In the web team we recently took over the technical maintenance and development of the Edinburgh College of Art (ECA) website. Part of this development work involved integrating the University’s standard authentication service (EASE) with the Content Management System (CMS) used by the ECA website, Drupal 7.
Although the Drupal CMS has been used for many years throughout the University, it has not been widely used with EASE. The only exceptions that I am aware of are the work I did myself in collaboration with Colin Higgs on the School of Engineering website in 2010, implementing EASE authentication on a Drupal 6 platform (since updated to Drupal 7 by Billy Rosendale), and http://www.projects.ed.ac.uk, built using Drupal 6. The University Website Programme (UWP) are currently developing Drupal 7 for use as the main University CMS, and part of that development is support for EASE authentication; the web team used this EASE integration work as the model for the ECA website.
The required behaviour for the ECA website Drupal CMS was Single Sign-On (SSO), in other words, a member of staff or a matriculated student at the University should only have to log in once with their standard University account username (UUN) and password during a single browser session, to get access to the ECA website CMS for editing and updating. The main content of the website itself is always publicly viewable and is not part of the authentication requirements.
This was achieved by the web team using the University’s LDAP and EASE CoSign services for authentication, and then native Drupal user permissions for authorisation. CoSign runs as an Apache module: once a user has authenticated with EASE it sets the $_SERVER['REMOTE_USER'] variable on each protected request, and that server-set username (not anything supplied by the browser) is what the Drupal SSO login trusts. The functionality is implemented by using the standard Drupal LDAP module package (https://drupal.org/project/ldap) with a few important implementation details:
- version 7.x-2.0-beta8 of the Drupal LDAP module package has to be used (https://drupal.org/node/2169125)
- the package has to use a patch (https://drupal.org/node/2175881) for the /ldap/ldap_sso module
- only 4 of the modules in this package of modules need to be enabled: LDAP Authentication, LDAP Servers, LDAP SSO and LDAP User
A Drupal Feature on a dedicated standalone test version of the ECA website was created to manage the configuration and development of this using Git and Bitbucket, to ensure the work fitted in with the team’s structured collaborative development, versioning and rapid application development workflow and methodology.
This Drupal Feature contained all the required LDAP settings for EASE authentication to work and was created with an ‘LDAP SERVERS’ component (containing the connection details to the University’s LDAP server) and two variables in the STRONGARM component (ldap_authentication_conf and ldap_user_conf).
The website also had to contain this line in the main Drupal .htaccess file, so that Drupal’s rewrite rules do not route the CoSign validation URL to index.php and EASE redirects work:
RewriteCond %{REQUEST_URI} !=/cosign/valid
There were also several server-side configuration tasks that needed to be done:
- the PHP installation that the website uses has to have the LDAP extension compiled in and loaded
- the PHP ‘memory_limit’ setting has to be set high enough (96MB is too low), and the ‘max_execution_time’ setting also has to be tested
- the University’s CoSign service has to be configured to service requests from the domain that the website uses
- the website has to be included in the University’s CoSign environment and this was done by adding this directive to the Apache virtual hosts configuration file for the website (httpd-vhosts.conf) on the webserver – this protects the Drupal login path used by the LDAP module (/user/login/sso) and triggers EASE authentication:
<Location /user/login/sso>
    CosignProtected On
    AuthType Cosign
</Location>
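As an added example (not the ECA web team’s own code), the script below is a preflight check for the server-side items above. It audits copies of the Apache vhost, the Drupal .htaccess, php.ini and the output of `php -m`, reporting anything that would stop EASE SSO from working: the SSO path not inside a CosignProtected <Location>, the /cosign/valid RewriteCond missing, the LDAP extension not loaded, or memory_limit too low. The sample file contents, the hostname and the 128M memory threshold are constructed for illustration; the page only says that 96MB is too low.

```python
"""Preflight check for the EASE/CoSign + Drupal LDAP SSO configuration.

Added example; not part of the ECA website or the Drupal LDAP module.
"""
import re

SSO_PATH = "/user/login/sso"      # path protected in the vhost
COSIGN_VALID = "/cosign/valid"    # CoSign validation URL excluded in .htaccess
MIN_MEMORY_BYTES = 128 * 1024 * 1024  # assumed threshold; page says 96M is too low


def parse_php_size(value):
    """Convert php.ini shorthand ('96M', '1G', '-1' for unlimited) to bytes."""
    value = value.strip()
    if value == "-1":
        return float("inf")
    m = re.fullmatch(r"(\d+)\s*([KkMmGg]?)", value)
    if not m:
        raise ValueError("bad php size: %r" % value)
    n, unit = int(m.group(1)), m.group(2).upper()
    return n * {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[unit]


def sso_location_protected(vhost_text):
    """True iff some <Location> covering SSO_PATH has CosignProtected On
    and AuthType Cosign. Uses Apache's prefix matching for <Location>."""
    for m in re.finditer(r"<Location\s+(\S+)\s*>(.*?)</Location>",
                         vhost_text, re.S | re.I):
        path, body = m.group(1).rstrip("/"), m.group(2)
        if SSO_PATH == path or SSO_PATH.startswith(path + "/"):
            if (re.search(r"^\s*CosignProtected\s+On\b", body, re.M | re.I)
                    and re.search(r"^\s*AuthType\s+Cosign\b", body, re.M | re.I)):
                return True
    return False


def cosign_valid_excluded(htaccess_text):
    """True iff Drupal's rewrite rules leave COSIGN_VALID alone."""
    pattern = (r"^\s*RewriteCond\s+%\{REQUEST_URI\}\s+!="
               + re.escape(COSIGN_VALID) + r"\s*$")
    return re.search(pattern, htaccess_text, re.M) is not None


def php_ini_value(ini_text, key):
    """Return the value of `key = value` in php.ini text, or None."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), ini_text, re.M)
    return m.group(1) if m else None


def ldap_loaded(php_m_output):
    """True iff 'ldap' is listed as a module in `php -m` output."""
    return any(line.strip().lower() == "ldap" for line in php_m_output.splitlines())


def audit(vhost_text, htaccess_text, ini_text, php_m_output):
    """Return a list of problems; an empty list means the preflight passed."""
    problems = []
    if not ldap_loaded(php_m_output):
        problems.append("PHP ldap extension not loaded")
    mem = php_ini_value(ini_text, "memory_limit")
    if mem is None or parse_php_size(mem) < MIN_MEMORY_BYTES:
        problems.append("memory_limit %s is too low" % mem)
    if php_ini_value(ini_text, "max_execution_time") is None:
        problems.append("max_execution_time not set explicitly; test it")
    if not sso_location_protected(vhost_text):
        problems.append("%s is not CosignProtected in the vhost" % SSO_PATH)
    if not cosign_valid_excluded(htaccess_text):
        problems.append("RewriteCond for %s missing from .htaccess" % COSIGN_VALID)
    return problems


# Constructed sample inputs (hostname and values are illustrative only).
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName www.example.ac.uk
    <Location /user/login/sso>
        CosignProtected On
        AuthType Cosign
    </Location>
</VirtualHost>
"""
SAMPLE_HTACCESS = """
RewriteEngine on
RewriteCond %{REQUEST_URI} !=/cosign/valid
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
"""
SAMPLE_INI = "memory_limit = 256M\nmax_execution_time = 60\n"
SAMPLE_PHP_M = "[PHP Modules]\ncurl\nldap\nmbstring\n"

if __name__ == "__main__":
    for line in audit(SAMPLE_VHOST, SAMPLE_HTACCESS, SAMPLE_INI, SAMPLE_PHP_M) or ["preflight OK"]:
        print(line)
```

On a real server you would read the vhost file, the site’s .htaccess, `php --ini` output and `php -m` into the four arguments; the <Location> check deliberately uses Apache’s prefix semantics, so a blanket `<Location />` block is accepted, while a block that has `AuthType Cosign` but no `CosignProtected On` is reported.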
The final steps needed to achieve the required behaviour were:
- a user account was manually created in Drupal for anyone needing access to the CMS. Accounts are not created automatically by the Drupal EASE/LDAP setup as configured here; the module can be configured to create an account on first login from the user’s details on the LDAP server, but that would give a Drupal account to any member of the University who passes EASE authentication, so it is probably not a good idea when EASE is being used to authenticate Drupal editors or administrators
- the Drupal user account username must match the UUN on the University’s LDAP server, because the username that CoSign places in REMOTE_USER is what the LDAP module uses to find the Drupal account and synchronise its details
This system successfully provides authentication to the ECA website CMS using the University’s EASE system, but not authorisation, which still has to be done using Drupal Roles and Permissions for users.
[thanks go to Alain Forrester, Adrian Richardson and Mairi Fraser of the University Information Services Applications Division team for their technical support during this development work]