<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>My Open Source Software Exploits</title>
	<atom:link href="http://allopen.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://allopen.wordpress.com</link>
	<description>Open Solutions</description>
	<lastBuildDate>Fri, 09 Oct 2009 20:48:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='allopen.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/18c6084a821c26e573d99b18dcf2bfa9?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>My Open Source Software Exploits</title>
		<link>http://allopen.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://allopen.wordpress.com/osd.xml" title="My Open Source Software Exploits" />
	<atom:link rel='hub' href='http://allopen.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Running Drupal 6.5 on PHP 5.3.x</title>
		<link>http://allopen.wordpress.com/2009/10/09/running-drupal-6-5-on-php-5-3-x/</link>
		<comments>http://allopen.wordpress.com/2009/10/09/running-drupal-6-5-on-php-5-3-x/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 18:26:59 +0000</pubDate>
		<dc:creator>bryanallo</dc:creator>
				<category><![CDATA[CMS]]></category>

		<guid isPermaLink="false">http://allopen.wordpress.com/?p=23</guid>
		<description><![CDATA[How do you move forward with PHP 5.3 while still supporting your Drupal 6.5 CMS deployments? This post is about my solution to that challenge.]]></description>
			<content:encoded><![CDATA[<p>I am sure there are many other folks out there with Drupal CMS deployed who really need PHP 5.3. Not too long ago I decided it was time to extend my web application framework to authenticate against the network Active Directory via LDAP. As I fine-tuned my solution over the course of several days I quickly realized that I needed PHP 5.3 to be running on all web application servers because of a very recently released method in the PHP LDAP module. Authenticating against LDAP was a crucial step in the process of consolidating a growing range of internal business applications, so a PHP 5.3 upgrade was unavoidable.</p>
<p>At the same time several business units were in the process of implementing the Drupal 6.5 CMS solution. The problem, as we quickly realized, was that Drupal 6.5 will only work with PHP 5.2 or older. From an organizational standpoint we absolutely needed PHP 5.3. We also did not want to run more than one version of PHP on our web servers just to host Drupal. Also, the various business units could not wait for Drupal 7 to be released (whenever that may be). And even if Drupal 7 were released, I am less inclined to do an immediate upgrade without a complete evaluation of the entire CMS.</p>
<p><strong>So how do I get Drupal 6.5 to work on PHP 5.3?<br />
</strong>I decided to just dive into the Drupal 6.5 source code and figure out what was broken and start fixing it all. I found four (4) core issues at the heart of the Drupal 6.5 / PHP 5.3 incompatibility.</p>
<p><strong><span style="color:#993300;">1 ) Function ereg() is deprecated<br />
</span></strong>Once you run Drupal 6.5 on PHP 5.3, the first error you will get is this one. Yes, the ereg() function is deprecated (discontinued), but it still runs fine and the warning/notice can be silenced for now until you upgrade to Drupal 7. To silence the function warning, simply add a <strong><em>&#8220;@&#8221;</em></strong> before the <strong><em>&#8220;ereg()&#8221;</em></strong> function call so <strong>&#8220;ereg()&#8221;</strong> becomes <strong>&#8220;@ereg()&#8221;</strong>. There were several instances of this. I decided to only change those that showed up on the Drupal site, instead of doing a global search and replace. The ones I found and changed are listed below:</p>
<blockquote><p><span style="color:#333399;">- The &#8220;ereg()&#8221; call should be silenced as such &#8220;@ereg()&#8221;<br />
- Line 895 &#8211; /includes/file.inc<br />
- Line 385 &#8211; /modules/user/user.module  (yes that is the &#8220;.module&#8221; extension)<br />
- Line 553 &#8211; /includes/file.inc<br />
&#8211; Silence the &#8220;array_merge()&#8221; within the &#8220;ereg()&#8221; function call as well</span></p></blockquote>
<p><span style="color:#993300;"><strong> 2 ) Function split() is deprecated</strong><br />
</span>Not sure why such a symbolic function is deprecated, but I&#8217;m sure it&#8217;s all for a good cause. Like the <strong>&#8220;ereg()&#8221;</strong> call, it must be silenced as well. Below are the instances I changed (not a complete list):</p>
<blockquote><p><span style="color:#333399;">- Line 895 &#8211; /modules/filter/filter.module</span></p></blockquote>
<p><span style="color:#993300;"><strong>3 ) warning: call_user_func_array() expects parameter 2 to be array</strong><br />
<span style="color:#000000;">It appears PHP 5.3 is less forgiving as far as whether or not you specify explicitly that you are passing an argument to a function by value or by reference. In most classical languages such as C/C++ this is very important. It seems PHP 5.2 was okay with it either way. I think this change is a good thing and will go a long way toward forcing programmers to think about how they write code, and give more creative room as far as optimizing your applications to use memory more efficiently. However, the solution to this problem is actually quite simple; you just have to add an ampersand <strong>&#8220;&amp;&#8221;</strong> in front of any relevant arguments that are causing this error. The &#8220;&amp;&#8221; simply states that you are passing the argument by reference and not by value. Initially I found 27 instances of these calls in the Drupal 6.5 source. I am sure there are more instances in the <em>&#8220;.module&#8221;</em> code but I&#8217;m only making the changes as needed. I try to avoid global changes I don&#8217;t have to make.</span></span></p>
<blockquote><p><span style="color:#993300;"><span style="color:#333399;">Example: The call call_user_func_array($function, $args) should change to call_user_func_array($function, &amp;$args) <br />
- Line 436 &#8211; /includes/menu.inc<br />
- Line 617 &#8211; /includes/theme.inc<br />
- Line 553 &#8211; /includes/file.inc</span></span></p></blockquote>
<p><strong> <span style="color:#993300;">4 ) PHP Warning: Call-time pass-by-reference has been deprecated</span></strong><br />
Once I made all the above changes and my Drupal 6.5 instance was up and running, I was now getting a warning from PHP. The fix of argument references caused PHP to issue a warning of its own. You can fix this by making sure the value for &#8220;<em>allow_call_time_pass_reference</em>&#8221; is set to &#8220;<em>On</em>&#8221; in your &#8220;<em>php.ini</em>&#8221; file. This is a good practice anyway and highly recommended for any production environment, as your PHP instance should not report any errors or warnings to the browser, but to the server log file.</p>
<p>Please let me know if you find any more instances where the Drupal 6.5 code needs patching, so I may add them to my notes here. So far the Drupal 6.5 instances have been running successfully. Thanks and all the best.</p>
<p><strong>DISCLAIMER:<br />
</strong>I have only been working with Drupal for several days so far. Please bear with me as I dive deeper into the source code and architecture. You may see several new messages in your log files. In my case I&#8217;m running Apache. Most of the new log errors are the &#8220;deprecated function&#8221; warnings so it&#8217;s not a big deal for now, until I upgrade to Drupal 7. I am still investigating any other effects these fixes may have had on the servers.</p>
]]></content:encoded>
			<wfw:commentRss>http://allopen.wordpress.com/2009/10/09/running-drupal-6-5-on-php-5-3-x/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/d2573e17761960096520044acc730988?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">bryanallo</media:title>
		</media:content>
	</item>
		<item>
		<title>LDAP and PHP</title>
		<link>http://allopen.wordpress.com/2009/10/07/ldap-and-php/</link>
		<comments>http://allopen.wordpress.com/2009/10/07/ldap-and-php/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 17:44:21 +0000</pubDate>
		<dc:creator>bryanallo</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://allopen.wordpress.com/?p=3</guid>
		<description><![CDATA[I build a lot of custom corporate and business applications and I got tired of having to build user management for every application. This post is about what I learned about integrating PHP and LDAP.]]></description>
			<content:encoded><![CDATA[<p>Most organizations, even those taking advantage of the benefits of open source software, are running on Microsoft Windows based network services. I have spent most of my career building custom business applications (with PHP/MySQL whenever I have a choice). One of the critical aspects of a custom application is user management and security. It&#8217;s a real drag. I decided to integrate Active Directory into my PHP application framework so I can focus on implementing critical features instead of security models.</p>
<p>The greatest benefits of such an integration are that you can quickly and easily setup a Web Single Sign-On (WSSO) for all your corporate applications. Your same Windows user name gets you onto all the different web applications that you use in your organization. No more need to remember numerous username/password combinations. When a new employee is hired, the Systems Administrator sets up their network user and assigns them to the appropriate user groups in Active Directory and they&#8217;re good to go. Voila!</p>
<p><strong>You will need PHP 5.3+</strong><br />
PHP for the most part has what you need to do an LDAP integration. I did run into one little but crucial issue, and that was with PHP 5.2. There was one crucial method not yet implemented: &#8220;<em>ldap_set_option</em>&#8221;. Everything worked fine as long as my routines were given a correct user name and password combination. We all know this is hardly always the case. If the username/password was incorrect, the PHP LDAP module would lock up while waiting for a response from the LDAP server that failed to authenticate the wrong username/password combination. The module tied up the PHP server process until the script timed out. To remedy this I needed to be able to set a timeout on my PHP-to-LDAP connection. It turned out the PHP community was working on a solution around the same time, to be released in PHP 5.3. One simple line made all the difference:<br />
<pre class="brush: php;">
ldap_set_option($ldap_handle, LDAP_OPT_NETWORK_TIMEOUT, 10);
</pre></p>
<p>You will also need some kind of LDAP browsing tool. I used <em>LDAP Browser 2.6</em> by <em>Softerra</em>. Thanks Mark. It also shows you what queries are being sent back to your LDAP service. From this you will very quickly be able to decipher your Active Directory and determine what you need to look for in your LDAP search queries. Just playing around with the LDAP browser told me way more about Active Directory than I learned after endless nights reading manuals and protocol spec sheets.</p>
<p>Below is a function I put together to authenticate users against an LDAP service. I have inserted comments at every step and simplified a lot of my original code to present my solution in a very straightforward, step-by-step process. I have not tested the resulting code below and as a result it may be missing a semi-colon here or there. I expect anyone who finds this interesting is self-sufficient enough to make this solution work for themselves as needed.</p>
<p><pre class="brush: php;">
function LDAP_UserLogin($Portal) {
	// $Portal is my application framework which resides in my session at all times.
	
	// Read the submitted user name and password from the framework
	$USR_Name = $Portal-&gt;Web['UserName'];
	$PWD = $Portal-&gt;Web['Password'];
	
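	// LDAP Windows server name. An ldaps:// URI (or ldap_start_tls() after
	// connecting) keeps the bind password from crossing the network in cleartext.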
	$HOST = &quot;LDAP_ServerName&quot;;
	// Fully qualified network user name
	$USER_DN = &quot;NETWORK_DOMAIN\\&quot;.$USR_Name; 
	
	// This value is determined by your active directory structure
	$BASE_DN = &quot;DC=NETWORK_DOMAIN,DC=local&quot;;
	
	/*
	Specify what user (node) you wish to have returned.	If you use 
	the wildcard, LDAP will return every single node accessible to 
	the authenticated user. So a wildcard query from */
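	// Escape LDAP filter metacharacters (RFC 4515) so the submitted user name
	// cannot change the meaning of the search filter. The backslash goes first.
	$USR_Filter = str_replace(array('\\','*','(',')',&quot;\x00&quot;), array('\\5c','\\2a','\\28','\\29','\\00'), $USR_Name);
	$SEARCH_OBJECT=&quot;(mailnickname=$USR_Filter)&quot;;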
	// To show everything accessible to $USER_DN use $SEARCH_OBJECT=&quot;(objectClass=*)&quot;; 
	
	// Specify what fields (nodes) you wish returned for the authenticated user.
	$FILTER = array(&quot;*&quot;);
	// OR select only specific tree nodes/values to return.
	//$FILTER = array(&quot;sn&quot;, &quot;mailnickname&quot;, &quot;displayname&quot;, &quot;memberof&quot;);
	
	// LDAP authentication process updates
	$Message = '';
	
	// Step 1 - connect to LDAP Server
	if($ldap_handle=ldap_connect($HOST)) {
		$Message .= 'LDAP Connect Successful&lt;br&gt;';
	} else {
		$Message .= 'LDAP Connect Failed&lt;br&gt;';
		return $Message;
	}
	
	/* 
	Step 2 - Set a timeout for the PHP-to-LDAP connection, or it will tie-up 
	the server process until the script times-out, whenever someone 
	provides a wrong user/password combination. 5-10 seconds is long 
	enough to wait for an LDAP server response. */
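	ldap_set_option($ldap_handle, LDAP_OPT_NETWORK_TIMEOUT, 10);
	// Active Directory searches from the domain root generally need LDAPv3
	// with referral chasing disabled.
	ldap_set_option($ldap_handle, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($ldap_handle, LDAP_OPT_REFERRALS, 0);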
	
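	// Step 3 - Bind to LDAP Server using user credentials.
	// Reject empty credentials first: a bind with an empty password is treated
	// as an anonymous (unauthenticated) bind and can succeed without proving
	// who the user is.
	if(trim((string)$USR_Name) === '' || (string)$PWD === '') {
		$Message .= 'LDAP Bind Failed: user name and password are required&lt;br&gt;';
		return $Message;
	}
	// The @ goes on the ldap_bind() call so a failed bind does not emit a PHP warning.
	$bind_result = @ldap_bind($ldap_handle,$USER_DN,$PWD);
	if($bind_result) {
		$Portal-&gt;User-&gt;Profile['LoginStatus'] = 1;
		$Message .= 'LDAP Bind Successful&lt;br&gt;';
	} else {
		// The user name is user input, so encode it before it lands in HTML output.
		$Message .= 'LDAP Bind Failed for '.htmlspecialchars($USER_DN).'&lt;br&gt;';
		return $Message;
	}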
	
	/* 
	Step 4 - Search Active Directory for specified object - user record.
	User authentication happens in Step 3 when you bind the user to your 
	LDAP connection. You will only be able to search any nodes that user 
	has access to within the Active Directory tree. Therefore a system 
	Administrator will be able to search the entire network directory so 
	be careful. Active directories can be very, very big! */
	if($search_result=ldap_search($ldap_handle,$BASE_DN,$SEARCH_OBJECT,$FILTER)) {
		$Message .= 'LDAP Search Successful&lt;br&gt;';
		//Print out search result tree as array
		//print_r($search_result);
	} else {
		$Message .= 'LDAP Search Failed&lt;br&gt;';
		return $Message;
	}
	
	/* 
	Step 5 - Get first entry of LDAP record search result. This is not 
	really necessary. It's a leftover from my testing of the PHP LDAP 
	module. It helps sometimes when debugging to see what is being 
	returned. See the commented-out line below. */
	if($result=ldap_first_entry($ldap_handle,$search_result)) {
		$Message .= 'LDAP Get First Entry Successful&lt;br&gt;';
		//Print out tree as array.
		//print_r($result);
	} else {
		$Message .= 'LDAP Get First Entry Failed&lt;br&gt;';
		return $Message;
	}
	
	
	/*
	Step 6 - Get all returned LDAP entries that met your search criteria. 
	This is important. You can uncomment the line below to see the entire 
	tree. Again be careful when querying the entire tree with a user who 
	has full network administrative privileges. */
	if($result=ldap_get_entries($ldap_handle,$search_result)) {
		$Message .= 'LDAP Get Entries Successful&lt;br&gt;';
		// Print out all entries as array
		//echo &quot;&lt;pre&gt;&quot;; print_r($result);
	} else {
		$Message .= 'LDAP Get Entries Failed&lt;br&gt;'; 
		return $Message;
	}
	
	
	/*
	Step 7 - Extract groups to which user is assigned. This is once you 
	have all the previous steps running successfully. You can extract 
	any relevant groups from the 'memberof' values. */
	if(!empty($result[0]['memberof'])) {
		$member_of = $result[0]['memberof'];
		$Message .= 'LDAP Get Group Entries Successful&lt;br&gt;';
	} else {
		// No 'memberof' attribute was returned: nothing to extract below.
		$member_of = array();
		$Message .= 'LDAP Get Group Entries Failed&lt;br&gt;'; 
	}
	
	/*
	I chose to set up a separate &quot;Organizational Unit&quot; (OU) called &quot;Intranet&quot; 
	on the Windows domain server. Within that OU I have groups set up for every 
	biz application I've deployed. Based on what business unit an employee is 
	under, they will be assigned to the appropriate groups and gain access to 
	any necessary applications. OU=Intranet helps sys admin manage and organize 
	all permissions related to web access and it helps me identify within the 
	Active Directory tree, what groups/permission items I should be looking for.*/
	foreach($member_of as $key =&gt; $value) {
		// ldap_get_entries() stores a 'count' element next to the values; skip it.
		if($key === 'count') {
			continue;
		}
		// Compare against false: strpos() returns an offset, which can be 0.
		if(strpos($value,'OU=Intranet') !== false) {
			//This pattern may vary from one active directory to another.
			$group = preg_replace('/CN=(.*?),OU=Intranet.*?$/i','$1',$value);
			
			/*
			Push user group into application framework. $Portal-&gt;User-&gt;Groups is 
			an array I can look up at any time, anywhere in my application to make 
			sure the user has access to any particular group. */
			array_push($Portal-&gt;User-&gt;Groups, $group);
		}
	}
	
	//Once all user groups have been extracted, save framework object to session.
	$_SESSION['Portal'] = serialize($Portal);
	
	//Debug view, another way to dump user's entire directory tree to screen
	//print_r(ldap_explode_dn($BASE_DN,'')); 
	
	/* Step 8 - Close LDAP connection. 
	Just good practice to keep your code clean. */
	if(ldap_close($ldap_handle)) {
		$Message .= 'LDAP Connection Closed';
	} else {
		$Message .= 'LDAP Connection Failed to Close&lt;br&gt;';
	}
	
	// Return all status messages, for debugging and confirmation.
	return $Message;
}
</pre></p>
<p>If you have any questions about my application framework let me know and I can prepare a post about a basic application framework. I hope you found this post helpful. I am open to and welcome all <span style="text-decoration:underline;"><em>constructive</em></span> feedback, comments and suggestions.</p>
<p>Happy coding :-)</p>
]]></content:encoded>
			<wfw:commentRss>http://allopen.wordpress.com/2009/10/07/ldap-and-php/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/d2573e17761960096520044acc730988?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">bryanallo</media:title>
		</media:content>
	</item>
	</channel>
</rss>
