
Autofill ASU User Data on your Pantheon Site Using LDAP

Do you need to access ASU user data on your Pantheon / webspark site? For example, you may wish to autopopulate new accounts with certain information (using the CAS Attributes module) or to search ASU users with the ASU Userpicker module.
This can be done by connecting to ASU's LDAP server. Fortunately, Drupal has a module called LDAP which can create this connection. Once you have set it up, you can use this connection to view and pull ASU user data.

Connecting to ASU LDAP from a webspark site (or any other site hosted on Pantheon) requires a few things:

  • An ASU LDAP app ID
  • Drupal's LDAP module suite
  • An intermediate certificate (this is no longer required)


The first thing you will require is an ASU LDAP app ID to be able to query the LDAP server. This app ID must be requested from ednateam@asu.edu.

Email ednateam@asu.edu and describe your use case, department, and other pertinent information. They will review your request and, if approved, grant you an app ID to use. This app ID should then be entered in the Binding Method configurations when setting up the LDAP module suite.

LDAP Module Suite

If you are using webspark, then all the modules that you will need come preinstalled!

However, if you are not using webspark, you can download the proper modules yourself. 
The LDAP module suite can be downloaded here: https://drupal.org/project/ldap. Install it into your Drupal site like any other module.

The suite contains many different LDAP-related modules. To connect to ASU LDAP, you only need to enable the "LDAP Servers" submodule. However, you may also find it useful to enable the "LDAP Test" module, which lets you run test queries against LDAP and confirm that your connection is working as desired.

The two modules enabled. Only the LDAP Servers module is required, but the Test module is useful.

Once you have enabled the LDAP Servers module, you must create a new LDAP server record and configure it. This can be done by going to Administration > Configuration > People > LDAP Configuration.

To create a new server record, click "Add LDAP Server Configuration". This will present a form with many different configurations to fill out. We will go through each configuration step by step.

Connection Settings:

This group deals with establishing a connection with ASU's LDAP server.

Machine Name for this Server Configuration:
This is Drupal's internal name for the server. Choose any descriptive name.

This is Drupal's human-readable name for the server. Again, choose any descriptive name.

This checkbox controls whether you wish the server to be available to be used by other modules. You can uncheck the box to prevent people from using the server connection while still maintaining the configuration. Check it for now.

LDAP Server Type:
Allows you to choose the type of LDAP server we are using. Choose "Default LDAP".

LDAP Server:
This is the URI that points to ASU's LDAP server. This should be "ldaps://sec-ds.asu.edu".
NOTE: you must connect to the LDAP server using LDAPS, which encrypts all traffic with SSL/TLS. This protects both your data and others' data!

LDAP Port:
The port we connect to the LDAP server through. Enter 636.

The remaining checkboxes can be ignored and left unchecked.

The configuration settings for the Connection Settings tab.

Binding Method:

This section defines the credentials and parameters we will be using for our LDAP connection. This section is highly important, so make sure you enter the information correctly!

Binding Method for Searches:
We will be using the default Service Account Bind to connect to the ASU LDAP server.

DN for Non-Anonymous Search:
The DN ("Distinguished Name", described here) is a series of attributes (RDNs) that together identify the entity which will be querying the LDAP server. The information you enter here is specific to your own binding! You will need to enter three items:

  • uid: this is the app ID that you got in the previous section. It is used to identify your app to ASU LDAP.
  • ou: the organizational unit that contains your uid. If you are only getting read access to the LDAP server, this should be "ReadOnly".
  • o: the organization. This should be "asu.edu".

These three attributes should be entered as a single string, in the following format: "uid=<your app id>,ou=ReadOnly,o=asu.edu"

The remaining fields may be left blank.

The binding settings. I have blacked out the uid value.

LDAP User to Drupal User Relationship:

This section deals with how LDAP maps to Drupal user accounts. This information is required if you want to create Drupal accounts out of LDAP data.

Base DNs for LDAP users, groups and other entries:
Once again, we must enter a DN which describes where the users we are referencing can be found. The value here should be "ou=People,o=asu.edu".

AuthName attribute:
This should be "asuriteid".

Email attribute:
This should be "mail".

The remaining attribute fields may be filled in as the need arises.

Some of the LDAP User to Drupal User settings.

LDAP Group Configuration:

These fields are not required to connect to ASU LDAP, but may be filled out depending on your use case.

LDAP Pagination:

These fields are not required to connect to ASU LDAP, but may be filled out depending on your use case.


Intermediate Certificate:

At time of writing, the connection between LDAP and Drupal sites hosted on Pantheon (such as webspark sites) is unstable and goes up and down. ASU UTO and Pantheon are currently looking into this; in the meantime, we can use an intermediate certificate to solve the problem.

There are two steps to setting up the intermediate certificate workaround.

  1. Get the intermediate certificate, which can be requested by contacting pantheon@asu.edu.
    Once you have received the certificate, place it in a private folder in your site's root directory. If the private folder is not there, create it yourself.
  2. Insert some code at the bottom of your site's settings.php file. The code should be entered as follows:
    // Path to the certificate placed in the site's private folder (relative to sites/default/settings.php).
    $tls_cacert = __DIR__ . '/../../private/<certificate_name>.crt';
    if (!file_exists($tls_cacert)) die($tls_cacert . ' CA cert does not exist');
    // Tell the OpenLDAP client library to trust this CA file; without this line the path is never used.
    putenv("LDAPTLS_CACERT=$tls_cacert");

If done right, these two steps will create a stable connection between ASU LDAP and your Drupal site. 
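As an added example (not code from the original post or from the LDAP module), here is a stand-alone PHP script that exercises the same values entered above (the LDAPS URI and port, the ReadOnly bind DN, the People base DN, the asuriteid and mail attributes, and the optional CA file from the certificate workaround) so the bind and a read-only lookup can be verified before relying on the Drupal form. It assumes the app ID and its password are supplied in the hypothetical environment variables ASU_LDAP_APP_ID and ASU_LDAP_APP_PW, and that the script lives in the site root beside the private folder.

```php
<?php
// Added example: verify the ASU LDAP settings from the post outside Drupal.
// Usage: ASU_LDAP_APP_ID=... ASU_LDAP_APP_PW=... php ldap_check.php <asuriteid>
// (environment variable names and script name are assumptions, not from the post)

$appId = getenv('ASU_LDAP_APP_ID');
$appPw = getenv('ASU_LDAP_APP_PW') ?: '';   // blank if no password was issued
$asurite = $argv[1] ?? null;
if ($appId === false || $asurite === null) {
    fwrite(STDERR, "usage: ASU_LDAP_APP_ID=<app id> php ldap_check.php <asuriteid>\n");
    exit(1);
}

// Values taken from the post: server URI/port, bind DN format, base DN.
$uri    = 'ldaps://sec-ds.asu.edu:636';
$bindDn = "uid={$appId},ou=ReadOnly,o=asu.edu";
$baseDn = 'ou=People,o=asu.edu';

// Optional: trust the intermediate certificate from the private folder
// (placeholder file name, as in the settings.php snippet above).
$caFile = __DIR__ . '/private/<certificate_name>.crt';
if (file_exists($caFile)) {
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
}
// Always require a valid server certificate; never fall back to plain ldap://.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$conn = ldap_connect($uri);
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Service Account Bind with the app ID's DN.
if (!@ldap_bind($conn, $bindDn, $appPw)) {
    fwrite(STDERR, "bind failed: " . ldap_error($conn) . "\n");
    exit(1);
}

// Read-only lookup of one user, requesting only the attributes the post maps.
// The user-supplied value is escaped so it cannot alter the search filter.
$filter  = '(asuriteid=' . ldap_escape($asurite, '', LDAP_ESCAPE_FILTER) . ')';
$result  = ldap_search($conn, $baseDn, $filter, ['asuriteid', 'mail']);
$entries = ldap_get_entries($conn, $result);
if ($entries['count'] === 0) {
    echo "no entry found for {$asurite}\n";
    exit(2);
}
printf("%s -> %s\n", $entries[0]['asuriteid'][0], $entries[0]['mail'][0] ?? '(no mail)');
ldap_unbind($conn);
```

A failed bind here means the app ID, DN format or certificate is wrong, which is worth ruling out before the LDAP Servers form is saved.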

What Next? Making Use of LDAP:

There are many useful things you can do with the information provided by ASU LDAP. These include:

  • Using the CAS and CAS Attributes modules to download user information from ASU LDAP and populate Drupal accounts upon user signin.
  • Using the ASU Userpicker module to create user reference fields in entities; these user reference fields can reference ASU users stored in LDAP, even if they don't have local Drupal accounts! If you wish, you can configure the Userpicker module to create Drupal accounts when someone refers to an LDAP user in a Userpicker field.