install-ldap-radius.adp

<property name="context">{/doc/acs-core-docs/ {ACS Core Documentation}} {Install LDAP for use as external authentication}</property>
<property name="doc(title)">Install LDAP for use as external authentication</property>
<master>
<style>
div.sect2 > div.itemizedlist > ul.itemizedlist > li.listitem {margin-top: 16px;}
div.sect3 > div.itemizedlist > ul.itemizedlist > li.listitem {margin-top: 6px;}
</style>              
<include src="/packages/acs-core-docs/lib/navheader"
			leftLink="install-pam-radius" leftLabel="Prev"
			title="Appendix B. Install
additional supporting software"
			rightLink="aolserver" rightLabel="Next">
		    <div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="install-ldap-radius" id="install-ldap-radius"></a>Install LDAP for use as external
authentication</h2></div></div></div><div class="authorblurb">
<p>By <a class="ulink" href="mailto:openacs\@sussdorff.de" target="_top">Malte Sussdorff</a>
</p>
OpenACS docs are written by the named authors, and may be edited by
OpenACS documentation staff.</div><p>This is a step-by-step guide to using LDAP for external
authentication with the LDAP bind command, which differs from the
approach usually taken by auth-ldap (looking up the entry and comparing
a stored password attribute). Both approaches are dealt with in this
section.</p><div class="orderedlist"><ol class="orderedlist" type="1">
<li class="listitem">
<a name="install-openldap" id="install-openldap"></a><p>
<strong>Install openldap. </strong>Download and install
OpenLDAP. Only the client libraries are needed for ns_ldap to link
against, so the server (slapd) is left out with
<code class="computeroutput">--disable-slapd</code>. The tarball is
fetched over plain FTP, so verify it against the checksum or signature
published by the OpenLDAP project before building it.</p><pre class="screen">[root aolserver]# <strong class="userinput"><code>cd /usr/local/src/</code></strong>
          [root src]# <strong class="userinput"><code>wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.2.17.tgz</code></strong>
          [root src]# <strong class="userinput"><code>tar xvfz openldap-2.2.17.tgz</code></strong>
          [root src]# <strong class="userinput"><code>cd openldap-2.2.17</code></strong>
          [root openldap-2.2.17]# <strong class="userinput"><code>./configure --prefix=/usr/local/openldap --disable-slapd</code></strong>
          [root openldap-2.2.17]# <strong class="userinput"><code>make install</code></strong>
          [root openldap-2.2.17]#
<span class="action"><span class="action">cd /usr/local/src/
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.2.17.tgz
tar xvfz openldap-2.2.17.tgz
cd openldap-2.2.17
./configure --prefix=/usr/local/openldap --disable-slapd
make install
</span></span>
</pre>
</li><li class="listitem">
<a name="install-ns_ldap" id="install-ns_ldap"></a><p>
<strong>Install ns_ldap. </strong>Download and install
ns_ldap, pointing the build at the OpenLDAP prefix from the previous
step and at the AOLserver installation it should be installed
into.</p><pre class="screen">[root aolserver]# <strong class="userinput"><code>cd /usr/local/src/aolserver/</code></strong>
          [root aolserver]# <strong class="userinput"><code>wget http://www.sussdorff.de/resources/nsldap.tgz</code></strong>
          [root aolserver]# <strong class="userinput"><code>tar xfz nsldap.tgz</code></strong>
          [root aolserver]# <strong class="userinput"><code>cd nsldap</code></strong>
          [root nsldap]# <strong class="userinput"><code>make install LDAP=/usr/local/openldap INST=/usr/local/aolserver</code></strong>
          [root nsldap]#
<span class="action"><span class="action">cd /usr/local/src/aolserver/
wget http://www.sussdorff.de/resources/nsldap.tgz
tar xfz nsldap.tgz
cd nsldap
make install LDAP=/usr/local/openldap INST=/usr/local/aolserver
</span></span>
</pre>
</li><li class="listitem">
<a name="configure-ns_ldap" id="configure-ns_ldap"></a><p>
<strong>Configure ns_ldap for traditional
use. </strong>Traditionally OpenACS has supported ns_ldap for
authentication by storing the OpenACS password, in hashed form, in the
LDAP attribute <code class="computeroutput">userPassword</code> and
comparing the password the user typed against that stored value.
Furthermore, a CN-style attribute, usually userID or something similar,
is used to look up the entry by username. Its value is identical to the
<span class="emphasis"><em>username</em></span> stored in OpenACS, so
the login will only work if you change the OpenACS login method to use
the username instead of the email address.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;"><li class="listitem"><p>Change <span class="emphasis"><em>config.tcl</em></span>. Remove
the <span class="emphasis"><em>#</em></span> in front of
<code class="computeroutput">ns_param nsldap
${bindir}/nsldap.so</code> to enable the loading of the ns_ldap
module.</p></li></ul></div>
</li><li class="listitem">
<a name="configure-ns_ldap-bind" id="configure-ns_ldap-bind"></a><p>
<strong>Configure ns_ldap for use with LDAP
bind. </strong>LDAP authentication is usually done by trying to bind
(that is, log in) as the user against the LDAP server. The application
never reads the user's password out of the directory; it sends the
typed password to the LDAP server, which verifies it and accepts or
rejects the bind. The latest version of ns_ldap supports this method
with the <span class="emphasis"><em>ns_ldap bind</em></span> command.
All you have to do to enable this is to configure auth_ldap to use
BIND authentication instead. Alternatively you can write a small
script that calculates the DN to bind as from the given username
(e.g. if the OpenACS username is malte.fb03.tu, the LDAP request can
be translated into "ou=malte,ou=fb03,o=tu"); this example is encoded
in auth_ldap and you just have to uncomment it to make use of it. Two
things to check when doing so: the username is user-supplied, so
escape it according to RFC 4514 before splicing it into a DN, and
reject an empty password before binding, because a simple bind with a
DN and an empty password is an unauthenticated bind (RFC 4513) that
some directory servers accept as an anonymous success. Since the bind
carries the password over the wire, connect over TLS (ldaps:// or
StartTLS).</p>
</li>
</ol></div>
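<p>Both approaches above, the traditional search-and-compare on
<code class="computeroutput">userPassword</code> and the bind method with
the username-to-DN translation, as an added example. This is not code from
OpenACS, ns_ldap or auth-ldap. Everything not taken from the page is an
assumption: the directory is a constructed in-memory dict, the LDAP
server's simple bind is modelled by <code class="computeroutput">fake_bind</code>
so the code runs offline, and <code class="computeroutput">userPassword</code>
is assumed to be in OpenLDAP's {SSHA} (salted SHA-1) scheme. The mapping
generalises the page's single instance: every dot-separated part but the
last becomes an <code class="computeroutput">ou</code>, the last the
<code class="computeroutput">o</code>.</p>

```python
"""LDAP external authentication both ways: search-and-compare on userPassword
(the traditional auth-ldap approach) and LDAP simple bind.

Added example for this page; not code from OpenACS, ns_ldap or auth-ldap.
Assumptions not taken from the page: the directory is a constructed in-memory
dict, the server side of a simple bind is modelled by fake_bind, and
userPassword is stored in OpenLDAP's {SSHA} (salted SHA-1) scheme.
"""
import base64
import hashlib
import secrets

_DN_SPECIAL = set('",+;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def username_to_dn(username: str) -> str:
    """The page's mapping, generalised: 'malte.fb03.tu' -> 'ou=malte,ou=fb03,o=tu'.
    Every dot-separated part but the last becomes an ou, the last the o."""
    parts = username.split('.')
    if len(parts) < 2 or not all(parts):
        raise ValueError(f'cannot derive a DN from {username!r}')
    *ous, org = parts
    return ','.join([f'ou={escape_dn_value(p)}' for p in ous]
                    + [f'o={escape_dn_value(org)}'])


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_verify(password: str, stored: str) -> bool:
    if not stored.startswith('{SSHA}'):
        return False
    raw = base64.b64decode(stored[len('{SSHA}'):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return secrets.compare_digest(candidate, digest)


# Constructed sample directory (not real data), keyed by DN.
DIRECTORY = {
    'ou=malte,ou=fb03,o=tu': {
        'userID': 'malte.fb03.tu',
        'userPassword': ssha_hash('correct horse', salt=b'\x01\x02\x03\x04'),
    },
}


def traditional_authenticate(username: str, password: str) -> bool:
    """Search-and-compare: find the entry whose userID equals the OpenACS
    username, read userPassword (needs read access to it) and verify locally."""
    for entry in DIRECTORY.values():
        if entry.get('userID') == username:
            return ssha_verify(password, entry['userPassword'])
    return False


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for the server side of a simple bind (python-ldap:
    conn.simple_bind_s(dn, password)). It models a server that treats a DN
    with an empty password as an unauthenticated bind (RFC 4513 section 5.1.2)
    and answers success, which is the pitfall the client must guard against."""
    if password == '':
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and ssha_verify(password, entry['userPassword'])


def bind_authenticate(username: str, password: str, bind=fake_bind) -> bool:
    """Bind method: the client never reads userPassword; the server verifies."""
    if not password:  # never let an empty password reach the bind
        return False
    try:
        dn = username_to_dn(username)
    except ValueError:
        return False
    return bind(dn, password)


if __name__ == '__main__':
    print(username_to_dn('malte.fb03.tu'))
    print(traditional_authenticate('malte.fb03.tu', 'correct horse'))
    print(bind_authenticate('malte.fb03.tu', 'correct horse'))
    print(bind_authenticate('malte.fb03.tu', ''))
```

<p>Against a real server, replace <code class="computeroutput">fake_bind</code>
with the library's simple bind and open the connection with ldaps:// or
StartTLS; the empty-password guard and the DN escaping stay on the client
side either way, since neither the directory nor the library will do them
for you.</p>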
</div>
<include src="/packages/acs-core-docs/lib/navfooter"
			leftLink="install-pam-radius" leftLabel="Prev" leftTitle="Install PAM Radius for use as external
authentication"
			rightLink="aolserver" rightLabel="Next" rightTitle="Install AOLserver 3.3oacs1"
			homeLink="index" homeLabel="Home" 
			upLink="install-more-software" upLabel="Up">