfield|Office|64|64
telephoneNumber|text|textfield|Phone|64|64
wWWHomePage|text|textfield|Web Page|64|64
title|text|textfield|Title|64|64
company|text|textfield|Company|64|64
department|text|textfield|Department|64|64
cn|text|textfield|Common Name|64|64
manager|text|textfield|Manager|64|64 - PHP to filter attributes:
- Attributes:
- Advanced configuration
- DN for reading/editing attributes: cn=adwrite,ou=Drupal,dc=domain,dc=local
- Password for reading/editing attributes: password
- Drupal-LDAP fields mapping
Configuring Groups
Administer -> Site configuration -> LDAP -> Groups (admin/settings/ldap/ldapgroups)
- Server - edit
- Group by DN
- Group by Attribute
- Group by entry
- Groups exist as LDAP entries where a multivalued attribute contains the members' CNs: Enabled
-
LDAP DNs containing groups:
cn=content group 1,ou=Drupal,dc=domain,dc=local
cn=content group 2,ou=Drupal,dc=domain,dc=local - Attribute holding group members: member
- LDAP group to Drupal role limits
- LDAP group to Drupal role filtering
Tags: