Can Drupal Commons integrate with my corporate LDAP or Active Directory server?

Yes. Drupal can use the LDAP Integration project for this purpose. This project is actually a package containing three modules, each performing a separate task:

  1. ldapauth - allows users to authenticate against multiple LDAP or AD servers
  2. ldapgroups - use LDAP groups as Drupal roles
  3. ldapdata - provides read or read/write access to LDAP data from within Drupal

Drupal uses LDAP as follows:

  • Drupal performs user authentication using LDAP by consulting the LDAP (or AD) server during user login.
  • Drupal itself decides whether to show content to (or hide content from) a user based on the roles assigned to that user in the Drupal site.
    • ldapgroups is used to map Drupal roles to LDAP groups. Therefore, to have LDAP drive access in Drupal, set up Drupal roles, set each role's permissions to match the access you want, and then place users in the LDAP groups that map to those roles.
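The login-time flow just described (bind against the directory, then derive Drupal roles from LDAP group membership), as an added example that is not code from the LDAP Integration modules. The in-memory directory, the DNs and the group-to-role mapping are constructed stand-ins for a real LDAP/AD server and an ldapgroups configuration.

```python
from dataclasses import dataclass, field

# Constructed sample directory: user DN -> (password, list of group DNs)
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=org": ("alice-pw", ["cn=editors,ou=groups,dc=example,dc=org"]),
    "cn=bob,ou=people,dc=example,dc=org": ("bob-pw", []),
}

# Constructed mapping of LDAP groups to Drupal roles (what ldapgroups is configured with).
# Groups that are not listed here confer no Drupal role at all.
GROUP_TO_ROLE = {
    "cn=editors,ou=groups,dc=example,dc=org": "editor",
    "cn=admins,ou=groups,dc=example,dc=org": "administrator",
}

@dataclass
class LocalUser:
    """The local Drupal account that is created on first successful LDAP login."""
    name: str
    roles: set = field(default_factory=set)

LOCAL_USERS = {}   # username -> LocalUser

def ldap_bind(dn, password):
    """Simulate a simple bind against the directory. An empty password is refused
    before it reaches the server: many directories treat an empty password as an
    anonymous bind that 'succeeds', which would let anyone log in as any user."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password

def login(username, password):
    """Authenticate via LDAP, then sync the local account's roles from LDAP groups."""
    dn = f"cn={username},ou=people,dc=example,dc=org"
    if not ldap_bind(dn, password):
        return None   # failed bind: no local account is created or touched
    user = LOCAL_USERS.setdefault(username, LocalUser(username))
    # Roles are recomputed from current group membership on every login, so being
    # removed from an LDAP group also revokes the corresponding Drupal role.
    groups = DIRECTORY[dn][1]
    user.roles = {"authenticated user"} | {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    return user
```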

Comments

kwarwick

But will this "break" our DC?

We are just getting ready to create our first production DC site... and would like to integrate with our Active Directory but does this mean we'll break DC any time we update the version? We really want the integration but not "breaking things" and keeping maintenance simple is a higher priority as a non-profit with a small IT department ;-) Thanks.

zmather

It shouldn't

In theory it shouldn't break your DC or anything within AD. Essentially all it is supposed to do is look up an account to verify it is valid, then check the password. I've successfully gotten authentication to happen using Drupal Commons. It's not in production yet, but I am in the process of developing it.

I am, however, having difficulties getting some other pieces of the AD part to work, specifically mapping LDAP attributes to Organic Groups.

/zach

kwarwick

Thanks... I'll pass that on to our IT guys!

Thanks Zach!

Ken

jay

This sounds right

Setting up Drupal LDAP modules isn't for the faint of heart, but it does work. The way it works (as I understand) is:

  • When somebody is logging in, Drupal consults the LDAP server to authenticate the user;
  • If the user is authenticated successfully, Drupal creates a local user account for the user (if one doesn't already exist), and logs the user in to Drupal. The LDAP modules can be set to pull "permission" information from the LDAP/AD server into the user's account (see below).
  • Drupal then uses its local user account for permissions / role info when building pages.

The trick (from what I've heard) is to get the roles in LDAP & the roles in Drupal to mirror each other in a proper way, such that the role / permissions in Drupal properly reflect what you want.  (Organic Groups will just use whatever the user's role/permission data is from Drupal.)  Getting these to match is likely to take some new attribute / role / .. definition in the LDAP/AD end - or some role/permission creation on the Drupal end.

We do have people at Acquia who have done this; we don't provide this level of advice / service for free, but are happy to do it as a paid service.

zmather

Thanks.

We actually just recently signed up for some support through Acquia. I'm starting to think this is something that I need to get that level of support on.

I usually am hesitant to go this route since a lot of stuff is documented and there are people out there that can help. However, the AD and Organic Groups part seems to be A) more complicated and B) less used out there.

/zach

zmather

Is this something that has been done?

I am curious if Acquia has in fact set this up before? I would hate to waste a support call on something that hasn't been done and isn't within the realm of usual configuration and support. That is something that worries me a little bit given that DC has only been operational for a relatively short time.

Thanks.

/zach