CAS/LDAP Authentication of Drupal at BYU


I have added the CAS module for Drupal and I have been able to get Drupal to authenticate with the CAS server at BYU. All works well, except when it goes to create the user account. The account is created just fine, but it can't seem to pull the email address over. (I understand that the CAS server doesn't have this information, but that you have to access the LDAP server to retrieve the email based upon the user ID, which I guess makes this more of an LDAP issue than a CAS one.)

I’m not getting any error messages anywhere, and I have configured the LDAP settings according to what I have seen.

Here are my ldap settings:
Name: BYU LDAP Server
LDAP Server: ldap.byu.edu
LDAP Port: 389
Base DN’s: ou=People;o=byu.edu
username attribute: uid
email attribute: mail

Under the LDAP Data part of the module:
Mapped to LDAP Attributes: Same, but read-only mode.
Then I have, for the Drupal 'mail' attribute, the corresponding LDAP attribute 'mail'.

I was told that the LDAP server allows anonymous searches. Is this true? Can I pull an email from the LDAP server with only having their netID?
Has anyone done this before or have any input that could help?
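
A quick way to answer the anonymous-search question is to run the same lookup the module would, outside Drupal. The script below is an added diagnostic, not code from the CAS or LDAP modules. It assumes the settings in the post (ldap.byu.edu, port 389, uid and mail attributes), writes the base DN in the comma-separated RFC 4514 form an LDAP client expects, and needs the OpenLDAP `ldapsearch` client for the live query. The filter escaping and the LDIF parsing run against a constructed sample so they can be checked offline; the entries and addresses in that sample are made up.

```python
"""Check whether an anonymous LDAP search returns a user's mail attribute.

Added diagnostic; not part of any Drupal module. Host, port, base DN and
attribute names are taken from the forum post and are assumptions here.
"""
import base64
import shutil
import subprocess
import sys

LDAP_URI = "ldap://ldap.byu.edu:389"   # assumption: host and port from the post
BASE_DN = "ou=People,o=byu.edu"        # assumption: the post's base DN in RFC 4514 form
UID_ATTR = "uid"
MAIL_ATTR = "mail"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A netID dropped straight into "(uid=%s)" would let "*" or ")(" rewrite the
    filter and match other entries; encoding those bytes as \\XX keeps the
    query pinned to exactly one uid.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_search_command(netid):
    """ldapsearch argv for an anonymous (-x with no -D/-w) single-user lookup,
    requesting only the attributes the Drupal mapping needs."""
    flt = "(%s=%s)" % (UID_ATTR, escape_filter_value(netid))
    return ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", BASE_DN,
            "-s", "sub", flt, UID_ATTR, MAIL_ATTR]


def parse_ldif_attributes(ldif):
    """Parse `ldapsearch -LLL` output into one {attr: [values]} dict per entry.

    Handles the two things ldapsearch does that trip up naive parsing:
    folded continuation lines (leading space) and base64 values ("attr:: ...").
    Attribute names are lower-cased because LDAP treats them case-insensitively.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]       # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def mail_for_netid(netid, ldif=None):
    """Return the mail attribute for netid, or None when it cannot be pulled.

    Pass captured LDIF to check offline; otherwise ldapsearch is run. None
    covers the case the post describes: the search succeeds but the entry
    carries no mail value (or the search matched nothing, or more than one
    entry, in which case no address is guessed).
    """
    if ldif is None:
        if shutil.which("ldapsearch") is None:
            raise RuntimeError("ldapsearch (OpenLDAP client tools) is not installed")
        ldif = subprocess.run(build_search_command(netid), capture_output=True,
                              text=True, check=True).stdout
    wanted = netid.lower()
    matches = [e for e in parse_ldif_attributes(ldif)
               if wanted in (v.lower() for v in e.get(UID_ATTR, []))]
    if len(matches) != 1:
        return None
    return matches[0].get(MAIL_ATTR, [None])[0]


# Constructed sample of what the search could return; not real directory data.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,o=byu.edu
uid: jdoe
mail:: amRvZUBieXUuZWR1

dn: uid=nomail,ou=People,o=byu.edu
uid: nomail
"""

if __name__ == "__main__":
    # With a netID argument the live directory is queried; without one the
    # constructed sample is parsed so the script can be exercised offline.
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else "jdoe"
    print(target, "->", mail_for_netid(target, None if live else SAMPLE_LDIF))
```

If the live run returns the address, anonymous search is open from where you are and the problem is in the module hand-off rather than the directory; if it returns None for a netID you know exists, either the search needs a bind DN and password or the mail attribute is not readable anonymously, and the module's silent failure is explained.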

If you are on campus, then the LDAP should be open. But there was talk of securing off-campus access. Have you used an LDAP client to test your settings and queries? There are several free ones (like Apache Directory Studio) which can be helpful to figure out what you're doing. -- JeffreyD http://Jeffrey.theDunsters.net/
Thanks for the thoughts. I am on campus, and I have made sure the LDAP connection module works. It authenticates and creates the user with all the information needed. The CAS module also authenticates, but there appears to be a problem with the CAS module acquiring the email when it creates the user (CAS module apparently uses the LDAP module to retrieve information from the LDAP server according to documentation). So it appears now that there is a problem with the two modules playing nicely together. Any thoughts?
Two other things. On island, we use the ldap integration module: http://drupal.org/project/ldap_integration You might have better luck with that. Second, make sure you're using a username/password with proper privileges. My login privileges won't work -- a Dr. Albrecht had to set ldap up here so things would work right. -- Kyle Mathews
Thanks for the information. I have gotten the LDAP module to work and it populates all the information when it creates a new user. I may have to stick with that for now. The website that I am replacing with drupal uses CAS login and so the hope is to be able to stick with the CAS login. The CAS module requires the LDAP module in order to retrieve information (so it obviously gets it from the LDAP server). Since both modules authenticate separately for me, there appears to be a problem with the two communicating together and sharing information. I'll keep playing and check all settings. Thanks again for the help, and if you have any other insight or ideas, please send them my way!
Roy -- Have you seen this -- OIT's CAS Single Sign-On service? https://it.byu.edu/index.cfm?child_id=1113& Is this a new service? Or have I just been in the dark? -- Kyle Mathews
I believe CAS has been around for several months on campus, but OIT just sent out an email last week that they are officially supporting it now. Hopefully that means they have all the bugs worked out and fixed. My problem still isn't fixed, but I think it might be with the modules.
Were you ever able to get this to work? I am running into a similar issue with my Drupal installation. The authentication through CAS works and even pulls the appropriate email address into the new profile, but I cannot get any of the other LDAP attributes to populate. It also is not applying the default role when it creates a new profile. It seems like an issue with the LDAP module, but I am not 100% sure. Please let me know if you were able to work it out. Thanks, Jared

I'm trying to do something similar to this kind of stuff - I'm trying to authorize with LDAP - to get the attributes and if they have the right ones, assign a drupal role when the account is created.

Has anyone done that before?
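
One way to do the attribute-to-role step, as an added example rather than anything from the LDAP integration module: the attribute names, expected values and role names below are assumptions chosen for illustration, and the sample entries are constructed. The point it shows is the fail-closed shape of the check: an account starts with only Drupal's built-in authenticated role and gains another role only when an attribute value explicitly listed in the rules is present, with LDAP's case-insensitive attribute names and DN-valued group memberships compared the way the directory compares them rather than by raw string equality.

```python
"""Map LDAP attribute values to Drupal role names at account creation.

Added example; not code from the CAS or LDAP modules. Attribute names,
values and role names are assumptions for illustration.
"""

DEFAULT_ROLE = "authenticated user"   # Drupal grants this to every account

# Attributes whose values are DNs (group membership style); compared as DNs.
DN_VALUED = {"memberof"}

# Assumed rules: (LDAP attribute, required value, Drupal role to grant).
ROLE_RULES = [
    ("eduPersonAffiliation", "faculty", "faculty"),
    ("eduPersonAffiliation", "staff", "staff"),
    ("memberOf", "cn=drupal-editors,ou=Groups,o=byu.edu", "editor"),
]


def normalise_dn(dn):
    """Lower-case a DN and strip whitespace around its RDN separators so that
    "CN=x, OU=Groups, O=byu.edu" and "cn=x,ou=Groups,o=byu.edu" compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def values_match(attr, have, want):
    """Compare one directory value against a rule value the way LDAP would:
    DN-valued attributes by normalised DN, everything else case-insensitively."""
    if attr.lower() in DN_VALUED:
        return normalise_dn(have) == normalise_dn(want)
    return have.lower() == want.lower()


def roles_for_entry(attributes, rules=ROLE_RULES):
    """Return the sorted list of Drupal roles an LDAP entry earns.

    attributes: {attribute name: [values]} as returned by an LDAP search;
    multi-valued attributes are normal and a missing attribute grants
    nothing. The default role is always present; any other role appears only
    when one of its rules matches, so an entry with no recognised attribute
    values gets no extra privileges.
    """
    lowered = {name.lower(): vals for name, vals in attributes.items()}
    granted = {DEFAULT_ROLE}
    for attr, want, role in rules:
        for have in lowered.get(attr.lower(), []):
            if values_match(attr, have, want):
                granted.add(role)
                break
    return sorted(granted)


# Constructed sample entries; not real directory data.
FACULTY_EDITOR = {
    "uid": ["jdoe"],
    "eduPersonAffiliation": ["member", "faculty"],
    "memberOf": ["CN=drupal-editors, OU=Groups, O=byu.edu"],
}
STUDENT = {"uid": ["asmith"], "edupersonaffiliation": ["student"]}

if __name__ == "__main__":
    for entry in (FACULTY_EDITOR, STUDENT):
        print(entry["uid"][0], "->", roles_for_entry(entry))
```

Keeping the rule table as the only source of grantable roles matters because the directory is outside the site's control: a value nobody mapped, however privileged it sounds, never turns into a Drupal role.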
