Download / Installing

• Download the LDAP Integration module.
• Enable the module on the modules page.
• Enable the “administer ldap modules” permission for yourself on the permissions page.

The module is now installed and ready to be authenticated against the AD server.

Configuring LDAP Authentication

The LDAP Authentication module is the secret sauce to the rest of the modules. Without it, nothing else will work very well (actually not at all).

• Go to admin/settings/ldap/ldapauth on your site
• Click “Add Server” tab
• Add a unique name for this server
• Add the domain or IP, in the format “ldap://yourdomain.com”
• Add your base DNs in the field, 1 per line
• Add the userName Attribute. This is usually sAMAccountName for AD servers

The most important step is down at the bottom of the page. Active Directory does not allow anonymous bindings or searches, so you need to configure an account specifically for that purpose. Enter that account’s name and password in the fields provided. Once you save the page, you can then test that account to make sure it can bind ok.

Configuring LDAP Data

The LDAP Data module can be used to pull information from your Active Directory/LDAP server into Drupal’s Profile module.

• Go to admin/settings/ldap/ldapdata
• Click “Edit” on the server config we set up earlier
• Configure your mapping preferences (None, Read Only, Read/Write)

From there, simply map the corresponding LDAP/AD Attribute to your desired Drupal Profile field. These can be like displayName, sn, or mail. That’s pretty much it for this module, as it is pretty simple and straightforward with its directions

Configuring LDAP Groups

This part was probably the most difficult, and the one I spent the most time with. I ran into problems mostly with how our department’s AD server had its tree structure laid out.

• Go to admin/settings/ldap/ldapgroups
• Click “Edit” on the server config we set up earlier

From here, it gets a little complicated. There are 3 fieldsets, Group by DN, Group by attribute, and Group by entry. You can actually mix-and-match any of these 3. Our department uses Group by DN and Group by attribute.

For the Group by attribute in AD, you want to put memberOf in the field, since that’s what is recorded in the LDAP record.

The “LDAP group to Drupal role limits” field can be useful if you only have 1 or 2 groups from AD that need brought into Drupal. If you have many groups in AD, I recommend using the “LDAP group to Drupal role filtering” fieldset. You can put any of the following into that fieldset, and it will still work:

• Faculty|Faculty
• Staff|Staff
• CN=dudes,OU=SecurityGroups,DC=w2k,DC=cis,DC=ksu,DC=edu|dudes
• CN=advisor_users,CN=Users,DC=w2k,DC=cis,DC=ksu,DC=edu|advisor

Then check the box that reads “Use LDAP group to Drupal roles filtering” to only allow the filtering rules you stated earlier to allow account creation. If you just want to pull every account from AD into Drupal, then neither of those fields mean anything, and you can ignore. If you want to get really fancy, you can even supply PHP code to filter and process AD groups to Drupal groups.

If you have any further questions about how to do any of this, please leave a comment and I will get back to you.