This sample email below is intended to be a rehash of http://drupal.org/node/1023900 directed at LDAP Administrators.
Dear [LDAP|Active Directory] Administrator,
We would like to leverage the [Campus|Corporate|Whatever] [LDAP|Active Directory] for authentication and authorization on our Drupal website. It will be used in the following way:
- Users will enter their credentials in the Drupal interface and Drupal will test them against the LDAP by binding with them.
- A mirrored Drupal Account will also be created with their email and a long random password; no LDAP credentials will be stored in Drupal
- LDAP Groups will be mirrored with Drupal roles and Drupal role memberships will be derived for LDAP Groups and OUs.
We have the following questions about configuration and best practices. Whatever you can tell us will be helpful. Once we get connected to the LDAP server, we can hopefully figure out any missing pieces.
LDAP Server Connection Properties:
- What type of LDAP is it (Active Directory, Open LDAP, Open Directory, eDirectory, etc)?
- Should we bind with a service account for querying user attributes and group memberships? Or use an anonymous bind? If so do we create the service account or can you? If you create it, what is the Distinguished Name (eg. cn=jdoe,ou=...) for it and password?
- What is the base Distinguished name that we should bind to? We suspect its the top level DN, but anything above the users and group OUs should work.
- What is the LDAP Server Hostname and Port (eg. ad.mycompany.com:386)?
- Should we connect with Start TLS or ldaps or neither?
- Are there any firewall issues we need to resolve to connect from our web server to the LDAP server
LDAP User Entries
- What attribute contains the users email address (e.g. mail)?
- Is there a unique attribute such as uid, guid, etc. that does not change over time?
- What attribute would make a good logon/username (e.g. "cn")?
Group Entries:
- Does the user's LDAP entry have an attribute such as memberOf that contains the user's group memberships?
- What attribute in the group ldap entries holds the users (e.g. uniquemember, memberUid)? And what is held in this attribute (DN, CN, uid, ..)?
- What is the object class of the group entries (e.g.groupOfNames, groupOfUniqueNames, group)?
Thanks
