LDAP and LDAPS
Detailed information on how to configure LDAP and LDAPS on your Pantheon Drupal or WordPress website.
Lightweight Directory Access Protocol (LDAP) as a provider is not available on Pantheon: you cannot run a directory server on the platform. For sites at the Elite plan level that need a secure tunnel through your firewall to a directory hosted behind it, contact your sales representative regarding Pantheon Secure Integration.
LDAP as a Consumer
LDAP provides access to, and maintenance of, a distributed directory that stores organized sets of records. Using LDAP as a consumer of services (your site authenticating against or querying a directory hosted elsewhere) is supported on the platform and works at all plan levels, assuming correct configuration. The implementation and configuration details are up to you; not every directory server, module, or plugin combination is supported.
PHP on Pantheon is built with the LDAP extension (ext/ldap, linked against the OpenLDAP client library), so no changes to the platform are necessary in order to enable LDAP on your Pantheon site.
Pantheon supports IP-based defense-in-depth firewall schemes (allow-listing your site's source address on the firewall in front of your directory) only when implemented as part of a Pantheon Secure Integration configuration, because application containers are distributed and do not present a single fixed outbound address. For direct LDAPS connections we recommend certificate-based authentication, which does not depend on the address the container connects from.
Drupal
Users have reported success using https://drupal.org/project/ldap and https://drupal.org/project/simple_ldap to connect to LDAP servers, including Active Directory.
WordPress
WordPress has several LDAP plugins available. One of the most popular is Simple LDAP Login. It provides all the configuration options you need, including the ability to specify an alternate port for the directory server.
OpenLDAP Configuration for Client Certificates for LDAPS
Developers do not have access to edit the OpenLDAP client configuration file (ldap.conf). Instead, pass the equivalent settings to the OpenLDAP library through environment variables set with PHP's putenv() function.
If your LDAP server requires TLS certificates (a CA certificate to verify the server, and optionally a client certificate and key for mutual authentication), place them in the private file directory in your codebase: SITEROOT/private. Files in that directory are deployed with your code but are not served over the web. Note that a private key committed there is readable by everyone with access to the repository, so use a key issued for this purpose only.
Then, specify the location of the certificate file(s) in sites/default/settings.php using putenv. You may need some or all of these settings depending on your configuration. If you don't need a particular setting, don't include it; an unnecessary directive is very likely to prevent communication. Use your best judgement and knowledge of your infrastructure and choose accordingly. For more information about working with settings.php, see configuring settings.php.
Ensure that your certificates and private keys are not password-protected; there is no way to supply a passphrase during a web request. These certificates are almost certainly different from the certificates used to secure a site environment with HTTPS. If you're unsure, check with your server administrator to make sure that you are using the correct TLS certificates to communicate with your LDAP server.
You can also specify additional configuration with putenv, such as whether to verify the server certificate (the LDAPTLS_REQCERT variable).
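The following settings.php fragment is an added example and is not the page's own configuration. It shows the OpenLDAP client variables that replace ldap.conf on Pantheon, with the verification setting in its hardened form next to the weak form used only for diagnosis. The directory private/ldap and the file names in it are assumptions; substitute your own, and keep only the variables your server actually needs.

```php
<?php
// Added example (not from the original page): OpenLDAP client TLS settings
// exported from sites/default/settings.php, because ldap.conf is not
// editable on Pantheon. The environment variables are read by the OpenLDAP
// library on its first use, so they must be set before any ldap_* call.

// sites/default/settings.php -> SITEROOT/private/ldap (assumed layout).
$ldap_private = __DIR__ . '/../../private/ldap';

// CA bundle that signed the directory server's certificate. This is the
// LDAP CA, not the CA of the certificate that serves your site over HTTPS.
putenv('LDAPTLS_CACERT=' . $ldap_private . '/ldap-ca.pem');

// Client certificate and key: only if the server requires client
// authentication. The key must not be passphrase-protected; there is no
// prompt in a web request, and a protected key simply fails the handshake.
putenv('LDAPTLS_CERT=' . $ldap_private . '/client.crt');
putenv('LDAPTLS_KEY=' . $ldap_private . '/client.key');

// Server certificate verification. 'demand' (the OpenLDAP default) rejects
// any server certificate that does not chain to LDAPTLS_CACERT.
putenv('LDAPTLS_REQCERT=demand');
// 'never' disables verification entirely: the bind DN and password are then
// exposed to anyone who can intercept the connection. Use it only to prove
// that a failure is a certificate-chain problem, then remove it.
// putenv('LDAPTLS_REQCERT=never');

// Surface a missing or unreadable file in the logs rather than as an
// opaque "Can't contact LDAP server" later.
foreach (['LDAPTLS_CACERT', 'LDAPTLS_CERT', 'LDAPTLS_KEY'] as $var) {
  $path = getenv($var);
  if ($path !== false && !is_readable($path)) {
    trigger_error("$var points to an unreadable file: $path", E_USER_WARNING);
  }
}
```

Because the variables are consumed by the C library rather than by PHP, a typo in a variable name is silently ignored and the library falls back to its defaults; the readability check above catches a wrong path but not a misspelled name, so verify the names against ldap.conf(5).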
Frequently Asked Questions
How can I make changes to the OpenLDAP configuration file?
Users do not have access to make modifications to ldap.conf. Instead, use putenv within settings.php as described above.
Is ldap_sso supported?
The ldap_sso submodule from the suite of modules included in https://drupal.org/project/ldap is not supported. It relies on the web server performing the authentication (for example Kerberos or NTLM) and handing the identity to PHP, and that web server layer is not available on Pantheon. We do have PHP with LDAP support: any authentication through LDAP needs to be PHP-based and not web server-based.
Does Secure Integration work with LDAP?
WordPress and Drupal both work with the Pantheon Secure Integration. If you’re using the Drupal LDAP module, apply the patch prepared by one of our engineers listed on Drupal.org. The patch allows the use of a PHP constant for the port number, and gives a good example should you need to write a similar patch for another module.
Troubleshooting
The majority of problems with LDAP on Pantheon come from misconfiguration. Pantheon does not filter or block LDAP or LDAPS traffic and does not use a firewall to restrict traffic between your Pantheon environment and your locally hosted server, so a connection that is refused or times out is almost always stopped by the firewall in front of your directory server, not by the platform.
Use the following script to troubleshoot a variety of configuration problems. Customize it with your settings, then place it in your site root with a name like ldap-test.php. This script requires PHP 7.1 to execute without PHP errors. If you are connecting via a Pantheon Secure Integration, use the alternate $settings array below the full script instead. You can execute it remotely using Terminus, which fully bootstraps Drupal and therefore applies the putenv() calls from your settings.php:
The entire script:
Alternate $settings array when using Secure Integration:
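The script below is an added example and is neither the page's own troubleshooting script nor its Secure Integration settings array. It walks the connection in the order in which failures actually occur (extension present, URI parsed, TLS and bind, search) and prints the library's diagnostic message at the first failing stage, which is what distinguishes a firewall problem from a certificate problem. The host, port, DNs and filter are placeholders; the bind password is read from an assumed LDAP_BIND_PW environment variable so it does not end up in the repository.

```php
<?php
// Added example (not the page's own script): stage-by-stage LDAP/LDAPS check.
// Run it through drush or WP-CLI so settings.php (and its putenv() calls)
// has been loaded; if you run it with plain php, set LDAPTLS_* here first.

$settings = [
  // ldaps:// on 636, or ldap:// on 389 with 'start_tls' => true.
  'uri'       => 'ldaps://ldap.example.com:636',   // placeholder
  'start_tls' => false,
  'bind_dn'   => 'cn=lookup,ou=service,dc=example,dc=com', // placeholder
  'bind_pw'   => getenv('LDAP_BIND_PW') ?: '',     // assumed env var
  'base_dn'   => 'dc=example,dc=com',              // placeholder
  'filter'    => '(objectClass=person)',
  'timeout'   => 10,                               // seconds
];

// Print the library's own error and diagnostic text for the failing stage.
function ldap_test_fail($conn, string $stage): void {
  $diag = '';
  if ($conn) {
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
  }
  fwrite(STDERR, sprintf("FAIL at %s: %s (errno %d) %s\n", $stage,
    $conn ? ldap_error($conn) : 'no connection handle',
    $conn ? ldap_errno($conn) : 0, $diag));
  exit(1);
}

// Stage 1: the extension. On Pantheon it is present; elsewhere it may not be.
if (!function_exists('ldap_connect')) {
  fwrite(STDERR, "PHP LDAP extension is not loaded\n");
  exit(1);
}
printf("PHP %s with ext/ldap; LDAPTLS_REQCERT=%s\n", PHP_VERSION,
  getenv('LDAPTLS_REQCERT') ?: '(unset, library default: demand)');

// Stage 2: ldap_connect() only parses the URI; nothing is sent yet.
$conn = ldap_connect($settings['uri']);
if ($conn === false) {
  ldap_test_fail(false, 'ldap_connect (malformed URI)');
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD returns referrals; chasing them hangs
ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, $settings['timeout']);

// Stage 3: the first real round trip. TCP, firewall and TLS failures all
// surface here, and the diagnostic message says which.
if ($settings['start_tls'] && !@ldap_start_tls($conn)) {
  ldap_test_fail($conn, 'ldap_start_tls');
}
if (!@ldap_bind($conn, $settings['bind_dn'], $settings['bind_pw'])) {
  ldap_test_fail($conn, 'ldap_bind');
}
echo "Bind OK as {$settings['bind_dn']}\n";

// Stage 4: a bounded search proves the base DN and the bind account's
// read permission without dumping the directory.
$result = @ldap_search($conn, $settings['base_dn'], $settings['filter'], ['dn'], 0, 5);
if ($result === false) {
  ldap_test_fail($conn, 'ldap_search');
}
$entries = ldap_get_entries($conn, $result);
echo "Search OK: {$entries['count']} entries returned (size limit 5)\n";
for ($i = 0; $i < $entries['count']; $i++) {
  echo '  ', $entries[$i]['dn'], "\n";
}
ldap_unbind($conn);
```

Reading the output: a timeout or "Can't contact LDAP server" with an empty diagnostic message at the bind stage points at the network path (your firewall, the port, or a Secure Integration tunnel that is not up); the same error with a diagnostic message naming the TLS handshake or certificate verification points at LDAPTLS_CACERT or the certificate files; "Invalid credentials" means the connection and TLS are fine and only the bind DN or password is wrong. If the bind succeeds only after setting LDAPTLS_REQCERT=never, the server certificate does not chain to the CA file you supplied; fix the chain rather than leaving verification off.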