List: drupal-support
Subject: [support] Drupal + IIS + windows
From: metzlerd () evergreen ! edu (Metzler, David)
Date: 2009-01-30 16:49:34
Message-ID: 52177C930FA90F4D9888B0343FDB79FB10ECA2 () birch ! evergreen ! edu
I get it. It might help to understand a bit about what the CAS module does.
The CAS module is a single sign on module that does automatically log people in but only after checking with a centralized authentication server to verify that they've logged in elsewhere. The idea behind the cas server is that it's a centralized place to login, and we don't want to expose the usernames and passwords to drupal. Rather if the user needs to log in, we redirect the client to another location for login, and then when they come back do a quick check to make sure that they have authenticated. If they have, establish a drupal user session.
In our environment, we actually use this to authenticate against our MS Active Directory, but drupal never sees the user name and password. That's handled by the CAS server which does Kerberos auth against active directory. You do have to specify your username and password, but that's authed by the CAS server against our active directory.
Here's what the CAS module does:
1. At the beginning of the page load check to see if there's already a drupal session? If so no need to interfere.
2. Since we're not logged in, check and see if we "need to be", it may be ok to display a drupal page as anonymous user (this is reg expression based on the path), but if we need to be authenticated.
3. If we need to be and we haven't logged in use the phpCAS library to ask the centralized server what user we're logged in as. The phpCAS client does this via a curl request to the CAS server. This is the part I think you can replace with a simple environment variable check.
4. Given the username try and load the drupal user. If the user exists then great we have a session established.
5. If the user doesn't exist, and the cas module is configured to automatically create accounts, create a local drupal account and establish a session as that user.
There are some tricks of course, and the module exposes some configuration options, not all of which are relevant, but this is darn close to what you need. If you have any specific questions, don't hesitate to contact me off list.
Dave
metzlerd at evergreen.edu
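
The substitution suggested in step 3, sketched as an added example that is not part of the original message and not code from the CAS module: plain PHP with no Drupal API calls, where the function names, the `EXAMPLE` domain, the account list and the `deny` outcome are assumptions. It takes the user name from the `AUTH_TYPE` and `REMOTE_USER` server variables that IIS sets after integrated authentication, then walks the five steps over constructed requests.

```php
<?php
// Added example; every function name and sample value is hypothetical.
// Step 3 replacement: read the identity IIS established, not a CAS reply.
function iis_authenticated_user(array $server, array $trusted_domains) {
  // Trust the name only if IIS itself performed integrated authentication.
  if (!in_array($server['AUTH_TYPE'] ?? '', ['Negotiate', 'NTLM'], true)) {
    return null;
  }
  // Never fall back to HTTP_* keys: those are client request headers.
  $raw = $server['REMOTE_USER'] ?? '';
  // Expect DOMAIN\user and reject any other shape.
  if (!preg_match('/^([A-Za-z0-9.-]+)\\\\([A-Za-z0-9._-]+)$/', $raw, $m)) {
    return null;
  }
  if (!in_array(strtoupper($m[1]), $trusted_domains, true)) {
    return null;
  }
  return strtolower($m[2]);
}

// Steps 1-5 of the message as one decision ('deny' is an assumption).
function sso_decide($has_session, $path, $protected, $name, array $accounts, $auto_create) {
  if ($has_session) {
    return 'keep-session';                      // step 1
  }
  if (!preg_match($protected, $path)) {
    return 'anonymous';                         // step 2
  }
  if ($name === null) {
    return 'deny';                              // step 3
  }
  if (in_array($name, $accounts, true)) {
    return "login:$name";                       // step 4
  }
  return $auto_create ? "create-and-login:$name" : 'deny';  // step 5
}

// Constructed sample requests against a constructed account list.
$accounts = ['jdoe'];
$requests = [
  ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'EXAMPLE\\JDoe'],
  ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'EXAMPLE\\newhire'],
  ['AUTH_TYPE' => '', 'HTTP_REMOTE_USER' => 'EXAMPLE\\admin'], // header only
  ['AUTH_TYPE' => 'NTLM', 'REMOTE_USER' => 'OTHER\\jdoe'],
];
foreach ($requests as $server) {
  $name = iis_authenticated_user($server, ['EXAMPLE']);
  echo sso_decide(false, 'node/1', '#^node/#', $name, $accounts, true), "\n";
}
```
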
________________________________
From: support-bounces@drupal.org [mailto:support-bounces at drupal.org] On Behalf Of Néstor
Sent: Friday, January 30, 2009 8:08 AM
To: support at drupal.org
Subject: Re: [support] Drupal + IIS + windows
I work for a government agency and they tend to be MS shops but the reasons why we want Drupal is because we do not have the money in the budget and I like to bring in some open source to help change the IT mind that MS is not the only way to go and that there are other choices. We do have an intranet and was built in 2001 and I want to implement something more current.
All the stuff you mentioned sounds so easy but it went over my head. I will download the CAS and look at the code to see if it means anything to me.
I am actually surprised that more people do not have the need for a module that automagically logs users in.
Thanks all for your replies.
Nestor :-)
On Thu, Jan 29, 2009 at 8:24 AM, Metzler, David <metzlerd at evergreen.edu> wrote:
In such an environment using drupal would be an uphill battle for sure, but if you've got drupal working, and you've got IIS to do NTLM, it would seem to me that you COULD write a drupal module to do what you're asking.
Much of the code is the same as what is in the CAS module (which I maintain) at http://drupal.org/project/cas. The primary difference is where drupal would get the username. If you got a copy of the cas module, and replaced the cas client code with a "get the logged in user from an IIS provided environment php environment" chunk of code, enabled the drupal is cas user repository checkbox set it up to require cas auth for all pages, you would have the starting point of a module that would (I believe) do what you ask.
Again, I don't know if it's worth it. If you're reaching for integration with Microsoft products then you might be better off with sharepoint, but if you're looking for all the kinds of things that drupal provides (modular extendibility, rich media integration, etc) then this might be worth your effort. Feel free to ask me any questions about the code if you're interested.
Dave
________________________________
From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On Behalf Of Néstor
Sent: Thursday, January 29, 2009 8:07 AM
To: support at drupal.org
Subject: Re: [support] Drupal + IIS + windows
Fletch,
I have a few days left to help the cause for using Drupal but as long as I am unable to set up the NTLM so that users do not have to log into drupal then we will probably go with Sharepoint. I have tried several of the solutions that I found when I googled but they have not worked for me so far.
:-)
On Tue, Jan 27, 2009 at 1:04 AM, John Fletcher <net at twoedged.org> wrote:
Please let us know whether you end up going for SharePoint or Drupal, and why.
Regards,
Fletch.
From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On Behalf Of Néstor
Sent: Tuesday, 27 January 2009 3:44 AM
To: support at drupal.org
Subject: Re: [support] Drupal + IIS + windows
Gordon,
Yes, I am interested. I am planning on using IIS and IE in a windows environment.
Any information you can provide would be helpful.
We are making the decision between Drupal and Sharepoint and so far that is the one thing that Sharepoint has over drupal in our requirements.
Thanks,
Rotsen
On Mon, Jan 26, 2009 at 5:19 PM, Gordon Heydon <gordon at heydon.com.au> wrote:
Hi,
Yes I have gotten this to work before, but it only works on IE
complete (FF will automatically ask for the user/password).
The other issue is that it will not pass the password so Drupal has no
idea of the password. Basically I had it working so that it placed
trust in the ADS that the company used.
I would be a bit more specific, but I can't find my original code.
If you want to know more just let me know and I will see if I can find
it.
Gordon.
On 27/01/2009, at 11:28 AM, Néstor wrote:
> Hi people,
>
> I want to set up drupal in a windows + IIS environment and I want
> the user not to have to log in
> I want drupal to automatically know who they are.
>
> I am reading all kinds of stuff but some how I am not installing
> them correct because they do not work
>
> Drupal + IIS + Windows and the user did not have to login because its
> information was automagically passed to drupal.
>
> Did any of you people get this to work?
>
> Thanks,
>
> Nestor :-)
> --
> [ Drupal support list | http://lists.drupal.org/ ]