Forum OpenACS Q&A: Re: Help with auth-ldap ("no configured pools")

Thanks for the push, Rocael. As I was pasting in the lines from my config file, I noticed a strange variable, ${serverNAME}, at the bottom which I hadn't noticed before ;)

Now that I've fixed that, I'm able to list all users in LDAP via nscp with something like:

ns_ldap search $ldaph -scope subtree -names true "o=myorg" "(uid=*)"

So, things are working, it would appear, at this level. However, it's unclear how one goes about enabling LDAP for login. I've created a new authority with LDAP selected for authentication, password management, account registration and on-demand sync. It's enabled but I can't see any change in the login pages. Are there other parameters that need to be changed? Also, I'm unclear on how LDAP is supposed to work with LDAP names (versus email address). Do users log in using their CNs?

Thanks.

Enabling everything for LDAP authentication is OK; you can log in through email or through username. Anyway, it depends on what you put for the Kernel param UseEmailForLoginP: if 0, then it will ask for the username / auth-name.

Also, it's important what you set to match with the username, usually uid (UsernameAttribute).
It will try to match the OACS username against something; if it's found, it will return the record.

7: Re: Help with auth-ldap (response to 6)
Posted by Michael Steigman on
Thanks, Rocael. (Just getting back to this.)

That's the param I was looking for. So I've got UseEmailForLoginP set to 0, my LDAP authority set up and the following options set for the authority:

Authentication - LDAP
Password management - LDAP
Account registration - Local
User Info - LDAP

In the "configure drivers" section of my LDAP authority, I've got:

UsernameAttribute - uid (tried just about everything though)
BaseDN - 'o=myorg'
InfoAttributeMap - 'first_names=givenName;last_name=sn;email=mail'
PasswordHash - SHA (tried MD5 as well)

No matter what, I get an "invalid username/password" error when I try to log in using the LDAP authority. I'm positive both the username and password are correct.

In the log, I'm seeing this, so I'm assuming AOLserver's talking to the LDAP server OK (I was also able to create a little test page that could pull user names from the directory):

[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: getting a handle for thread -1241969744
[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: connecting handle from pool ldap
[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: entering handle nsldap0 to activeHandles
[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: releasehandle nsldap0
[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: returning handle to pool ldap for thread -1241969744

Any suggestions as to where to look at this point?

Thanks.
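The two steps the thread turns on, matching the typed name against UsernameAttribute when UseEmailForLoginP is 0 and then checking the password against the directory's userPassword with the scheme named in PasswordHash, shown as an added Python example that is not from the thread or from the auth-ldap package. It assumes userPassword is stored in RFC 2307 "{scheme}base64" form and also covers the salted SSHA/SMD5 variants, which the thread does not mention; the directory entry, DN and password are constructed. The stored_scheme helper is the check to run first when a login fails: the tag it returns must agree with the PasswordHash setting.

```python
import base64
import hashlib
import hmac

def make_rfc2307(password, scheme="SSHA", salt=b"\x01\x02\x03\x04"):
    """Encode a password the way an LDAP server stores userPassword (RFC 2307)."""
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA", "MD5", "SMD5"):
        raise ValueError("unsupported scheme: " + scheme)
    hasher = hashlib.sha1 if scheme in ("SHA", "SSHA") else hashlib.md5
    if scheme in ("SHA", "MD5"):      # unsalted variants carry no salt bytes
        salt = b""
    digest = hasher(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def stored_scheme(stored):
    """Scheme tag of a userPassword value, e.g. 'SSHA'; '' if none (cleartext)."""
    return stored[1:stored.index("}")].upper() if stored.startswith("{") and "}" in stored else ""

def verify_rfc2307(stored, password):
    """True if password matches the stored value; constant-time compare on the digest."""
    scheme = stored_scheme(stored)
    if scheme in ("SHA", "SSHA"):
        hasher, digest_len = hashlib.sha1, 20
    elif scheme in ("MD5", "SMD5"):
        hasher, digest_len = hashlib.md5, 16
    else:
        return False                  # unknown or cleartext scheme: never accept
    raw = base64.b64decode(stored[stored.index("}") + 1:])
    digest, salt = raw[:digest_len], raw[digest_len:]
    if scheme in ("SHA", "MD5") and salt:
        return False                  # unsalted tag but trailing bytes: malformed
    expected = hasher(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)

# Constructed entry under BaseDN o=myorg, as an ns_ldap search would return it
# (attributes chosen to fit InfoAttributeMap first_names=givenName;last_name=sn;email=mail).
SAMPLE_ENTRIES = [{
    "dn": "uid=jdoe,o=myorg", "uid": "jdoe", "givenName": "Jane", "sn": "Doe",
    "mail": "jdoe@example.org", "userPassword": make_rfc2307("correct horse", "SHA"),
}]

def check_login(entries, username_attribute, username, password):
    """UseEmailForLoginP=0 path: match the typed name against UsernameAttribute,
    then check the password against that one entry's userPassword."""
    matches = [e for e in entries if e.get(username_attribute) == username]
    if len(matches) != 1:
        return "no_account"           # zero or ambiguous matches both fail closed
    return "ok" if verify_rfc2307(matches[0]["userPassword"], password) else "bad_password"
```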