drupal ad configuration.docx

Post on 09-Mar-2016

Drupal 7 ad.unlv.EDU ldap Configuration

2013, UNLV, Darren Paulson

Configuration guide for getting Drupal 7 connected to LDAP

Table of Contents

Environment
    Intended audience
Install Server Prerequisites
    Server Prerequisites
    SSL Certificate Installation
    Update PHP LDAP Configuration
Install Drupal Modules
    Install Drupal Modules
    Enable Modules
Configure LDAP Settings
    General Settings
    Servers
    User
    Authentication
    Authorization
Testing
    Server Test
    User Test
    Authorization Test

Environment

Intended audience

This guide assumes the following:

1. You already have a functioning Drupal 7 site that allows logging in and account creation.
2. You have administrator access within Drupal.
3. You are running Ubuntu Server 10.04 and up.
4. You have OIT's permission to use the LDAP.
5. You have a service account to use for LDAP lookups.
6. You have root/sudo privileges and terminal access.

Optional:

7. You have groups set up in AD that will be tied to Drupal roles.
8. You have access to user 1 (the Drupal super admin).

Install Server Prerequisites

Before you can get the LDAP module for Drupal up and functioning, you have to have certain prerequisites already installed and set up on the server.

Server Prerequisites

Server packages required to support the Drupal LDAP module.

1. sudo apt-get install php5-ldap
2. sudo apt-get install php5-mcrypt (Optional, for encrypting stored passwords)

SSL Certificate Installation

Convert and import the required domain SSL certificates.

1. Copy the certificates onto the server (SFTP).
2. Convert DER certificates to PEM (only if the provided certificates are in DER format):
    a. sudo openssl x509 -in AD_ROOTCA_DER.cer -inform der -outform pem -out AD_ROOTCA_PEM.crt
    b. sudo openssl x509 -in AD_SUBCA_DER.cer -inform der -outform pem -out AD_SUBCA_PEM.crt
3. Copy the converted certificates to the public certificate store (/usr/share/ca-certificates).
4. Update the trusted certificate store:
    a. sudo dpkg-reconfigure ca-certificates
    b. Select either Yes (to automatically accept) or ask. Use ask if you'd like to select exactly which certificates to add to the trust store.
    c. Select the certificates (if set to ask).

Update PHP LDAP Configuration

Update the ldap.conf file to tell the LDAP client library to never require certificates. Note that TLS_REQCERT never makes the OpenLDAP client library (which PHP's LDAP extension uses) accept the server's certificate without checking it against the trust store updated in the previous section.

1. Update ldap.conf to never require certificates (this was necessary to get it to bind to our secure LDAP):
    a. sudo vi /etc/ldap/ldap.conf
    b. Add TLS_REQCERT never
    c. Save (ESC > : > x > ENTER)
2. Restart Apache (sudo /etc/init.d/apache2 restart).

Install Drupal Modules

Install Drupal Modules

Installation of the following modules is required for proper LDAP functionality:

Entity API: http://drupal.org/project/entity
LDAP: http://drupal.org/project/ldap
Devel: http://drupal.org/project/devel (Optional, for testing user functionality)

1. Log in to the Drupal site as an administrator.
2. Navigate to Modules.
3. Click Install new module.
4. Locate the tar.gz download for the module you are installing (ex: http://ftp.drupal.org/files/projects/entity-7.x-1.0.tar.gz for the Entity API module).
5. Place the URL into the Install from a URL textbox (you can also install manually if you've downloaded the module locally).
6. Click Install.
7. Repeat for each module listed above.

Enable Modules

The modules will need to be enabled, usually in a specific order because of module dependencies.

1. Enable the Entity API module first (under Other) and Save Configuration.
2. Enable Devel and Save Configuration (Optional, to test user functionality).
3. Enable LDAP Servers and Save Configuration.
4. Enable LDAP User Module and Save Configuration.
5. Enable the following and Save Configuration:
    a. LDAP Authentication
    b. LDAP Authorization
    c. LDAP Help (optional)
    d. LDAP Test (optional)
6. Enable LDAP Authorization Drupal Roles and Save Configuration.

Configure LDAP Settings

General Settings:

1. Set Encrypt Stored LDAP Passwords to Blowfish.

Servers

1. Click Add LDAP Server Configuration.
2. Give a unique name for the Machine name and Name (ex: ad.unlv.edu).
3. Select Enabled.
4. Select Active Directory for the LDAP Type.
5. Use ldaps://ad.unlv.edu as the LDAP Server.
6. Use 636 as the LDAP Port.
7. If checked, uncheck Use Start-TLS.
8. Select Service Account Bind as the Binding Method.
9. Enter the DN for the Service Account to be used.
10. Enter the account password.
11. Set up the Base DNs.
12. Enter samaccountname as the AuthName attribute.
13. Enter mail as the Email attribute.
14. Enter a testing username and DN (Optional, to test the connection).
15. Enter group as the Name of Group Object Class.
16. Select Nested groups are used in my LDAP (Optional, if you have nested groups and you want to treat them as nested).
17. Select A user LDAP attribute such as memberOf exists.
18. Enter memberof as Attribute in User Entry Containing Groups.
19. Enter memberuid as the LDAP Group Entry Attribute Holding User's DN.
20. Enter dn as the User attribute held in LDAP Group Entry Attribute Holding.
21. Enter a test DN for a test group (Optional, for testing groups).
22. Uncheck Use LDAP Pagination if checked.
23. Click Update.

User

Some settings are dependent on how you want accounts to function.

1. Select Associate manually created Drupal for How to resolve LDAP conflicts.

2. Select ad.unlv.edu (or whatever it was named above) for LDAP Servers Providing Provisioning Data.
3. Check both Create or Sync options and uncheck Provide option to create corresponding LDAP entry under Drupal Account Provisioning Events.
4. Select Associate Drupal account with LDAP entry under Existing Drupal User Account Conflict.
5. Select Account creation settings do not affect LDAP Associated Drupal Accounts under Application of Drupal Account settings.
6. Select Perform no action under Action to perform on Drupal accounts that no longer have a corresponding LDAP entry.
7. Select None under LDAP Servers to Provision LDAP Entries on.
8. Click Save.

Authentication

Some settings are based on how you want authentication to function.

1. Select Only LDAP Authentication is allowed under Allowable Authentications. NOTE: Only select this if you want to force login using AD; otherwise select Mixed mode.
2. Check ad.unlv.edu (or whatever it was named above) under the Authentication LDAP Server Configurations.

3. Set up your login interface text.
4. Set up your Allow Only Whitelist.
5. Select Deny access to users without mappings (Optional, to deny any LDAP users that have not been expressly permitted in authorization rules).
6. Set up Email.

7. Click Save.

Authorization

Some settings are based on how you want users to be mapped to roles.

1. Click add under OPERATIONS.
2. Select ad.unlv.edu under LDAP Server used in drupal role configuration.
3. Select Enable this configuration.
4. Select Only apply the following LDAP
5. Enter your DN to Drupal Role mappings.
6. Select Only grant drupal roles to match a filter above.
7. Select When a user logs on under When should drupal roles be granted.
8. Select Revoke drupal roles previously granted.
9. Select Re-grant drupal roles previously granted.
10. Uncheck Create drupal roles if they do not exist (if checked).
11. Click Add (or Save, if updating).
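To make the interaction between these Authorization options concrete, here is an added Python model of the grant/revoke decision at login. It is example code written for this guide, not the Drupal ldap module's own code; the group DNs and role names are constructed placeholders, and the deny_without_mapping flag stands for the Authentication setting "Deny access to users without mappings".

```python
from typing import Dict, Iterable, Set, Tuple


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing AD DNs: AD treats them case-insensitively
    and tolerates spaces after commas, so 'CN=X, OU=Y' must equal 'cn=x,ou=y'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def roles_on_login(
    mapping: Dict[str, str],       # group DN -> Drupal role ("DN to Drupal Role mappings")
    member_of: Iterable[str],      # the user's memberOf values as returned by AD
    current_roles: Set[str],       # roles the Drupal account holds before this login
    ldap_granted: Set[str],        # roles this mapping granted on earlier logins
    deny_without_mapping: bool = False,  # "Deny access to users without mappings"
) -> Tuple[bool, Set[str], Set[str]]:
    """Apply the mapping at login; returns (allowed, roles, ldap_granted).

    Models the options chosen above: roles are granted "When a user logs on",
    only roles listed in the mapping are ever granted, roles previously granted
    by LDAP are revoked when the user has left the group and re-granted when
    the user is in the group again. Roles assigned by hand in Drupal are never
    touched, because they are not in ldap_granted.
    """
    canon = {normalize_dn(group): role for group, role in mapping.items()}
    wanted = {canon[g] for g in map(normalize_dn, member_of) if g in canon}
    if deny_without_mapping and not wanted:
        return False, set(current_roles), set(ldap_granted)
    revoked = ldap_granted - wanted          # left a mapped group since last login
    roles = (set(current_roles) - revoked) | wanted
    return True, roles, wanted


if __name__ == "__main__":
    # Constructed sample data; the DNs are placeholders, not real groups.
    MAPPING = {
        "CN=web-editors,OU=Groups,DC=example,DC=test": "editor",
        "CN=web-admins,OU=Groups,DC=example,DC=test": "administrator",
    }
    # First login: AD returns the group DN with different case and spacing.
    ok, roles, granted = roles_on_login(
        MAPPING, ["cn=Web-Editors, ou=Groups, dc=example, dc=test"],
        {"authenticated user", "reviewer"}, set())
    print(ok, sorted(roles), sorted(granted))
    # Later login after removal from the group: only the LDAP-granted role
    # is revoked; the hand-assigned "reviewer" role stays.
    ok, roles, granted = roles_on_login(MAPPING, [], roles, granted)
    print(ok, sorted(roles), sorted(granted))
```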

Testing

Server Test

1. Navigate to the SERVERS tab.
2. Under OPERATIONS for your server, click test.
3. Make sure a test username is entered and a test DN set if testing a user.
4. Make sure a test group DN is set if testing a group.
5. Click Test.

Sample results of test:

If you get no results, there was most likely a failure to bind to the LDAP.

User Test

1. Navigate to the USER tab.
2. Click Test LDAP User Functionality for a given user.
3. Enter the username.
4. Select Test Query.
5. Click test.

Authorization Test

1. Navigate to the AUTHORIZATION tab.
2. Click Test under OPERATIONS.
3. Enter username(s).
4. Click test.

You can also see the full mapping by expanding the additional sections.