When I was tasked with making it possible for employees to log in to a Drupal site with LDAP passwords, I turned to the shib_auth module.

The shib_auth module lets users authenticate to a Drupal site using Shibboleth, the 'single sign on' framework used by many institutions (and federations of institutions).

In Shibboleth-speak, this involves setting up the Drupal site as an "service provider" and making it talk to the central authority - the "identity provider" (which in our institution turns around and talks to the LDAP server). Easier said than done.

This is the story of one modest implementation. I will describe what I did to set up a service producer and get shib_auth working. [I won't cover how to set up an identity provider, or spend much time on generalities about why you should use Shibboleth.]

I made mistakes along the way, and while it's working, some challenges remain. I hope my experiences will save you some time and annoyance.