Using CruzID Blue Passwords in Drupal

Tim Gustafson has developed a Drupal module that allows for authentication using CruzID Blue credentials. This article is intended to capture the basic facts, configuration options and use cases campus developers might need.

Configuring SmartOS for Drupal and LDAP

Steps needed to configure a SmartOS VM running Drupal 7 and SOE's soe_blue_auth module. Our intent is to use CruzID Blue authentication to allow "authenticated access" to Drupal pages.

These instructions assume you've installed the basic LAMP software on your SmartOS VM. See this page for background on configuring SmartOS VMs: https://groups.google.com/a/ucsc.edu/forum/?hl=en#!topic/cruz-cloud-group/mJ_bfBu9ybQ

OpenLDAP Config

SmartOS has two ldap.conf files that need to be configured:

/etc/openldap/ldap.conf
/opt/local/etc/openldap/ldap.conf

We'll symlink them so both paths refer to one file, and make edits to /etc/openldap/ldap.conf. Move the stock /etc copy aside and link it to the /opt/local copy. Use the absolute path as the link target: a relative target of ldap.conf would make /etc/openldap/ldap.conf point at itself.

mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig
ln -s /opt/local/etc/openldap/ldap.conf /etc/openldap/ldap.conf

Here’s the contents of our ldap.conf file:

host ldap.soe.ucsc.edu
ssl on
base dc=crm,dc=ucsc,dc=edu
ldap_version 3
scope sub
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 20
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
pam_password ssha
pam_login_attribute uid

OpenLDAP Certs

We need to gather the certs for the SOE ldap.soe.ucsc.edu server and install them in /etc/openldap/cacerts. Note the tls_cacertdir directive in the ldap.conf that points to these certs.

You can ssh to beastie.soe.ucsc.edu using your CruzID Blue and navigate to:
/usr/local/etc/openldap/cacerts

Copy all the certs to your /etc/openldap/cacerts directory. OpenLDAP looks certificates up in a tls_cacertdir by subject-name hash, so if the copies do not include their hash symlinks, run c_rehash (or openssl rehash) on the directory afterwards; without them tls_checkpeer yes will reject the server.

Apache and SSL

The server needs a valid SSL certificate. This is done via the InCommon SSL request process. See http://its.ucsc.edu/certificates/request-service.html for more information on that process.

The apache.conf file needs to include the httpd-ssl.conf file. The httpd-ssl.conf file needs to be configured for the SSL certificate you've generated via InCommon.

PHP

The php.ini file at /opt/local/etc/php.ini needs to load the ldap.so extension (extension=ldap.so).

Testing LDAP from SmartOS

Here are a few commands to test from your SmartOS command line.

ldapsearch -x uid=<your CruzID Blue>

If things aren't working, here's a command to get more debugging information. The -d 7 flag turns on libldap debug output, and -H ldaps://... forces TLS on port 636 instead of relying on the host directive in ldap.conf, so this is the form that actually exercises the certificate setup above.

ldapsearch -x -d 7 -H ldaps://ldap.soe.ucsc.edu -b ou=People,dc=crm,dc=ucsc,dc=edu uid=peterm
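A working ldapsearch proves the OpenLDAP client setup, but not that PHP's ldap.so (the path Drupal will take) can reach the server. The following CLI script is an added example, not part of the soe_blue_auth module or the page's own commands; it connects over ldaps, insists on a verified server certificate, and looks up one CruzID. The server URI and search base are the page's; the script name, attribute list and exit codes are assumptions, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example; not part of the soe_blue_auth module or this page's own commands.
// Checks that PHP's ldap extension (loaded from /opt/local/etc/php.ini) can reach
// ldap.soe.ucsc.edu over ldaps using the cacerts configured above.
// Server URI and search base come from the page; everything else is assumed.
//
// Usage: php ldap_check.php <your CruzID Blue>

if (!extension_loaded('ldap')) {
  fwrite(STDERR, "PHP ldap extension not loaded; add extension=ldap.so to php.ini\n");
  exit(2);
}
if ($argc < 2) {
  fwrite(STDERR, "usage: php ldap_check.php <cruzid>\n");
  exit(2);
}
$cruzid = $argv[1];

// Refuse unverified server certificates regardless of what ldap.conf says.
// Global TLS options through a NULL link need PHP >= 7.1; older PHP relies on ldap.conf.
if (PHP_VERSION_ID >= 70100) {
  ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}

// ldaps:// (port 636), as in the debugging ldapsearch above. With plain ldap://
// a later authenticated bind would send the CruzID Blue password unencrypted.
$ldap = ldap_connect('ldaps://ldap.soe.ucsc.edu');
if ($ldap === FALSE) {
  fwrite(STDERR, "ldap_connect rejected the URI\n");
  exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Anonymous bind, equivalent to ldapsearch -x without -D. The TLS handshake
// happens here, so a certificate or cacerts problem surfaces at this point.
if (!@ldap_bind($ldap)) {
  fwrite(STDERR, 'bind failed: ' . ldap_error($ldap) . "\n");
  exit(1);
}

// Escape the caller-supplied value so it cannot change the filter's structure.
$filter = '(uid=' . ldap_escape($cruzid, '', LDAP_ESCAPE_FILTER) . ')';
$attrs = array('uid', 'cn', 'ucscpersonpubdivision');
$result = ldap_search($ldap, 'ou=People,dc=crm,dc=ucsc,dc=edu', $filter, $attrs);
if ($result === FALSE) {
  fwrite(STDERR, 'search failed: ' . ldap_error($ldap) . "\n");
  exit(1);
}
$entries = ldap_get_entries($ldap, $result);
if ($entries['count'] !== 1) {
  fwrite(STDERR, "expected exactly one entry for {$cruzid}, got {$entries['count']}\n");
  exit(1);
}

// Attribute names come back lowercased, the same keys the module later stores in ->blue.
foreach ($attrs as $attr) {
  $value = isset($entries[0][$attr][0]) ? $entries[0][$attr][0] : '(not set)';
  echo str_pad($attr, 24), $value, "\n";
}
ldap_unbind($ldap);
```

If the bind step fails while the ldapsearch with -H ldaps:// succeeds, the difference is usually the PHP build: confirm with php -m that ldap is listed and that it was linked against the OpenLDAP libraries that read /etc/openldap/ldap.conf.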

Getting the Module

The current version of the module is located in the SOE SVN repository. You'll need a CruzID Blue credential to connect to:

https://svn.soe.ucsc.edu/svn/drupal7/sites/all/modules/soe_blue_auth/

To check the module out into your Drupal 7 site, you would use a terminal and navigate to <your drupal root>/sites/all/modules. Then type:

svn co https://svn.soe.ucsc.edu/svn/drupal7/sites/all/modules/soe_blue_auth/

You will be prompted for your CruzID Blue credentials and then the module files will be copied to your directory. You can turn the module on via the Drupal module UI.

Configuring the Module

Install it and enable it as you would with other modules.

Using the Module

Here's a short list of things you can do with the module.

  • Create basic authentication to your content
  • Add users to groups
  • Create a custom module to access the LDAP information, auto-populate form fields

LDAP Data

The LDAP data comes from the data stored in the campus directory. When a user authenticates using this module, the LDAP data is stored in a table in serialized format. This means we can pull out information such as Full Name, Title, Department, Division and Phone Number. Other pieces of data include givenname, homedirectory, loginshell, sambasid, ucscpersonguid, uid, uidnumber, sn, cn, gidnumber, ucscpersonofficialcn, ucscpersonmail, postalcode, ucscpersonpubdivision, etc. See full mapping (tbd).
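The first two items under "Using the Module" (restricting content to authenticated users and grouping them) can be driven from the stored LDAP record. The following custom-module code is an added example, not part of soe_blue_auth or this page: it denies viewing of one content type unless the account's campus division attribute matches. It assumes a content type with the machine name restricted_page, an allowed division string, and that the module exposes the serialized record as $account->blue in the form the page's form_alter snippet shows.

```php
<?php
// Added example, not from the soe_blue_auth module or this page.
// Assumptions: content type machine name 'restricted_page', the division string
// below, and that soe_blue_auth stores the LDAP record as $account->blue with
// lowercased attribute names each holding a list of values.

// Assumed value; take the real string from the ucscpersonpubdivision attribute.
define('CUSTOM_MODULE_ALLOWED_DIVISION', 'Baskin School of Engineering');

/**
 * Returns the first value of an LDAP attribute from the account's blue record,
 * or NULL when the record or attribute is absent (anonymous user, stale record).
 */
function custom_module_blue_attr($account, $attr) {
  if (empty($account->blue[$attr][0])) {
    return NULL;
  }
  return $account->blue[$attr][0];
}

/**
 * Implements hook_node_access().
 *
 * $node is a node object or, for 'create', the content type machine name.
 */
function custom_module_node_access($node, $op, $account) {
  $type = is_string($node) ? $node : $node->type;
  if ($type != 'restricted_page' || $op != 'view') {
    // Not our content type or not a view: let permissions and other modules decide.
    return NODE_ACCESS_IGNORE;
  }

  // Anonymous users never have a CruzID Blue record.
  if (empty($account->uid)) {
    return NODE_ACCESS_DENY;
  }

  // The $account handed to this hook can be a partial object; load the full one
  // so the blue record is present.
  $full = user_load($account->uid);
  $division = custom_module_blue_attr($full, 'ucscpersonpubdivision');

  if ($division === CUSTOM_MODULE_ALLOWED_DIVISION) {
    // Matching division: fall through to the normal "access content" permission.
    return NODE_ACCESS_IGNORE;
  }
  // Anyone else is denied outright, even with "access content".
  return NODE_ACCESS_DENY;
}
```

Two caveats on the design: hook_node_access() is bypassed for user 1, and it governs direct access to a node, not which nodes appear in views or listings (those use node access grants), so treat it as a gate on the page itself rather than a way to hide its existence. Comparing with === against a fixed string, rather than a substring match, keeps a division value that merely contains the allowed name from passing.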

Custom Module Example

Here's a snippet of how you could use hook_form_alter() in a custom module to populate the First, Last, Department fields in a form. 

/**
 * Implements hook_form_alter().
 */
function custom_module_form_alter(&$form, &$form_state, $form_id) {
  global $user;

  // hook_form_alter() runs for every form; only touch the one we care about.
  if ($form_id != 'custom_module_node_form') {
    return;
  }

  // Load the full account; the module stores the serialized LDAP record in ->blue.
  $this_user = user_load($user->uid);
  if (empty($this_user->blue)) {
    // Anonymous user or no CruzID Blue data on file: leave the form untouched.
    return;
  }

  $form['field_first'][LANGUAGE_NONE][0]['value']['#default_value'] = $this_user->blue['givenname'][0];
  $form['field_last'][LANGUAGE_NONE][0]['value']['#default_value'] = $this_user->blue['sn'][0];
  $form['field_department'][LANGUAGE_NONE][0]['value']['#default_value'] = $this_user->blue['ucscpersonpubdivision'][0];
}