Monday, June 18, 2007

Dreamhost Drupal with LDAP

When we tried to connect we got an error message:
Fatal error: Call to undefined function ldap_connect() in D:\Program Files\wamp\www\drupal\modules\ldap_integration\ldap_integration\LDAPInterface.php

We needed to modify our php.ini to uncomment

In order to customize the php.ini we had to do some hacking:

The php.ini file is working, but the dll list in it is for windows machines, not linux. need to find out how to configure php to load modules on linux. of course, you don't - you recompile php with the modules you need - which means this direction will orphan our php installation from future updates from dh.

Background/not followed: This gives details on how to do this from scratch:

This provides pre-compiled versions for use on a select group of linux distro's

To test the configuration you attempt to login as an account found in the ldap directory, but not in the drupal system.


Note from (

Chasing referrals in Active Directory (ie: searching across domains), can be slow. You can look up the object instead in the GC (Global Catalog) as follows:

Remove any reference to ldap:// when you use ldap_connect, ie: use "" NOT "ldap://"

Connect to port 3268 (not 389, the default)

Set the Base DN for the search to null ie: "" (empty quotes).

AD will then run the search against the GC which holds a copy of all objects in the Forest. You can also retrieve a subset of attributes (including group membership, except local groups).

You will still need to follow referals for a full set of attributes.


following the script from dh:

used openldap source code and did a test run on the prep script with only ldap to ensure it worked properly. to do this i simply added:
LDAP="openldap-stable" to the version information list. this is a symbolic link maintained by openldap to get you the most recent stable version

then in the get section i added (don't be alarmed that the suffix is different from the other packages):
wget -c${LDAP}.tgz

then to extract it i added this at the end (again needing to focus on the suffix to match openldap convention):
echo Extracting ${LDAP}...
tar xzf ${DISTDIR}/${LDAP}.tgz > /dev/null
echo Done.

I looked in the source directory via my ftp client and found that openldap had given me v2.3.32.
I used this as my LDAP variable in the install sh file:

I modified the PHPFEATURES list to include:
note that you need to add a \ to the line above, and move the closing quote to after with-ldap

The openldap doc/install/configure file said generic installs run ok with just ./configure.

This approach bombed out on the script prior to getting to ldap - failed on cclient.

Started process over with the script at

This script ran ok on its own. When i modified to include ldap, it said:

checking Berkeley DB version for BDB/HDB backends... no
configure: error: BDB/HDB: BerkeleyDB version incompatible

This link explains more:

Same error message during ldap ./configure...
The berkeleydb and openssl installed without any error messages.
Many people posting this question to the openldap forum with rtfm responses...
Trying with env CPPFLAGS=-I${INSTALLDIR}/include LDFLAGS=-L${INSTALLDIR}/lib ./configure --prefix=${INSTALLDIR}

The flags are supposed to tell the openldap configure where to look... same result.

At this point, I'm wondering if the berkeleydb install didn't put things where i intended...
The first attempt at making the db i forgot the prefix, then ran the process again, i received an odd message about not replacing a .h file, which made me wonder how the file could be in two places from two runs. The berkeley docs state if you want to change anything, you need to run make realclean first - which removes everything...
Nope, now berkeley configures but crashes on make install, attempting to re-create the install subdirectory and getting a permission denied. ??

Trying again with the same env flags used above on openldap configure....ok, i got an install.

This is insane.

The openldap configure can see db.h, and it knows the version, why does it still say there is a version mismatch? Ehem. nosing up the tree, it looks like dh has db.h installed in the usr directory, indeed, the lib folder contains all the way up to 4.3. Given the openldap is telling me it has version 4.5, i imagine that means it does know about my version. Do i need to exclude all the prior versions in my configure statement? Argh! And why won't it run with the versions already installed? maybe the same reason - since so many are installed, maybe this step is lazy and stops with the first one it finds?

Analyzing the configuration.log - the conftest file has a strict test for DB_VERSION_MAJOR among others down to the patch level, but its not clear where these get defined. Also, the configuration.log shows an actual error message that does not make sense - this file exists in my lib folder:
./conftest: error while loading shared libraries: cannot open shared object file: No such file or directory

grep DB_VERSION_STRING db.h from within usr/local/include returns 3.2.9.

At a complete loss - need to find out what file contains the DB_VERSION_MAJOR check and put a print line to see what version it thinks it found. This code does not exist in the openldap directory!!! Somehow, when i searched all the files in the source directory, i could not find the source code file that contained the version check - i wanted to echo what version it found in order to understand who its finding and whether its stopping at the lowest or highest or what. unreal?

This makes it sound like i can hack the configure script in openldap to remove the hardcoded usr/lib searches...

Found this interesting discussion about the intricacies of library paths:

Colleague suggested using LD_CONFIG which will tell gcc where to get libraries from. Is this the same as LDFLAGS? Do we need to compile bdb with this flag or openldap?...

OMG I found it:
the flag you need is: export LD_LIBRARY_PATH="/build_unix/.libs"

Onward to make...

Got clean install of openldap...

php5 configure got:
configure: error: Cannot find ldap.h
needed to modify the following to include =path

got clean install of php...

now on to the drupal integration challenges
warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Can't contact LDAP server ...

later on will need this regarding sasl:
supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
ok, when all security is turned off, and the ad accounts for reading and writing are domain admins, everything works!! and we wonder why systems are so vulnerable - the first thing to work is the least secure, shouldn't it be the other way around?
Current issues:
- retrieve password does not find the user
- new users do not appear in LDAP

to run the sh script:
chmod +x

1 comment:

Marc said...

Wow, awesome.

You don't happen to have the compiled version available for download somewhere?
Otherwise, that REALLY seems to be a lot of work

Thanks in Advance,