Forum .LRN Q&A: Re: External authentication with dotLRN (LDAP)
Setting up ldap bind for openACS
First the docs/files you will need
https://openacs.org/doc/openacs-5-1/install-ldap-radius.html <-instructions on setting up nsldap
http://www.sussdorff.de/ressources/nsldap.tgz <- latest version of nsldap
First set up LDAP: for RedHat you will need the openldap-devel, openldap-clients and openldap packages. Then edit the /etc/openldap/ldap.conf file
#SIZELIMIT 12
TIMELIMIT 15
#DEREF never
HOST 127.0.0.1
BASE dc=xxxx, dc=xxx, dc=xxx
TLS_CACERTDIR /etc/openldap/cacerts
Next, run a query to make sure everything is working:
ldapsearch -H ldap://localhost -D "CN=my name,OU=xxxx_users,DC=xxxx,DC=xxx,DC=xxx" -x -W -b "OU=xxxx_users,DC=xxxx,DC=xxx,DC=xxx" sAMAccountName=myaccount
Be sure to replace the CN and sAMAccountName.
If you got a result after entering your Windows password, congrats, you are now talking to LDAP.
Now time to set up openACS
First get the module from http://www.sussdorff.de/ressources/nsldap.tgz
Now expand it just like any other AOLserver module. Make sure that your AOLSERVER environment variable is set and make it. On RedHat the command was
make LDAP=/usr/
If everything went well, copy the ldap.so file into the bin directory.
Now edit the config file. There are some examples in the README that came with the nsldap tarball. These are the changes I ended up making.
In the modules section uncomment the
ns_param nsldap ${bindir}/nsldap.so
Then at the end of the file insert
ns_section "ns/ldap/pool/ldap"
ns_param user "cn=my name,ou=xxxx_users, dc=xxxx, dc=xxx, dc=xxx"
ns_param password "MyPassword"
#Connection is to local host because stunnel will encrypt it and send it to the DC
ns_param host "127.0.0.1"
ns_param connections 1
ns_param verbose On
#
# ldap pools
#
ns_section "ns/ldap/pools"
ns_param ldap ldap
#
# ldap default pool
#
ns_section "ns/server/${server}/ldap"
ns_param Pools *
ns_param DefaultPool ldap
The CN in this case is the CN you have set up to query LDAP.
Now install the latest versions of acs-authentication and auth-ldap and restart the server.
The next steps come from the document
https://openacs.org/storage/view/miscellaneous/OpenACS_LDAP_Integration.doc
The following is a cut and paste from that document
Enabling bind support and FDN lookup
Now you’ve got your user database prepped and authority configured. The last step is to edit the tcl file /packages/auth-ldap/tcl/auth-ldap-procs.tcl. First, find the line that reads set ldap_bind_p 0 and change the 0 to a 1. Then, comment out the line:
set cn $username
and add the following:
set fdn [lindex [lindex [ns_ldap search $lh -scope subtree $params(BaseDN) "($params(UsernameAttribute)=$username)" dn] 0] 1]
Next, replace cn=$cn with $fdn in the ns_ldap bind call a few lines down, save and reload the file using the package manager or simply restart your server. This will change the default behavior and enable users to log in with their CN.
--End cut and paste
Quick comment on that ... The first time I did this I didn't understand the "replace cn=$cn with $fdn". You need to delete cn=$cn and replace the whole string with $fdn.
You now need to restart/reload that tcl file.
Next we need to set up the authentication so under acs-admin/auth add an authority and configure it to use ldap. Then configure the driver. The settings I have are
UsernameAttribute sAMAccountName
BaseDN ou=xxxx_users,dc=xxxx,dc=xxx,dc=xxx
PasswordHash MD5 (I don't think this last one is necessary)
Almost done ... Now we just need to modify our users to be under this authority
First in the database we need to find the authority_id
select authority_id, short_name from auth_authorities
now use that id and the AD username to update the accounts
update users set username = :new_username, authority_id = 'your_id' where user_id = :user_id
The last thing we need to do is edit the kernel parameter that has us use email for login; we now want to use username. Set UseEmailForLoginP to 0 instead of 1.
That should do it ... log out and log back in as a user using their AD information.
As a last note, Ethereal was my friend. Looking at the packets really helped me deduce what was going on behind the scenes. Good luck
-Trent
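One thing the cut-and-paste above glosses over is that the username goes straight into the search filter and the result is indexed without being checked. The following is an added example (my own sketch, not code from the post or from the auth-ldap package) of the same FDN lookup in Tcl, with the filter value escaped per RFC 4515 and an empty or ambiguous result rejected before any bind is attempted; $lh and $params are the variables the post's snippet already uses, and the ns_ldap call shapes are assumed to match the post.

```tcl
# Added example: hardened FDN lookup for auth-ldap-procs.tcl.
# Not part of the original post or the auth-ldap package.

# Escape a value for use inside an LDAP search filter (RFC 4515), so that
# characters such as ( ) * \ in a username cannot change the filter's meaning.
proc ldap_filter_escape {value} {
    set out ""
    foreach ch [split $value ""] {
        switch -exact -- $ch {
            "\\"    { append out "\\5c" }
            "*"     { append out "\\2a" }
            "("     { append out "\\28" }
            ")"     { append out "\\29" }
            "\x00"  { append out "\\00" }
            default { append out $ch }
        }
    }
    return $out
}

# Build the filter the post writes inline, with the username escaped.
proc ldap_user_filter {attribute username} {
    return "($attribute=[ldap_filter_escape $username])"
}

# Pull the DN out of a search result of the shape the post indexes into
# ([lindex [lindex $result 0] 1]) and fail closed: never hand an empty DN,
# or the DN of an ambiguous match, to the bind call.
proc ldap_fdn_from_result {result} {
    if {[llength $result] != 1} {
        error "expected exactly one directory entry, got [llength $result]"
    }
    set fdn [lindex [lindex $result 0] 1]
    if {$fdn eq ""} {
        error "search result carries no dn"
    }
    return $fdn
}

# How the pieces replace the post's one-liner (hypothetical wiring, $lh and
# $params as in the post); $fdn then goes where the post puts cn=$cn in the
# ns_ldap bind call:
#   set filter [ldap_user_filter $params(UsernameAttribute) $username]
#   set result [ns_ldap search $lh -scope subtree $params(BaseDN) $filter dn]
#   set fdn    [ldap_fdn_from_result $result]
```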