You are here

Home » API reference » LDAP Single Sign On 7

README.txt in LDAP Single Sign On 7

Same filename and directory in other branches
  1. 6 README.txt
  2. 7.2 README.txt
=======================================
LDAP Single Sign-On
=======================================


To use the single sign-on feature, your web server must provide an authentication
mechanism for LDAP. The only authentication mechanism used in development
was mod_auth_sspi for Apache/Windows, but so long as the web server's LDAP
authentication mechanism is configured to provide the $_SERVER variable
$_SERVER['REMOTE_USER'] or $_SERVER['REDIRECT_REMOTE_USER'] corresponding
directly to a user's LDAP user name, this should work all the same. This
will require some sort of LDAP authentication mechanism; mod_auth_sspi is
available here: http://mod-auth-sspi.sourceforge.net/, while mod_ntlm is
available here: http://modntlm.sourceforge.net/, and mod_auth_ntlm_winbind is
available here: http://samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/.
If a Linux distribution is being used, Apache authentication modules are likely
available within the distro's package manager.

Unless an administrator wishes to require that all visitors be authenticated,
NTLM and/or basic authentication should be set up only on the path
user/login/sso, which will authentify the visitor but not deny access to view
the site if the visitor is not authenticated. An administrator may wish to
require LDAP authentication to view any portion of the site; this can be
achieved by changing the location directive below to "/". An administrator may
also wish to automatically log in visitors to Drupal; this can be achieved by
checking "Turn on automated single sign-on" in the modules' configuration page.

An example of an Apache configuration for a named virtualhost configuration
using mod_auth_sspi on Windows is as follows:


httpd.conf:
_______________________________________________________________________________
_______________________________________________________________________________




# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Pass NTLM authentication to Apache
LoadModule sspi_auth_module modules/mod_auth_sspi.so

<IfModule !mod_auth_sspi.c>
  LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>



_______________________________________________________________________________
_______________________________________________________________________________




httpd-vhosts.conf:
_______________________________________________________________________________
_______________________________________________________________________________




NameVirtualHost example.com

<VirtualHost example.com>
  DocumentRoot "D:/www/example.com/htdocs"
  ServerName example.com

  <directory "D:/www/example.com/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order Allow,Deny
    Allow from all
  </directory>

  <Location /user/login/sso>
    AuthType SSPI
    AuthName "Example.com - Login using your LDAP user name and password"
    SSPIAuth On
    SSPIAuthoritative On
    ### The domain used to authenticate with LDAP; this should match the domain
    ### configured in the LDAP integration configuration within Drupal
    SSPIDomain ad.example.com
    SSPIOmitDomain On
    SSPIOfferBasic On
    Require valid-user
    #SSPIBasicPreferred On
    #SSPIofferSSPI off
  </Location>
</VirtualHost>

_______________________________________________________________________________
_______________________________________________________________________________


After enabling and configuring an LDAP authentication module within Apache,
visit user/login/sso in the Drupal installation on example.com. With or without
the ldap sso feature enabled, the browser should prompt for a user name and
password if using Internet Explorer 8 or a non-Microsoft browser. Internet
Explorer 7 by default will pass NTLM authentication credentials to local
websites, and IE8 and Firefox can be configured to do this as well.

If prompted for credentials on that path, enter a valid LDAP user name,
omitting the domain if "SSPIOmitDomain On" is configured, as well as a password.
If the credentials are correct, or if NTLM credentials are passed automatically
by the browser and successfully authenticated, a Drupal 404 "Page not found"
message will be displayed if the module is not enabled; an "access is denied"
message will be displayed if the module is enabled and the browser is already
logged in; and if the ldap_sso module is fully configured and there is no
existing session, the browser will display the message "You have been
successfully authenticated" after redirecting to the sites' home page.

File

README.txt
View source 
  1. 

  2. =======================================

  3. LDAP Single Sign-On

  4. =======================================

  5. 

  6. 

  7. To use the single sign-on feature, your web server must provide an authentication

  8. mechanism for LDAP. The only authentication mechanism used in development

  9. was mod_auth_sspi for Apache/Windows, but so long as the web server's LDAP

  10. authentication mechanism is configured to provide the $_SERVER variable

  11. $_SERVER['REMOTE_USER'] or $_SERVER['REDIRECT_REMOTE_USER'] corresponding

  12. directly to a user's LDAP user name, this should work all the same. This

  13. will require some sort of LDAP authentication mechanism; mod_auth_sspi is

  14. available here: http://mod-auth-sspi.sourceforge.net/, while mod_ntlm is

  15. available here: http://modntlm.sourceforge.net/, and mod_auth_ntlm_winbind is

  16. available here: http://samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/.

  17. If a Linux distribution is being used, Apache authentication modules are likely

  18. available within the distro's package manager.

  19. 

  20. Unless an administrator wishes to require that all visitors be authenticated,

  21. NTLM and/or basic authentication should be set up only on the path

  22. user/login/sso, which will authentify the visitor but not deny access to view

  23. the site if the visitor is not authenticated. An administrator may wish to

  24. require LDAP authentication to view any portion of the site; this can be

  25. achieved by changing the location directive below to "/". An administrator may

  26. also wish to automatically log in visitors to Drupal; this can be achieved by

  27. checking "Turn on automated single sign-on" in the modules' configuration page.

  28. 

  29. An example of an Apache configuration for a named virtualhost configuration

  30. using mod_auth_sspi on Windows is as follows:

  31. 

  32. 

  33. httpd.conf:

  34. _______________________________________________________________________________

  35. _______________________________________________________________________________

  36. 

  37. 

  38. 

  39. 

  40. # Virtual hosts

  41. Include conf/extra/httpd-vhosts.conf

  42. 

  43. # Pass NTLM authentication to Apache

  44. LoadModule sspi_auth_module modules/mod_auth_sspi.so

  45. 

  46. 

  47.   LoadModule sspi_auth_module modules/mod_auth_sspi.so

  48. 

  49. 

  50. 

  51. 

  52. _______________________________________________________________________________

  53. _______________________________________________________________________________

  54. 

  55. 

  56. 

  57. 

  58. httpd-vhosts.conf:

  59. _______________________________________________________________________________

  60. _______________________________________________________________________________

  61. 

  62. 

  63. 

  64. 

  65. NameVirtualHost example.com

  66. 

  67. 

  68.   DocumentRoot "D:/www/example.com/htdocs"

  69.   ServerName example.com

  70. 

  71.   

  72.     Options Indexes FollowSymLinks MultiViews

  73.     AllowOverride All

  74.     Order Allow,Deny

  75.     Allow from all

  76.   

  77. 

  78.   

  79.     AuthType SSPI

  80.     AuthName "Example.com - Login using your LDAP user name and password"

  81.     SSPIAuth On

  82.     SSPIAuthoritative On

  83.     ### The domain used to authenticate with LDAP; this should match the domain

  84.     ### configured in the LDAP integration configuration within Drupal

  85.     SSPIDomain ad.example.com

  86.     SSPIOmitDomain On

  87.     SSPIOfferBasic On

  88.     Require valid-user

  89.     #SSPIBasicPreferred On

  90.     #SSPIofferSSPI off

  91.   

  92. 

  93. 

  94. _______________________________________________________________________________

  95. _______________________________________________________________________________

  96. 

  97. 

  98. After enabling and configuring an LDAP authentication module within Apache,

  99. visit user/login/sso in the Drupal installation on example.com. With or without

  100. the ldap sso feature enabled, the browser should prompt for a user name and

  101. password if using Internet Explorer 8 or a non-Microsoft browser. Internet

  102. Explorer 7 by default will pass NTLM authentication credentials to local

  103. websites, and IE8 and Firefox can be configured to do this as well.

  104. 

  105. If prompted for credentials on that path, enter a valid LDAP user name,

  106. omitting the domain if "SSPIOmitDomain On" is configured, as well as a password.

  107. If the credentials are correct, or if NTLM credentials are passed automatically

  108. by the browser and successfully authenticated, a Drupal 404 "Page not found"

  109. message will be displayed if the module is not enabled; an "access is denied"

  110. message will be displayed if the module is enabled and the browser is already

  111. logged in; and if the ldap_sso module is fully configured and there is no

  112. existing session, the browser will display the message "You have been

  113. successfully authenticated" after redirecting to the sites' home page.