INSTALL.txt in LDAP Single Sign On 6

To install this module, extract the module archive into the 
sites/all/modules directory, then activate the module. This module requires the 
LDAP integration module ( http://drupal.org/project/ldap_integration ), version
6.x-1.x-dev, published February 25, 2011 or newer.

This module also requires that your web server provides an authentication 
mechanism for LDAP. The only authentication mechanism used in development
was mod_auth_sspi for Apache/Windows, but so long as the web server's LDAP
authentication mechanism is configured to provide the $_SERVER variable
$_SERVER['REMOTE_USER'] or $_SERVER['REDIRECT_REMOTE_USER'] corresponding
directly to a user's LDAP user name, this should work all the same.
mod_auth_sspi is
available here: http://mod-auth-sspi.sourceforge.net/, while mod_ntlm is
available here: http://modntlm.sourceforge.net/, and mod_auth_ntlm_winbind is
available here: http://samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/.
If a Linux distribution is being used, Apache authentication modules are likely
available within the distro's package manager.
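
The sketch below is an added example, not code from the ldap_sso module. It
shows one way a PHP handler could resolve the user name from the two $_SERVER
variables named above, strip a DOMAIN\ prefix (the form mod_auth_sspi passes
when SSPIOmitDomain is Off), and reject unexpected values. The function name
example_sso_remote_user, the $accepted_domains parameter and the
allowed-character pattern are assumptions.

```php
<?php
// Added example; not part of ldap_sso. Names and policy here are assumptions.

/**
 * Returns the user name the web server authenticated, or NULL if there is
 * none or it is not acceptable.
 *
 * @param array $server            Normally $_SERVER.
 * @param array $accepted_domains  Hypothetical allowlist of domain prefixes;
 *                                 empty means any prefix is stripped.
 */
function example_sso_remote_user(array $server, array $accepted_domains = array()) {
  // REMOTE_USER is set by the Apache auth module; after an internal redirect
  // (e.g. a rewrite to index.php) it can appear as REDIRECT_REMOTE_USER.
  $raw = NULL;
  foreach (array('REMOTE_USER', 'REDIRECT_REMOTE_USER') as $key) {
    if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
      $raw = $server[$key];
      break;
    }
  }
  if ($raw === NULL) {
    return NULL;
  }

  // With SSPIOmitDomain Off the value arrives as DOMAIN\user.
  $name = $raw;
  $pos = strrpos($raw, '\\');
  if ($pos !== FALSE) {
    $domain = strtolower(substr($raw, 0, $pos));
    $name = substr($raw, $pos + 1);
    if ($accepted_domains && !in_array($domain, array_map('strtolower', $accepted_domains), TRUE)) {
      return NULL;
    }
  }

  // Allow only characters that need no escaping in an LDAP search filter.
  if (!preg_match('/^[A-Za-z0-9._-]{1,64}\z/', $name)) {
    return NULL;
  }
  return $name;
}

// Constructed sample inputs.
var_dump(example_sso_remote_user(array('REMOTE_USER' => 'jsmith')));
var_dump(example_sso_remote_user(array('REDIRECT_REMOTE_USER' => 'AD\\jsmith'), array('ad')));
var_dump(example_sso_remote_user(array('REMOTE_USER' => 'jsmith*')));
var_dump(example_sso_remote_user(array()));
```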

Unless an administrator wishes to require that all visitors be authenticated,
NTLM and/or basic authentication should be set up only on the path
user/login/sso, which will authenticate the visitor but not deny access to view
the site if the visitor is not authenticated. An administrator may wish to
require LDAP authentication to view any portion of the site; this can be
achieved by changing the Location directive below to "/". An administrator may
also wish to automatically log in visitors to Drupal; this can be achieved by
checking "Turn on automated single sign-on" in the module's configuration page.

An example of an Apache configuration for a named virtualhost configuration
using mod_auth_sspi on Windows is as follows:


httpd.conf:
_______________________________________________________________________________
_______________________________________________________________________________

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Pass NTLM authentication to Apache
<IfModule !mod_auth_sspi.c>
  LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>

_______________________________________________________________________________
_______________________________________________________________________________


httpd-vhosts.conf:
_______________________________________________________________________________
_______________________________________________________________________________

NameVirtualHost example.com

<VirtualHost example.com>
  DocumentRoot "D:/www/example.com/htdocs"
  ServerName example.com
  
  <directory "D:/www/example.com/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All 
    Order Allow,Deny
    Allow from all
  </directory>
    
  <Location /user/login/sso>
    AuthType SSPI
    AuthName "Example.com - Login using your LDAP user name and password"
    SSPIAuth On
    SSPIAuthoritative On
    ### The domain used to authenticate with LDAP; this should match the domain
    ### configured in the LDAP integration configuration within Drupal
    SSPIDomain ad.example.com
    SSPIOmitDomain On
    SSPIOfferBasic On
    Require valid-user      
    #SSPIBasicPreferred On
    #SSPIofferSSPI off          
  </Location>  
</VirtualHost>

_______________________________________________________________________________
_______________________________________________________________________________


After enabling and configuring an LDAP authentication module with Apache, 
visit user/login/sso in the Drupal installation on example.com. With or without 
the ldap_sso Drupal module enabled, the browser should prompt for a user name
and password if using Internet Explorer 8+ or a non-Microsoft browser. 
Internet Explorer 7 by default will pass NTLM authentication credentials to 
local websites, and IE8+ and Firefox can be configured to do this as well.

If prompted for credentials on that path, enter a valid LDAP user name, 
omitting the domain, as well as a password. If the credentials are correct,
or if NTLM credentials are passed automatically by the browser and successfully 
authenticated, a Drupal 404 "Page not found" message will be displayed if the
module is not enabled; an "access is denied" message will be displayed if the 
module is enabled and the browser is already logged in; and if the ldap_sso 
module is fully configured and there is no existing session, the browser will
display the message "You have been successfully authenticated" after 
redirecting to the site's home page.
