Showing
with 1194 additions and 566 deletions
hpotter
hgranger
ssnape
rweasley
fweasley
gweasley
dmalfoy
ggoyle
adumbledore
mmcgonagall
spomana
rhagrid
goyle
snape
gryffindor
slytherin
ravenclaw
triddle
hermione
weasley
malfoy
albus
ponoma
mcgonagall
jdoe
externalauth
osixia
ldif
basedn
binddn
bindpw
groupofnames
ldapauth
authmap
puid
groupid
ldaps
ldapsearch
ldapadd
ldapmodify
authname
authmaps
samaccountname
msguid
objectsid
userpw
memb
starttls
securelogin
objectclass
memberof
groupfrom
jbarclay
accountname
allowuser
changetype
ldapi
informação
tecnologia
informa
secretaria
zażółćgęśląjaźń
givenname
userdn
guids
regrant
uiuc
edir
sdafsdfsdf
requerying
openLdap
*.patch
*.zip
Thumbs.db
Desktop.ini
.DS_Store
sonar*
.sonar
.idea
vendor/*
web/*
.ddev/*
\ No newline at end of file
################
# DrupalCI GitLabCI template
#
# Gitlab-ci.yml to replicate DrupalCI testing for Contrib
#
# With thanks to:
# * The GitLab Acceleration Initiative participants
# * DrupalSpoons
################
################
# Guidelines
#
# This template is designed to give any Contrib maintainer everything they need to test, without requiring modification. It is also designed to keep up to date with Core Development automatically through the use of include files that can be centrally maintained.
#
# However, you can modify this template if you have additional needs for your project.
################
################
# Includes
#
# Additional configuration can be provided through includes.
# One advantage of include files is that if they are updated upstream, the changes affect all pipelines using that include.
#
# Includes can be overridden by re-declaring anything provided in an include, here in gitlab-ci.yml
# https://docs.gitlab.com/ee/ci/yaml/includes.html#override-included-configuration-values
################
include:
################
# DrupalCI includes:
# As long as you include this, any future includes added by the Drupal Association will be accessible to your pipelines automatically.
# View these include files at https://git.drupalcode.org/project/gitlab_templates/
################
- project: $_GITLAB_TEMPLATES_REPO
ref: $_GITLAB_TEMPLATES_REF
file:
- '/includes/include.drupalci.main.yml'
- '/includes/include.drupalci.variables.yml'
- '/includes/include.drupalci.workflows.yml'
################
# Pipeline configuration variables
#
# These are the variables provided to the Run Pipeline form that a user may want to override.
#
# Docs at https://git.drupalcode.org/project/gitlab_templates/-/blob/1.0.x/includes/include.drupalci.variables.yml
################
variables:
_PHPUNIT_EXTRA: --verbose
OPT_IN_TEST_PREVIOUS_MAJOR: 1
OPT_IN_TEST_PREVIOUS_MINOR: 1
OPT_IN_TEST_NEXT_MINOR: 1
OPT_IN_TEST_NEXT_MAJOR: 1
OPT_IN_TEST_CURRENT: 1
# OPT_IN_TEST_MAX_PHP: 1 php8.3-ldap is not avaliable in debian bookworm.
composer (authorization dev):
extends: .composer-base
stage: build
after_script:
- composer require 'drupal/authorization:1.x-dev@dev'
phpunit (authorization dev):
extends: phpunit
rules:
- when: on_success
needs:
- "composer (authorization dev)"
composer (externalauth dev):
extends: .composer-base
stage: build
after_script:
- composer require 'drupal/externalauth:2.0.x-dev@dev'
phpunit (externalauth dev):
extends: phpunit
rules:
- when: on_success
needs:
- "composer (externalauth dev)"
phpunit:
rules:
- when: on_success
needs:
- "composer"
before_script:
- apt-get update
- apt-get install -y --no-install-recommends $PHPIZE_DEPS
- apt-get install -y libldap2-dev
- rm -rf /var/lib/apt/lists/*
- docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/
- docker-php-ext-install ldap
- docker-php-ext-enable ldap
phpunit (next minor):
extends: phpunit
rules:
- when: on_success
needs:
- "composer (next minor)"
phpunit (previous minor):
extends: phpunit
rules:
- when: on_success
needs:
- "composer (previous minor)"
phpunit (previous major):
extends: phpunit
rules:
- when: on_success
needs:
- "composer (previous major)"
###################################################################################
#
# *
# /(
# ((((,
# /(((((((
# ((((((((((*
# ,(((((((((((((((
# ,(((((((((((((((((((
# ((((((((((((((((((((((((*
# *(((((((((((((((((((((((((((((
# ((((((((((((((((((((((((((((((((((*
# *(((((((((((((((((( .((((((((((((((((((
# ((((((((((((((((((. /(((((((((((((((((*
# /((((((((((((((((( .(((((((((((((((((,
# ,(((((((((((((((((( ((((((((((((((((((
# .(((((((((((((((((((( .(((((((((((((((((
# ((((((((((((((((((((((( ((((((((((((((((/
# (((((((((((((((((((((((((((/ ,(((((((((((((((*
# .((((((((((((((/ /(((((((((((((. ,(((((((((((((((
# *(((((((((((((( ,(((((((((((((/ *((((((((((((((.
# ((((((((((((((, /(((((((((((((. ((((((((((((((,
# (((((((((((((/ ,(((((((((((((* ,(((((((((((((,
# *((((((((((((( .((((((((((((((( ,(((((((((((((
# ((((((((((((/ /((((((((((((((((((. ,((((((((((((/
# ((((((((((((( *(((((((((((((((((((((((* *((((((((((((
# ((((((((((((( ,(((((((((((((..((((((((((((( *((((((((((((
# ((((((((((((, /((((((((((((* /((((((((((((/ ((((((((((((
# ((((((((((((( /((((((((((((/ (((((((((((((* ((((((((((((
# (((((((((((((/ /(((((((((((( ,((((((((((((, *((((((((((((
# (((((((((((((( *(((((((((((/ *((((((((((((. ((((((((((((/
# *((((((((((((((((((((((((((, /(((((((((((((((((((((((((
# ((((((((((((((((((((((((( ((((((((((((((((((((((((,
# .(((((((((((((((((((((((/ ,(((((((((((((((((((((((
# ((((((((((((((((((((((/ ,(((((((((((((((((((((/
# *((((((((((((((((((((( (((((((((((((((((((((,
# ,(((((((((((((((((((((, ((((((((((((((((((((/
# ,(((((((((((((((((((((* /((((((((((((((((((((
# ((((((((((((((((((((((, ,/((((((((((((((((((((,
# ,(((((((((((((((((((((((((((((((((((((((((((((((((((
# .(((((((((((((((((((((((((((((((((((((((((((((
# .((((((((((((((((((((((((((((((((((((,.
# .,(((((((((((((((((((((((((.
#
###################################################################################
services:
php:
# Specify the version of Drupal you wish to use for Tugboat below.
image: q0rban/tugboat-drupal:10
default: true
http: false
depends: mysql
commands:
init:
apt-get update &&
apt-get install libldap2-dev -y &&
docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu &&
docker-php-ext-install ldap
update: |
set -eux
# apachectl -t
# service apache2 restart --verbose
# systemctl status apache2.service
# Check out a branch using the unique Tugboat ID for this repository, to
# ensure we don't clobber an existing branch.
git checkout -b $TUGBOAT_REPO_ID
# Composer is hungry. You need a Tugboat project with a pretty sizeable
# chunk of memory.
export COMPOSER_MEMORY_LIMIT=-1
# This is an environment variable we added in the Dockerfile that
# provides the path to Drupal composer root (not the web root).
cd $DRUPAL_COMPOSER_ROOT
# We configure the Drupal project to use the checkout of the module as a
# Composer package repository.
composer config repositories.tugboat vcs $TUGBOAT_ROOT
# Now we can require this module, specifing the branch name we created
# above that uses the $TUGBOAT_REPO_ID environment variable.
composer require drupal/ldap:dev-$TUGBOAT_REPO_ID
# Install Drupal on the site.
vendor/bin/drush \
--yes \
--db-url=mysql://tugboat:tugboat@mysql:3306/tugboat \
--site-name="Live preview for ${TUGBOAT_PREVIEW_NAME}" \
--account-pass=admin \
site:install standard
# Set up the files directory permissions.
mkdir -p $DRUPAL_DOCROOT/sites/default/files
chgrp -R www-data $DRUPAL_DOCROOT/sites/default/files
chmod 2775 $DRUPAL_DOCROOT/sites/default/files
chmod -R g+w $DRUPAL_DOCROOT/sites/default/files
# Enable the module.
vendor/bin/drush --yes pm:enable ldap_servers ldap_authentication ldap_user ldap_query
build: |
set -eux
# Delete and re-check out this branch in case this is built from a Base Preview.
git branch -D $TUGBOAT_REPO_ID && git checkout -b $TUGBOAT_REPO_ID || true
export COMPOSER_MEMORY_LIMIT=-1
cd $DRUPAL_COMPOSER_ROOT
composer install --optimize-autoloader
# Update this module, including all dependencies.
composer update drupal/ldap --with-all-dependencies
vendor/bin/drush --yes updb
vendor/bin/drush cache:rebuild
vendor/bin/drush config-set system.theme default claro
vendor/bin/drush role:perm:add anonymous 'administer ldap,access administration pages'
vendor/bin/drush config:set system.site page.front /admin/config/people/ldap/server
mysql:
image: tugboatqa/mariadb
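Review bot: `vendor/bin/drush role:perm:add anonymous 'administer ldap,access administration pages'` in the `build` step lets unauthenticated visitors of the preview open the LDAP server configuration forms, which hold the bind DN and bind password, and the next line then makes that form the front page. If previews are reachable from outside, an authenticated reviewer role would limit who can read and change that configuration; at minimum the reason belongs in a comment above the line, e.g. `# Preview only: the directory is the local example container and the preview is disposable.`. Separately, `set -eux` echoes every expanded command, so `--account-pass=admin` and the `--db-url` credentials end up in the build log; `set -eu` with `set -x` only around the composer steps avoids that. The `init` value appears to be a multi-line plain scalar that YAML folds into a single command line, which only works because of the trailing `&&`; `init: |` would make the intent explicit.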
# Connecting Drupal to a directory service via LDAP
## Prerequisites
To set up LDAP efficiently, you need to acquire the relevant information for the
domain you are authenticating against.
Contact your organization's staff to receive the necessary information. This
should include:
* The servers available to you (hostname, port, encryption preference)
* The binding method (service account including credentials, if necessary)
* If applicable, the structure of the data you are trying to sync, e.g.
sAMAccountName is the unique name attribute for your Active Directory.
### Requirements
The following requirements need to be met for you to work with any of the LDAP
modules.
* PHP version 7.1
* PHP LDAP extension.
* Drupal Core >=8.8.0.
For SSO please see ldap_sso/README.md.
## Installation
### Enabling communication
Enable the relevant modules and add your environment under the relevant tabs.
See README.md for an overview of the modules to figure out which you will need.
You should see "Server available" in the list of servers, if the base
configuration is correct. If not, you likely have misconfigured binding
settings, incorrect ports or certificate issues. Please note that the Linux LDAP
libraries do not work well with self-signed certificates, avoid them wherever
possible.
### Logging in via LDAP
You should review all tabs (Settings, Authentication, Users) to determine the
correct configuration for your use-case and configure them as needed. We
recommend that you configure authorization profiles after you have successfully
authenticated users.
If you are able to connect to the server but logging in fails, please see the
general instructions under Debugging for recommended steps.
## Debugging
We recommend you follow these steps to solve your issue:
1. Review the recent log messages for errors.
1. Enable detailed watchdog logging under LDAP settings to receive additional
debugging information.
1. Isolate a test-case that ideally is proven to work with at least one other
LDAP consumer other than your Drupal site.
1. If all else fails consider
[filing a support request](https://www.drupal.org/node/add/project-issue/ldap).
Please note that you will need to provide detailed information on your
environment and usage scenario. The more complex this is the less likely it is
that the maintainers will be able to recreate your conditions.
## Tip: Exclude the service account credentials from your configuration
If you want to avoid adding your service account credentials to the database and
thus it being also synced with configuration export, you have the option of
entering a dummy password and providing the real password as a configuration
override via settings.php, e.g.:
```
$config['ldap_servers.server.YOUR_SERVER']['bindpw'] = 'actual-password';
```
Furthermore, you have the option of adding this password to a file outside the
webroot and only including that file.
==================================================================================
LDAP Installation instructions:
==================================================================================
Note: This does not automatically upgrade for Drupal 6 LDAP Integration Modules.
This functionality may be developed. Some notes are below.
1) Download the whole package of files from
http://drupal.org/project/ldap
2) Upload the LDAP files to the modules directory.
3) Go to admin/build/modules and enable the needed modules from the
Lightweight Directory Access Protocal group.
4) Enable and configure ldap servers and configure at least one server.
5) Enable and configure ldap authentication and/or ldap authorization
6) LDAP Help is just for debugging and administrator help. Use it if you have problems.
Disable it in production; it adds no functionality or end user help.
==================================================================================
Older PHP versions
==================================================================================
These modules will NOT work If you are using PHP 4 or any other version less
than 5.1.
==================================================================================
More documentation is available at:
http://drupal.org/project/ldap -- project homepage
http://drupal.org/node/997082 - project documentation
==================================================================================
Crossgrading:
Drupal 6 ldapauth -> ldap_authentication
- get rid of authmap records associated with ldapauth with the following sql:
DELETE FROM authmap WHERE module = 'ldapauth'
# Overview of the LDAP suite
The LDAP suite of modules is modular to allow you to pick and choose the
elements your use-case requires. The current structure is not necessarily ideal
but rather keeps with the existing framework to avoid additional migration work.
The architecture in Drupal 8 differs significantly from Drupal 7 and will need
to evolve further to become better testable. The currently present (non-working)
integration tests relied on a highly complex configuration and setup based on
SimpleTest. The goal of the current branch is to improve test coverage wherever
possible through unit tests and this testing architecture is being phased out
step by step.
## Setting up a development environment
To quickly get up and running without using a production system to query against
you can make use of Docker.
An example configuration is provided in the docs directory based on the Harry
Potter schools. That script - based on a script by
[Laudanum](https://github.com/Laudanum) - populates a Docker instance with users
and groups. A matching server template for LDAP is provided as well.
Note that in group configuration you could use businessCategory to derive user
groups from attributes but this is disabled so that group DNs are queried.
Working with LDAP and the various elements of OpenLDAP, such as slapd, are
not easy to work with. See also some examples on the
[track hacks](http://trac-hacks.org/wiki/LdapPluginTests) page.
## Testing LDAP behavior
Since problems often occur with the interpretation of a directory server's
output it's important that we test against expected results and not just
test our functions in isolation.
Whenever you are trying to debug a complex dance between the Drupal integration
modules and a directory, consider mocking the LDAP connector with the Fake
classes provided by ldap_servers. For example:
\Drupal\Tests\ldap_authentication\LoginTest
## Case-handling
LDAP is a case-aware but not case-sensitive protocol, which means that what
we get back in Symfony\Component\Ldap\Entry objects, or LDAP data in general,
may contain differences in case. For example the property "memberOf".
We need to keep the following in mind when making changes to these modules:
* Comparisons against LDAP data must ignore case. Examples:
* A query for ldap authorization specified as "memberof=..." in
the configuration must also catch data returned as "memberOf=...".
* Token processing on records returned by LDAP must do the same.
* Data sent to LDAP can ignore case-formatting (we do not need to normalize it).
Note that attributes returned from LDAP via the LdapBaseManager are lowercased
through `::sanitizeUserDataResponse` so we need to
`get('businesscategory')` not `get('businessCategory')`.
## Manual retesting
When changing behavior of this module it's not always easy to anticipate the
impact due to the multiple possible configurations and setups. The tests
are often only able to look at functionality in isolation, not the interaction
of different (mis-)configurations. When in doubt, try to manually retest the
core cases, such as:
- User login with existing user (user already synced from LDAP)
- User creation upon login (user present in LDAP)
- Denial of registration in exclusive mode when user does not in LDAP
- Drupal user sync data from LDAP upon login
- Drupal user sync data from LDAP upon Drupal user save
- LDAP user creation on user registration
- LDAP user update on Drupal user update
- Combined configuration of sync from LDAP when used in conjunction with
sync to LDAP.
## Misc
### User binding
If you want to bind with user credentials, you only need to modify the
grants.ldif to allow for it. Here is an example which simply allows anyone:
```
11,12c11,13
< by dn="cn=admin,dc=hogwarts,dc=edu" write
< by * read
\ No newline at end of file
---
> by anonymous auth
> by dn="cn=admin,dc=hogwarts,dc=edu" write
> by * read
```
--------------------------------------------------------
Case Sensitivity and Character Escaping in LDAP Modules
--------------------------------------------------------
The function ldap_server_massage_text() should be used for dealing with case sensitivity
and character escaping consistently.
The general rule is codified in ldap_server_massage_text() which is:
- escape filter values and attribute values when querying ldap
- use unescaped, lower case attribute names when storing attribute names in arrays (as keys or values), databases, or object properties.
- use unescaped, mixed case attribute values when storing attribute values in arrays (as keys or values), databases, or object properties.
So a filter might be built as follows:
$username = ldap_server_massage_text($username, 'attr_value', LDAP_SERVER_MASSAGE_QUERY_LDAP)
$objectclass = ldap_server_massage_text($objectclass, 'attr_value', LDAP_SERVER_MASSAGE_QUERY_LDAP)
$filter = "(&(cn=$username)(objectClass=$objectclass))";
The following functions are also available:
ldap_pear_escape_dn_value()
ldap_pear_unescape_dn_value()
ldap_pear_unescape_filter_value()
ldap_pear_unescape_filter_value()
--------------------------------------------------------
common variables used in ldap_* and their structures
--------------------------------------------------------
!Structure of $ldap_user and $ldap_entry are different!
-----------
$ldap_user
-----------
@see LdapServer::userUserNameToExistingLdapEntry() return
-----------
$ldap_entry and $ldap_*_entry.
-----------
@see LdapServer::ldap_search() return array
-----------
$ldap_entries and $ldap_*_entries
-----------
multiple ldap entries result array as returned by ldap_search()
--------------
$user_attr_key
key of form <attr_type>.<attr_name>[:<instance>] such as field.lname, property.mail, field.aliases:2
--------------
======================
configuration objects
======================
$ldap_user_conf
$ldap_user_conf_admin
$ldap_server [should be renamed to ldap_server_conf and ldap_server_conf_admin]
$ldap_servers [should be renamed to ldap_servers_conf and ldap_servers_conf_admin]
==========================================
Structure of "*_attribute_maps" variables
==========================================
Purpose: track which attributes (and their datatype) are needed for provisioning.
These may be ldap entry or drupal user attributes mappings. Array is keyed on "source" attribute.
structure of "*_attribute_map" variables:
$attributes[<attribute_name>]['values'][<ordinal>] = $value | NULL if not populated;
$attributes[<attribute_name>]['source_data_type'] = NULL|ldap_dn|string|binary|ldap_attr_name|ldap_attr_value| ...NULL when data type is not known.
$attributes[<attribute_name>]['target_data_type'] = NULL|ldap_dn|string|binary|ldap_attr_name|ldap_attr_value| ...NULL when data type is not known.
$attributes[<attribute_name>]['values'][0] = NULL when value needed, but not known. 0th value in array always exists
$attributes['dn'] = array(
'source_data_type' => 'ldap_dn',
'target_data_type' => 'ldap_dn',
'values' => array(0 => NULL),
);
$attributes['objectclass'] = array(
'source_data_type' => NULL,
'target_data_type' => NULL,
'values' => array(
0 => NULL,
1 => NULL,
2 => NULL,
3 => NULL,
)
);
// in this case 'top', 'person', 'organizationalPerson', 'user'),
$attributes['mail'] = array(
'source_data_type' => NULL,
'target_data_type' => NULL,
'values' => array(0 => NULL),
);
Functions using "*_attribute_maps" variables:
- ldap_servers_token_extract_attributes(): $attribute_maps
- hook_ldap_attributes_needed_alter(): $attribute_maps
- LdapUserConf->getLdapUserRequiredAttributes(): $attributes_map
- $ldap_attr_in_token in ldapUserConfAdmin:validate(): $ldap_attribute_maps_in_token
- LdapServer->userUserNameToExistingLdapEntry: $attribute_maps
- LdapServer->search: $attribute_maps
Please see INSTALL.md for specific information on setting up the Drupal LDAP
suite.
For more information review the following resources:
* [Project page](https://www.drupal.org/project/ldap)
## Module overview
| Module | Description |
| ------ | ----------- |
| ldap_authentication | This module provides a overall authentication functionality closely tied to ldap_user and ties in with several other modules, such as ldap_sso. |
| ldap_authorization | The module to grant roles to users based on directory criteria, relies on the externalauth module. |
| ldap_query | A module to allow you to execute custom queries, which can be display in Views or used in custom solutions. |
| ldap_servers | The base module for communicating with a directory. |
| ldap_user | A base module with low-level user functionality as well as mechanisms to sync user data. |
A common scenario for logging in users via LDAP, assigning groups to them and
syncing user fields thus consists of ldap_authentication, ldap_authorization,
ldap_servers, ldap_user.
## Additional information
If you are not yet familiar with how LDAP operates or how directory services
work in general, the following links can be helpful resources.
However, we recommend in any case that you contact your organization's directory
maintainer, since their help can often save you a significant amount of time in
debugging.
## Extending this module and custom development
If your use-case isn't quite covered by this module, you might require some
custom development. Most of these customizations should be able to be done by
hooks, see for example ldap_user.api.php or ldap_servers.api.php for ways
to integrate with provisioning users, or adjusting mappings on more complex
data structures.
If your site uses a custom login form, the LDAP module will likely always return
that credentials are incorrect, have a look at ldap_user.module for what you
need or help us in making that integration independent of the specific form.
## General LDAP resources
* Documentation from the PHP project on its
[LDAP implementation](https://secure.php.net/manual/en/book.ldap.php)
* Microsoft's Active Directory
[documentation overview](http://msdn.microsoft.com/en-us/library/aa705886(VS.85).aspx)
* Moodle's
[LDAP module documentation](http://docs.moodle.org/20/en/LDAP_authentication) is
detailed and provides insight into LDAP in a PHP environment.
* [Apache Directory Studio](http://directory.apache.org/studio/)
LDAP Browser and Directory Client.
* [Novell Edirectory](http://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.html)
### Example documentations from public universities
* [Northwestern University](http://www.it.northwestern.edu/bin/docs/CentralAuthenticationServicesThroughLDAP.pdf)
* [University of Washington](https://itconnect.uw.edu/wares/msinf/authn/ldap/)
* [UIOWA](https://wiki.uiowa.edu/display/ICTSit/Drupal+LDAP+Integration+Against+Active+Directory)
LDAP_* Module Breakdown (Long Term Direction after 7.x-2.x)
LDAP API
--------
- general function
============
LDAP Servers
============
- General LDAP preferences
-- https
-- encyption
-- detailed logging
-- ldap server connection and binding information
---- LdapServer::status
---- LdapServer::ldap_type
---- LdapServer::address
---- LdapServer::port
---- LdapServer::tls
---- LdapServer::bind_method
---- LdapServer::basedn
---- LdapServer::binddn
---- LdapServer::bindpw
-- pagination
---- LdapServer::paginationEnabled
---- LdapServer::searchPagination
---- LdapServer::searchPageSize
---- LdapServer::searchPageStart
---- LdapServer::searchPageEnd
-- relationship between ldap user and drupal user (could belong in ldap_user)
---- LdapServer::userUsernameToLdapNameTransform()
---- LdapServer::userUserNameToExistingLdapEntry()
---- LdapServer::userUsernameFromLdapEntry()
---- LdapServer::userUsernameFromDn()
---- LdapServer::userEmailFromLdapEntry()
---- LdapServer::userPuidFromLdapEntry()
---- LdapServer::user_dn_expression
---- LdapServer::user_attr
---- LdapServer::account_name_attr
---- LdapServer::mail_attr
---- LdapServer::mail_template
---- LdapServer::unique_persistent_attr
---- LdapServer::unique_persistent_attr_binary
---- LdapServer::ldapToDrupalUserPhp
---- LdapServer::testingDrupalUsername
-- relationship between ldap groups and drupal role (could belong in ldap_groups)
---- LdapServer::groupUserMembershipsFromUserAttr()
---- LdapServer::groupUserMembershipsFromUserAttrResursive()
---- LdapServer::deriveFromEntryGroups()
---- LdapServer::groupsByEntryIsMember()
---- LdapServer::groupObjectClass
- LDAP Types
-- objects containing common defaults Active Directory, OpenLdap, etc.
- LDAP Utility Functions
-- search()
-- modifyLdapEntry()
-- createLdapEntry()
-- delete()
-- countEntries()
-- dnExists()
-- connectAndBindIfNotAlready()
-- bind()
-- connect()
-- pagedLdapQuery()
-- ldapQuery()
============
Object Related Modules
- provisioning between drupal object and ldap entry
- configuration related to said provisioning
- configuration
============
LDAP Groups Integration (ldap_groups)
LDAP User Integration (ldap_user)
LDAP OG Integration (ldap_op)
============
Function Related Modules
============
LDAP Authorization
LDAP Authorization Drupal Roles
LDAP Authorization OG Groups
LDAP Authentication
============
Module Integation Modules
============
LDAP Views
LDAP Feeds
need to change basedn in server definition to say base dn for users and group queries; or create a separate one.
- create fields in $user for all data previously in $user->data
- add to installs and uninstalls
- add test to make sure fields are added on install
- change queries using $user->data
- add puid set of fields
- finish puid work and add tests
-- check on logon for puid when username changes
---- change username, keep existing user account
resolve uninstall, disable issues created by field dependencies, locked fields
-- perhaps separate ldap_user_fields module to provide fields and allow other ldap modules to be disabled and uninstalled.
-- uninstalling that module will delete all the fields. disabling it will do nothing.
-- uninstalling ldap_user or ldap_authorization will
-- OR PERHAPS admin checkbox for deleting and running cron for ldap_user and ldap_authorization disable and unistall, with custom message
{
"name": "drupal/ldap",
"description": "Lightweight Directory Access Protocol (LDAP)",
"type": "drupal-module",
"license": "GPL-2.0-or-later",
"minimum-stability": "dev",
"require": {
"symfony/ldap": "^5.4 || ^6.0",
"drupal/authorization": "^1.0",
"drupal/externalauth": "^2.0"
},
"provide": {
"ext-ldap": "*"
},
"repositories": {
"drupal": {
"type": "composer",
"url": "https://packages.drupal.org/8"
}
}
}
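Review bot: `"provide": {"ext-ldap": "*"}` declares that this package itself satisfies the `ext-ldap` platform requirement, so Composer will install the module (and `symfony/ldap`, which needs the extension) on a PHP without the LDAP extension, and the gap only surfaces at runtime. If the goal is to let environments without the extension install the package, `"require": {"ext-ldap": "*"}` keeps the check for everyone else while such environments can opt out with `config.platform` or `--ignore-platform-req=ext-ldap`. JSON has no comment syntax, so the reason for the current choice belongs in README/INSTALL next to the PHP LDAP extension requirement.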
#!/bin/bash
LDAP_DOMAIN=hogwarts.edu
LDAP_DN=dc=hogwarts,dc=edu
LDIF_FILE=hogwarts.people.ldif
SLAPD=slapd
DOCKER_PORT=9389
DOCKER_NAME=hogwarts_ldap
DOCKER_IP=127.0.0.1
read -p "Bind method ([service_account], user, anon_user): " METHOD
METHOD=${METHOD:-service_account}
echo "Stopping all LDAP docker instances"
array=( service_account user anon_user )
for i in "${array[@]}"
do
CID_SERVICE=`docker ps --filter "name=${DOCKER_NAME}.${i}" --format "{{.ID}}"`
if [ $CID_SERVICE ]
then
docker stop $CID_SERVICE
fi
done
LDAP_CID=`docker ps -a --filter "name=${DOCKER_NAME}.${METHOD}" --format "{{.ID}}"`
if [ $LDAP_CID ]
then
echo "Removing existing $DOCKER_NAME with $METHOD"
docker rm $LDAP_CID
fi
echo "Starting $DOCKER_NAME with $METHOD"
LDAP_CID=$(docker run -e LDAP_TLS=false -e LDAP_DOMAIN="$LDAP_DOMAIN" -p $DOCKER_PORT:389 --name="${DOCKER_NAME}.${METHOD}" -d osixia/openldap)
if [ -z "$LDAP_CID" ]
then
echo "No LDAP CID. Exiting."
exit
fi
docker cp $LDIF_FILE $LDAP_CID:/$LDIF_FILE
docker cp grants.${METHOD}.ldif $LDAP_CID:/grants.ldif
sleep 3
echo "Importing user and group structure"
# The admin user is provided by the docker container.
ldapadd -h $DOCKER_IP -p $DOCKER_PORT -x -D "cn=admin,$LDAP_DN" -w admin -f $LDIF_FILE
echo "Adding permissions for chosen binding method"
docker exec -it $LDAP_CID ldapmodify -Y EXTERNAL -H ldapi:/// -f /grants.ldif
echo "==================="
echo "Querying directory:"
echo "==================="
if [ "$METHOD" == "service_account" ]
then
echo "Searching LDAP (service account credentials)"
ldapsearch -x -h $DOCKER_IP -p $DOCKER_PORT -b $LDAP_DN -D "cn=admin,$LDAP_DN" -w admin "(cn=hgranger)" dn
elif [ "$METHOD" == "user" ]
then
echo "Searching LDAP (user credentials)"
ldapsearch -x -h $DOCKER_IP -p $DOCKER_PORT -b $LDAP_DN -D "cn=hpotter,ou=people,$LDAP_DN" -w pass "(cn=hgranger)" dn
elif [ "$METHOD" == "anon_user" ]
then
echo "Searching LDAP (user credentials)"
ldapsearch -x -h $DOCKER_IP -p $DOCKER_PORT -b $LDAP_DN "(cn=hgranger)" dn
fi
\ No newline at end of file
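Review bot: The bare `exit` after `No LDAP CID. Exiting.` returns status 0, so a caller or CI wrapper cannot tell that the container never started; `exit 1` is the intended signal. The `ldapadd` and `ldapsearch` calls use `-h`/`-p`, which the OpenLDAP client tools have deprecated in favour of a URI, `-H ldap://$DOCKER_IP:$DOCKER_PORT`; the fixed `sleep 3` before the import is also a race on slower hosts, and an unchecked `ldapadd` failure then leaves an empty directory that the later search reports as a lookup miss rather than as an import error. The `anon_user` branch echoes `Searching LDAP (user credentials)`; `Searching LDAP (anonymous bind)` describes what that branch does. The file also lacks a trailing newline.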
langcode: en
status: true
dependencies: { }
id: ldap_roles
label: 'LDAP Roles'
provider: ldap_provider
provider_config:
status:
server: hogwarts
only_ldap_authenticated: 1
filter_and_mappings:
use_first_attr_as_groupid: 0
provider_mappings:
-
query: 'cn=users,ou=groups,dc=hogwarts,dc=edu'
is_regex: 0
-
query: 'cn=gryffindor,ou=groups,dc=example,dc=org'
is_regex: 0
-
query: ''
is_regex: 0
-
query: ''
is_regex: 0
-
query: ''
is_regex: 0
consumer: authorization_drupal_roles
consumer_config: { }
consumer_mappings:
-
role: student
-
role: wizard
-
role: none
-
role: none
-
role: none
synchronization_modes:
user_logon: user_logon
synchronization_actions:
revoke_provider_provisioned: revoke_provider_provisioned
regrant_provider_provisioned: regrant_provider_provisioned
create_consumers: 0
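Review bot: The second provider mapping, `query: 'cn=gryffindor,ou=groups,dc=example,dc=org'`, uses the suffix `dc=example,dc=org` while the first mapping and every other DN in this change use `dc=hogwarts,dc=edu`, so the `wizard` role it appears to pair with positionally would never be granted against the fixture directory; if Hogwarts is intended it should read `query: 'cn=gryffindor,ou=groups,dc=hogwarts,dc=edu'`. The three `query: ''` / `role: none` pairs look like empty form rows that the export kept; if the consumer tolerates their absence, dropping them makes the profile easier to audit, otherwise a short comment that they are intentional padding would help the next reader. `only_ldap_authenticated: 1`, `use_first_attr_as_groupid: 0` and `is_regex: 0` are integers where the rest of the export writes `true`/`false`; if the schema accepts booleans, writing them as such is clearer.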
sids:
hogwarts: hogwarts
authenticationMode: 1
loginUIUsernameTxt: 'Username LDAP notice text'
loginUIPasswordTxt: 'Password LDAP notice text'
ldapUserHelpLinkUrl: 'http://www.example.com/'
ldapUserHelpLinkText: 'LDAP help link description text'
emailOption: 3
emailUpdate: 1
passwordOption: 2
allowOnlyIfTextInDn: { }
excludeIfTextInDn: { }
excludeIfNoAuthorizations: 0
emailTemplateHandling: if_empty
emailTemplate: '@username@example.com'
emailTemplateUsageResolveConflict: true
emailTemplateUsageNeverUpdate: true
emailTemplateUsagePromptUser: true
emailTemplateUsageRedirectOnLogin: false
emailTemplateUsagePromptRegex: '.*@hogwarts\.edu'
langcode: en
status: true
dependencies: { }
id: example_query
label: 'Example query'
server_id: hogwarts
base_dn: 'ou=people,dc=hogwarts,dc=edu'
filter: (objectClass=person)
attributes: ''
size_limit: 0
time_limit: 0
dereference: 0
scope: 3
langcode: en
status: true
dependencies: { }
id: hogwarts
label: 'Hogwarts Example'
type: openldap
address: localhost
port: 9389
timeout: 30
tls: false
weight: null
bind_method: service_account
binddn: 'cn=admin,dc=hogwarts,dc=edu'
bindpw: admin
basedn: "ou=people,dc=hogwarts,dc=edu\r\nou=groups,dc=hogwarts,dc=edu"
user_attr: cn
account_name_attr: ''
mail_attr: mail
mail_template: ''
picture_attr: jpegPhoto
unique_persistent_attr: uid
unique_persistent_attr_binary: false
user_dn_expression: ''
testing_drupal_username: hpotter
testing_drupal_user_dn: 'cn=hpotter,ou=people,dc=hogwarts,dc=edu'
grp_unused: false
grp_object_cat: groupofnames
grp_nested: true
grp_user_memb_attr_exists: false
grp_user_memb_attr: ''
grp_memb_attr: member
grp_memb_attr_match_user_attr: dn
grp_derive_from_dn: '0'
grp_derive_from_dn_attr: ''
grp_test_grp_dn: ''
grp_test_grp_dn_writeable: ''
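Review bot: `grp_derive_from_dn: '0'` is a quoted string while every other flag in this server export (`tls`, `grp_unused`, `grp_nested`, `grp_user_memb_attr_exists`, `unique_persistent_attr_binary`) is a bare boolean; if the consumer treats it as a boolean it should be `grp_derive_from_dn: false`, and if it really is a string the inconsistency deserves a comment. The `basedn` value joins the two base DNs with a literal `\r\n` inside double quotes; that is presumably what the form stores, but it is worth confirming the consumer splits on that exact sequence rather than on `\n` alone, otherwise the first DN carries a trailing `\r`. `binddn: 'cn=admin,dc=hogwarts,dc=edu'` with `bindpw: admin` commits the container's default administrative credentials; that is acceptable for a Docker fixture, but the export should say so, e.g. `# Fixture credentials for the local osixia/openldap container only`, so they are not copied into a real site.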
drupalAcctProvisionServer: hogwarts
ldapEntryProvisionServer: hogwarts
drupalAcctProvisionTriggers:
drupal_on_login: drupal_on_login
drupal_on_update_create: drupal_on_update_create
ldapEntryProvisionTriggers:
ldap_on_update_create: ldap_on_update_create
ldap_on_login: ldap_on_login
ldap_on_delete: ldap_on_delete
drupal_on_manual_creation: drupal_on_manual_creation
orphanedDrupalAcctBehavior: ldap_user_orphan_email
orphanedCheckQty: 100
userConflictResolve: resolve
manualAccountConflict: conflict_show_option
acctCreation: ldap_behavior
ldapUserSyncMappings:
drupal:
field-mail:
ldap_attr: '[mail]'
user_attr: '[field.mail]'
convert: false
direction: drupal
user_tokens: ''
config_module: ldap_user
prov_module: ldap_user
enabled: true
prov_events:
- create_drupal_user
- sync_to_drupal_user
ldap:
cn:
ldap_attr: '[cn]'
user_attr: '[property.name]'
convert: false
direction: ldap
user_tokens: ''
config_module: ldap_user
prov_module: ldap_user
enabled: true
prov_events:
- create_ldap_entry
- sync_to_ldap_entry
mail:
ldap_attr: '[mail]'
user_attr: '[property.mail]'
convert: false
direction: ldap
user_tokens: ''
config_module: ldap_user
prov_module: ldap_user
enabled: true
prov_events:
- create_ldap_entry
- sync_to_ldap_entry
dn:
ldap_attr: '[dn]'
user_attr: user_tokens
convert: false
direction: ldap
user_tokens: 'cn=[property.name],ou=people,dc=hogwarts,dc=edu '
config_module: ldap_user
prov_module: ldap_user
enabled: true
prov_events:
- create_ldap_entry
- sync_to_ldap_entry
'objectClass:0':
ldap_attr: '[objectClass:0]'
user_attr: user_tokens
convert: false
direction: ldap
user_tokens: organizationalPerson
config_module: ldap_user
prov_module: ldap_user
enabled: true
prov_events:
- create_ldap_entry
'objectClass:1':
ldap_attr: '[objectClass:1]'
user_attr: user_tokens
convert: false
direction: ldap
user_tokens: person
config_module: ldap_user
prov_module: ldap_user
enabled: true
prov_events:
- create_ldap_entry
'objectClass:2':
ldap_attr: '[objectClass:2]'
user_attr: user_tokens
convert: false
direction: ldap
user_tokens: inetOrgPerson
config_module: ldap_user
prov_module: ldap_user
enabled: true
prov_events:
- create_ldap_entry
'userPassword':
ldap_attr: '[userPassword]'
user_attr: '[password.user-only]'
convert: false
direction: ldap
user_tokens: ''
config_module: ldap_user
prov_module: ldap_user
enabled: true
prov_events:
- sync_to_ldap_entry
orphanedAccountCheckInterval: always
userUpdateCronQuery: example_query
userUpdateCronInterval: always
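Review bot: The `dn` sync mapping's `user_tokens` value `'cn=[property.name],ou=people,dc=hogwarts,dc=edu '` ends with a space inside the quotes, so the DN composed for provisioned LDAP entries carries a trailing space and will not match the `cn=...,ou=people,dc=hogwarts,dc=edu` form used elsewhere in this change; it should read `user_tokens: 'cn=[property.name],ou=people,dc=hogwarts,dc=edu'`. The `userPassword` mapping fires only on `sync_to_ldap_entry` while the other `ldap`-direction mappings also list `create_ldap_entry`; if newly created entries are meant to have no password until the user's next login that is worth a comment, since it reads like an omission. The keys `'objectClass:0'`, `'objectClass:1'`, `'objectClass:2'` and `'userPassword'` are quoted while `cn`, `mail` and `dn` are not; neither form is wrong, but one style per file is easier to scan.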
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by * none
olcAccess: to *
by self write
by * read
\ No newline at end of file
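Review bot: The second rule, `olcAccess: to * by self write by * read`, grants every bound user write access to all attributes of their own entry and anonymous read access to the whole directory, which is broader than the server export needs: the Drupal side binds as `cn=admin` for provisioning, and `uid` and `cn` are configured there as the persistent identifier and login attribute, so self-write on `*` lets a user rewrite the very attributes the site keys on. For anything beyond a throwaway fixture change it to `by self read` (or enumerate the self-writable attributes), and unless this is the `anon_user` grants file that the Docker script copies in as `/grants.ldif`, prefer `by * read` → `by users read`. The rendering drops leading whitespace, so I am assuming the `by ...` lines are indented continuation lines in the committed file; if they are not, ldapmodify will reject them as separate attributes. The file also lacks a trailing newline, which some LDIF tooling warns about.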