Hi folks,
Newbie post: I’m hoping I’m in the right place, please be gentle 😊
I’m looking for a module (or any information on the best place to start to write one) to permit EE to authenticate against an AD service (well, any external vector would probably be fine, I could shim something up between that vector and AD if needed).
Posts on the subject seem to crop up from time to time:
http://ellislab.com/forums/viewthread/44500/
http://ellislab.com/forums/viewthread/66111/
http://ellislab.com/forums/viewthread/61930/
http://ellislab.com/forums/viewthread/53205/
and responses from EllisLab seem to be along the lines of “it doesn’t exist, and we’re not doing it… yet”
This is kind of worrying for me because it indicates there’s some kind of mammoth effort involved in supporting LDAP auth within EE. I don’t know enough about the internals of EE (yet) to say.
Does anybody know whether a plugin or module or extension exists that can do this? I don’t really want to reinvent the wheel unless it’s a square wheel.
Would anyone be interested in collaborating on the development of such a module if it doesn’t exist? Can anybody add useful information like “start looking here” or “I’d be interested in such a module if it did this”?
Regards,
Saliya
I too am very interested in this, especially with the push for SSO and identity management coming to the forefront in many organizations.
I have done this before with other systems. From what I can initially tell EE sets a bunch of cookies/sessions upon login.
It shouldn’t be too hard to look into their authentication scripts and see what needs to be set.
Converting it into a working module is another story. First things first.
I wish the EE folks would realize that this would take them into the realm of enterprise CMS, with Active Directory authentication making EE attractive to larger organizations.
I’ll keep you posted on what I discover.
Jim
Hi Paul,
saw your reply in my thread; hope I’m not out of line asking this:
If EllisLab is well aware that people want this type of auth available, but hasn’t done it yet, doesn’t that mean that the costs of implementation outweigh the benefits?
Is there an ‘official’ answer as to why this might be the case? For example, is there some major obstacle preventing this from being done?
I’m only asking because I don’t want to bite off more than I can chew. Re-architecting EE internals would fit into that basket 😊
Regards,
Saliya
No, I would not interpret our lack of integration of LDAP into ExpressionEngine in that light.
A fairly tight integration of LDAP into ExpressionEngine is possible and there are extension hooks (or a module, if you wish to go a slightly different route) that would allow it. It is not a perfect fit though and I would not say it would be easy or even close to being seamless. There are CodeIgniter libraries (or you could look at Drupal as well) that could be used as a foundation for any coding that would need to be done to connect to an LDAP server and interact with it.
Hi Paul,
thanks for the response; PHP5 looks like it has LDAP support built-in and I’m intending to use something like
http://adldap.sourceforge.net/
to do a proof-of-concept.
Any suggestions as to where to begin within EE? I was thinking that login_authenticate_start would be the appropriate place, but I’m not finding a huge amount of documentation regarding getting started with this. Is there a document somewhere that describes the internal processes of EE with respect to how it does authentication now?
If I’m allowed to, I’ll post what I find.
Regards,
Saliya
LDAP has been in PHP for a number of years, including in PHP 4. Only recently did more hosts start compiling PHP with it enabled though.
No, there is no detailed documentation for the Session class or any of the authentication code. Typically anyone who starts modifying such things will need a firm understanding of the PHP code, and anyone who could do that would be able to understand it themselves. Personally, I would probably start building a core.ldap.php class and testing it yourself first either separately or in a template with PHP on Input turned on.
Yes, you can post any changes or code, if you wish. We would not be able to support any hacks, obviously.
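Added example (not part of the thread and not EllisLab code): a standalone LDAP authentication class of the kind suggested above, written to be tested on its own before any EE hook such as login_authenticate_start is involved. The class name, its constructor parameters and the returned array keys are hypothetical; it assumes PHP 5.6+ with the ldap extension and an Active Directory server that supports StartTLS.

```php
<?php
// Added example, not EllisLab code. The server URI, base DN and UPN suffix
// passed to the constructor are placeholders for your own directory.
final class LdapAuthenticator
{
    private $uri, $baseDn, $upnSuffix;

    public function __construct($uri, $baseDn, $upnSuffix)
    {
        $this->uri = $uri;             // e.g. ldap://dc.example.test (upgraded via StartTLS)
        $this->baseDn = $baseDn;       // e.g. DC=example,DC=test
        $this->upnSuffix = $upnSuffix; // e.g. example.test
    }

    /** Returns array(username, mail, name) on success, null on any failure. */
    public function authenticate($username, $password)
    {
        // An empty password turns a simple bind into an "unauthenticated bind"
        // that many servers accept, so refuse it before touching the network.
        // The account-name whitelist keeps '@', '\' and filter metacharacters out.
        if (!is_string($password) || $password === '' || !is_string($username)
            || !preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $username)) {
            return null;
        }
        $conn = ldap_connect($this->uri);
        if (!$conn) {
            return null;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        $user = null;
        // Upgrade to TLS first so the password never crosses the wire in cleartext.
        if (@ldap_start_tls($conn) && @ldap_bind($conn, $username . '@' . $this->upnSuffix, $password)) {
            $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
            $res = @ldap_search($conn, $this->baseDn, $filter, array('mail', 'displayName'));
            $entries = $res ? ldap_get_entries($conn, $res) : false;
            if ($entries && $entries['count'] === 1) { // exactly one match, otherwise fail closed
                $e = $entries[0];
                $user = array(
                    'username' => $username,
                    'mail' => isset($e['mail'][0]) ? $e['mail'][0] : null,
                    'name' => isset($e['displayname'][0]) ? $e['displayname'][0] : null,
                );
            }
        }
        ldap_unbind($conn);
        return $user;
    }
}
```

Whether the server certificate is verified during StartTLS is controlled by the OpenLDAP client configuration on the host (TLS_REQCERT), so check that setting before relying on the encrypted bind.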