You are here

Home » API reference » LDAP Single Sign On 6

INSTALL.txt in LDAP Single Sign On 6 

To install this module, extract the module archive into the 
sites/all/modules directory, then activate the module. This module requires the 
LDAP integration module ( http://drupal.org/project/ldap_integration ), version
6.x-1.x-dev, published February 25, 2011 or newer.

This module also requires that your web server provides an authentication 
mechanism for LDAP. The only authentication mechanism used in development
was mod_auth_sspi for Apache/Windows, but so long as the web server's LDAP
authentication mechanism is configured to provide the $_SERVER variable
$_SERVER['REMOTE_USER'] or $_SERVER['REDIRECT_REMOTE_USER'] corresponding
directly to a user's LDAP user name, this should work all the same. This
will require some sort of LDAP authentication mechanism; mod_auth_sspi is 
available here: http://mod-auth-sspi.sourceforge.net/, while mod_ntlm is
available here: http://modntlm.sourceforge.net/, and mod_auth_ntlm_winbind is
available here: http://samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/.
If a Linux distribution is being used, Apache authentication modules are likely
available within the distro's package manager.

Unless an administrator wishes to require that all visitors be authenticated,
NTLM and/or basic authentication should be set up only on the path 
user/login/sso, which will authentify the visitor but not deny access to view
the site if the visitor is not authenticated. An administrator may wish to 
require LDAP authentication to view any portion of the site; this can be 
achieved by changing the location directive below to "/". An administrator may
also wish to automatically log in visitors to Drupal; this can be achieved by 
checking "Turn on automated single sign-on" in the modules' configuration page.

An example of an Apache configuration for a named virtualhost configuration
using mod_auth_sspi on Windows is as follows:


httpd.conf:
_______________________________________________________________________________
_______________________________________________________________________________




# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Pass NTLM authentication to Apache
LoadModule sspi_auth_module modules/mod_auth_sspi.so

<IfModule !mod_auth_sspi.c>
  LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>



_______________________________________________________________________________
_______________________________________________________________________________




httpd-vhosts.conf:
_______________________________________________________________________________
_______________________________________________________________________________




NameVirtualHost example.com

<VirtualHost example.com>
  DocumentRoot "D:/www/example.com/htdocs"
  ServerName example.com
  
  <directory "D:/www/example.com/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All 
    Order Allow,Deny
    Allow from all
  </directory>
    
  <Location /user/login/sso>
    AuthType SSPI
    AuthName "Example.com - Login using your LDAP user name and password"
    SSPIAuth On
    SSPIAuthoritative On
    ### The domain used to authenticate with LDAP; this should match the domain
    ### configured in the LDAP integration configuration within Drupal
    SSPIDomain ad.example.com
    SSPIOmitDomain On
    SSPIOfferBasic On
    Require valid-user      
    #SSPIBasicPreferred On
    #SSPIofferSSPI off          
  </Location>  
</VirtualHost>

_______________________________________________________________________________
_______________________________________________________________________________


After enabling and configuring an LDAP authentication module with Apache, 
visit user/login/sso in the Drupal installation on example.com. With or without 
the ldap sso Drupal module enabled, the browser should prompt for a user name 
and password if using Internet Explorer 8+ or a non-Microsoft browser. 
Internet Explorer 7 by default will pass NTLM authentication credentials to 
local websites, and IE8+ and Firefox can be configured to do this as well.

If prompted for credentials on that path, enter a valid LDAP user name, 
omitting the domain, as well as a password. If the credentials are correct,
or if NTLM credentials are passed automatically by the browser and successfully 
authenticated, a Drupal 404 "Page not found" message will be displayed if the
module is not enabled; an "access is denied" message will be displayed if the 
module is enabled and the browser is already logged in; and if the ldap_sso 
module is fully configured and there is no existing session, the browser will
display the message "You have been successfully authenticated" after 
redirecting to the sites' home page.

File

INSTALL.txt
View source 
  1. To install this module, extract the module archive into the 

  2. sites/all/modules directory, then activate the module. This module requires the 

  3. LDAP integration module ( http://drupal.org/project/ldap_integration ), version

  4. 6.x-1.x-dev, published February 25, 2011 or newer.

  5. 

  6. This module also requires that your web server provides an authentication 

  7. mechanism for LDAP. The only authentication mechanism used in development

  8. was mod_auth_sspi for Apache/Windows, but so long as the web server's LDAP

  9. authentication mechanism is configured to provide the $_SERVER variable

  10. $_SERVER['REMOTE_USER'] or $_SERVER['REDIRECT_REMOTE_USER'] corresponding

  11. directly to a user's LDAP user name, this should work all the same. This

  12. will require some sort of LDAP authentication mechanism; mod_auth_sspi is 

  13. available here: http://mod-auth-sspi.sourceforge.net/, while mod_ntlm is

  14. available here: http://modntlm.sourceforge.net/, and mod_auth_ntlm_winbind is

  15. available here: http://samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/.

  16. If a Linux distribution is being used, Apache authentication modules are likely

  17. available within the distro's package manager.

  18. 

  19. Unless an administrator wishes to require that all visitors be authenticated,

  20. NTLM and/or basic authentication should be set up only on the path 

  21. user/login/sso, which will authentify the visitor but not deny access to view

  22. the site if the visitor is not authenticated. An administrator may wish to 

  23. require LDAP authentication to view any portion of the site; this can be 

  24. achieved by changing the location directive below to "/". An administrator may

  25. also wish to automatically log in visitors to Drupal; this can be achieved by 

  26. checking "Turn on automated single sign-on" in the modules' configuration page.

  27. 

  28. An example of an Apache configuration for a named virtualhost configuration

  29. using mod_auth_sspi on Windows is as follows:

  30. 

  31. 

  32. httpd.conf:

  33. _______________________________________________________________________________

  34. _______________________________________________________________________________

  35. 

  36. 

  37. 

  38. 

  39. # Virtual hosts

  40. Include conf/extra/httpd-vhosts.conf

  41. 

  42. # Pass NTLM authentication to Apache

  43. LoadModule sspi_auth_module modules/mod_auth_sspi.so

  44. 

  45. 

  46.   LoadModule sspi_auth_module modules/mod_auth_sspi.so

  47. 

  48. 

  49. 

  50. 

  51. _______________________________________________________________________________

  52. _______________________________________________________________________________

  53. 

  54. 

  55. 

  56. 

  57. httpd-vhosts.conf:

  58. _______________________________________________________________________________

  59. _______________________________________________________________________________

  60. 

  61. 

  62. 

  63. 

  64. NameVirtualHost example.com

  65. 

  66. 

  67.   DocumentRoot "D:/www/example.com/htdocs"

  68.   ServerName example.com

  69.   

  70.   

  71.     Options Indexes FollowSymLinks MultiViews

  72.     AllowOverride All 

  73.     Order Allow,Deny

  74.     Allow from all

  75.   

  76.     

  77.   

  78.     AuthType SSPI

  79.     AuthName "Example.com - Login using your LDAP user name and password"

  80.     SSPIAuth On

  81.     SSPIAuthoritative On

  82.     ### The domain used to authenticate with LDAP; this should match the domain

  83.     ### configured in the LDAP integration configuration within Drupal

  84.     SSPIDomain ad.example.com

  85.     SSPIOmitDomain On

  86.     SSPIOfferBasic On

  87.     Require valid-user      

  88.     #SSPIBasicPreferred On

  89.     #SSPIofferSSPI off          

  90.     

  91. 

  92. 

  93. _______________________________________________________________________________

  94. _______________________________________________________________________________

  95. 

  96. 

  97. After enabling and configuring an LDAP authentication module with Apache, 

  98. visit user/login/sso in the Drupal installation on example.com. With or without 

  99. the ldap sso Drupal module enabled, the browser should prompt for a user name 

  100. and password if using Internet Explorer 8+ or a non-Microsoft browser. 

  101. Internet Explorer 7 by default will pass NTLM authentication credentials to 

  102. local websites, and IE8+ and Firefox can be configured to do this as well.

  103. 

  104. If prompted for credentials on that path, enter a valid LDAP user name, 

  105. omitting the domain, as well as a password. If the credentials are correct,

  106. or if NTLM credentials are passed automatically by the browser and successfully 

  107. authenticated, a Drupal 404 "Page not found" message will be displayed if the

  108. module is not enabled; an "access is denied" message will be displayed if the 

  109. module is enabled and the browser is already logged in; and if the ldap_sso 

  110. module is fully configured and there is no existing session, the browser will

  111. display the message "You have been successfully authenticated" after 

  112. redirecting to the sites' home page.

  113.