Forum .LRN Q&A: Re: External authentication with dotLRN (LDAP)

Posted by Trenton Cameron on
Well I haven't had time to look through what you did to figure out what you did wrong.  Here is what I did (I know it works)  maybe you can go through it and see what differences there are:

Setting up ldap bind for openACS

First the docs/files you will need <-instructions on setting up nsldap <- latest version of nsldap

First set up ldap:  For RedHat you will need the openldap-devel openldap-clients and openldap packages.  Then edit the /etc/openldap/ldap.conf file
#SIZELIMIT      12
#DEREF          never
BASE dc=xxxx, dc=xxx, dc=xxx
TLS_CACERTDIR /etc/openldap/cacerts

next run a query to make sure everything is working
ldapsearch -H ldap://localhost -D "CN=my name ,OU=xxxx_users,DC=xxxx,DC=xxx,DC=xxx" -x -W -b "OU=xxxx_users,DC=xxxx,DC=xxx,DC=xxx" sAMAccountName=myaccount

be sure to replace the CN and sAMAccountName

if you got a result after entering your windows password congrats you are now talking to ldap.

Now time to set up openACS

first get the module from
now expand it just like any other aolserver module.  Make sure that you AOLSERVER enviroment variable is set and make it on RedHat the command was

make LDAP=/usr/

if everything went well copy the file into the bin directory

now edit the config file.  There are some examples in the README that came with the nsldap tarbal.  These are the changes I ended up making

in the modules section uncomment the
ns_param  nsldap            ${bindir}/

then at the end of the file insert

        ns_section "ns/ldap/pool/ldap"
        ns_param user "cn=my name,ou=xxxx_users, dc=xxxx, dc=xxx, dc=xxx"
        ns_param password "MyPassword"
        #Connection is to local host because stunnel will encrypt it and send it to the DC
        ns_param host ""
        ns_param connections 1
        ns_param verbose On

        # ldap pools
        ns_section "ns/ldap/pools"
        ns_param ldap ldap

        # ldap default pool
        ns_section "ns/server/${server}/ldap"
        ns_param Pools *
        ns_param DefaultPool ldap

the CN in this case is the CN you have set up to query LDAP

Now install the latest versions of acs-authentication and auth-ldap and restart the server

the next steps come from the document

The following is a cut and paste from that document

Enabling bind support and FDN lookup

Now you’ve got your user database prepped and authority configured. The last step is to edit the tcl file /packages/auth-ldap/tcl/auth-ldap-procs.tcl. First, find the line that reads set ldap_bind_p 0 and change the 0 to a 1. Then, comment out the line:

set cn $username

and add the following:

set fdn [lindex [lindex [ns_ldap search $lh -scope subtree $params(BaseDN) "($params(UsernameAttribute)=$username)" dn] 0] 1]

Next, replace cn=$cn with $fdn in the ns_ldap bind call a few lines down, save and reload the file using the package manager or simply restart your server. This will change the default behavior and enable users to log in with their CN.

--End cut and paste
Quick comment on that ... The first time I did this I didn't understand the replace cn=$cn with $fdn.  You need to delete cn=$cn and replace the whole string whith $fdn.

you now need to restart/reload that tcl file.

Next we need to set up the authentication so under acs-admin/auth add an authority and configure it to use ldap.  Then configure the driver.  The settings I have are
UsernameAttribute sAMAccountName
BaseDN ou=xxxx_users,dc=xxxx,dc=xxx,dc=xxx
PasswordHash MD5 (I don't think this last one is necessary)

Almost done ...  Now we just need to modify our users to be under this authority

First in the database we need to find the authority_id
select authority_id, short_name from auth_authorities

now use that id and the AD username to update the accounts
update users set username = :new_username, authority_id =  'your_id' where user_id = :user_id

The last thing we need to do is edit the kernel parameter that has us user email for login we now want to use username.  Set UseEmailForLoginP to 0 instead of one.

That should do it ... log out and log back in as a user using there AD information.

As a last note ethereal was my friend.  Looking at the packets really helped me deduce what was going on behind the scenes.  Good luck