Forum .LRN Q&A: Re: External authentication with dotLRN (LDAP)

Posted by Shahid Butt on
Great news, we have managed to get it working. And I've managed to replicate the solution onto our UAT server. As a summary this is what we did:

Install Openldap and ns_ldap
Installed OpenLDAP and ns_ldap as per instructions:
https://openacs.org/doc/openacs-5-1/install-ldap-radius.html
(NOTE: When installing ns_ldap, you must ensure that the environment variable AOLSERVER is set.)

Edit ldap.conf
Edited /usr/local/openldap/etc/openldap/ldap.conf
and /etc/ldap.conf

Added the lines:
host [IP Address]
base dc=[mydomain],dc=com

Test with ldapsearch
At this stage I was able to do an ldapsearch command, great!:
ldapsearch -x ""
or
ldapsearch -x -v -h [IP Address] "" -s base '(objectclass=*)'

dotLRN changes:
I installed the following services in dotLRN:
Authentication 5.1.4
LDAP Authentication Driver 1.0d2

Downloaded auth-ldap-procs.tcl version 1.9.2.1 from here
http://cvs.openacs.org/cvs/*checkout*/openacs-4/packages/auth-ldap/tcl/auth-ldap-procs.tcl?rev=1.9.2.1

Edited the file:
Changed
from
set ldap_bind_p 0
to
set ldap_bind_p 1

(uncomment)
from
#set cn $username
to
set cn $username

(change)
from
if {[ns_ldap bind $lh "cn=$cn" "$password"]} {
to
set fdn [lindex [lindex [ns_ldap search $lh -scope subtree $params(BaseDN) "($params(UsernameAttribute)=$username)" dn] 0] 1]
ns_log Debug "FDN: $fdn"
if {[ns_ldap bind $lh $fdn $password]} {

(new line)
from
# We do not check LDAP account status
set result(account_status) ok

return [array get result]
to
# We do not check LDAP account status
set result(account_status) ok

ns_log Notice "FDN [array get result]"

return [array get result]

Edit the run file under
[dotlrn]/etc/daemontools
Before the exec command enter
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/openldap/lib
export LD_LIBRARY_PATH

Edit the config.tcl file

Remove the '#' in front of the line
ns_param nsldap ${bindir}/nsldap.so

Add the following to the end of the file:

ns_section "ns/ldap/pool/ldap"
ns_param user "cn=[user],ou=[AD Dir],dc=[mydomain],dc=com"
ns_param password "[password]"
ns_param host "[IP Address]"
ns_param connections 2
ns_param verbose On

#
# ldap pools
#
ns_section "ns/ldap/pools"
ns_param ldap ldap

#
# ldap default pool
#
ns_section ns/server/${server}/ldap
ns_param Pools *
ns_param DefaultPool ldap

Create new authority under http://[mydomain]/acs-admin/auth/

Change the users' default authority to LDAP

Hey presto LDAP authentication is working!

Phew!
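The authentication flow the post ends up with is "search for the user's DN, then bind as that DN with the supplied password". Two details of the Tcl snippet deserve a defender's attention: the username is interpolated straight into the search filter `($params(UsernameAttribute)=$username)`, and the bind is attempted whatever the password is. The example below is added here and is not code from the post, from auth-ldap or from ns_ldap; it reimplements the same search-then-bind flow in Python against a constructed in-memory directory so it runs offline, and adds the checks a hardened version would make: RFC 4515 escaping of the filter value, rejection of an empty password before the bind (a simple bind with a DN and an empty password is an unauthenticated bind under RFC 4513 section 5.1.2, which Active Directory accepts and OpenLDAP accepts only when `allow bind_anon_cred` is configured), and a requirement that the search return exactly one entry instead of silently taking the first result as `lindex ... 0` does. The `FakeDirectory` class, the entry names and the passwords are all made up for the example.

```python
"""Search-then-bind LDAP authentication with defensive checks (added example)."""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


class FakeDirectory:
    """Constructed stand-in for the server behind ns_ldap search/bind."""

    def __init__(self, entries):
        # entries: dn -> {attribute: value, ..., "userPassword": value}
        self.entries = entries

    def search(self, base_dn, filter_str):
        """Return DNs under base_dn matching one (attr=value) filter.

        Only the single equality/substring filter shape the post uses is
        modelled. An unescaped '*' in the value acts as a wildcard, which is
        why the caller must escape the username before building the filter.
        """
        m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
        if not m:
            raise ValueError("unsupported filter: " + filter_str)
        attr, pattern = m.group(1), m.group(2)
        # Turn the filter value into a regex: '*' is a wildcard, an escaped
        # byte such as \2a is the literal character it encodes.
        parts = []
        for tok in re.split(r"(\\[0-9a-fA-F]{2}|\*)", pattern):
            if tok == "*":
                parts.append(".*")
            elif re.fullmatch(r"\\[0-9a-fA-F]{2}", tok):
                parts.append(re.escape(chr(int(tok[1:], 16))))
            else:
                parts.append(re.escape(tok))
        rx = re.compile("".join(parts))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn) and attr in attrs
                and rx.fullmatch(attrs[attr])]

    def bind(self, dn, password):
        """Simple bind. DN plus empty password is an unauthenticated bind
        (RFC 4513 section 5.1.2); this stand-in, like many real servers,
        reports it as success, so callers must not treat it as a credential check."""
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password


def authenticate(directory, base_dn, username_attr, username, password):
    """Search-then-bind as in the post, with the three checks added."""
    if password == "":
        return False  # would be an unauthenticated bind, not a password check
    filter_str = "(%s=%s)" % (username_attr, escape_filter_value(username))
    dns = directory.search(base_dn, filter_str)
    if len(dns) != 1:
        return False  # unknown user or ambiguous match: do not guess a DN
    return directory.bind(dns[0], password)


# Constructed sample directory; nothing here comes from the post.
BASE_DN = "dc=example,dc=com"
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "correct horse"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "battery staple"},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, BASE_DN, "uid", "alice", "correct horse"))  # True
    print(authenticate(DIRECTORY, BASE_DN, "uid", "alice", ""))               # False
    print(authenticate(DIRECTORY, BASE_DN, "uid", "*", "correct horse"))      # False
```

In the Tcl version the same three checks map onto: escaping `$username` before it is substituted into the filter string, returning a failure result before calling `ns_ldap bind` when `$password` is empty, and checking that the `ns_ldap search` result list has length one before taking its first element.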