Forum OpenACS Q&A: Re: LDAP - OpenACS or .LRN Integration

Posted by Michael Steigman on
OK, let's not all answer at the same time! :)

Al - we're using the LDAP module to authenticate against Novell's eDirectory and I have done some consulting on a project that was set up to authenticate against Microsoft's Active Directory. I couldn't find any information on IMS support - IMS is a standard used by the LDAP module to keep user databases in sync - for Novell or Microsoft's LDAP. So, in order to give my users accounts in OpenACS (and keep things synced), I had to write some code to create a snapshot and, essentially, a diff in the IMS XML formats that I could feed to the IMS batch sync function. I have not set up scheduled jobs to automate this yet, but that would be trivial. Without IMS support from the LDAP server, you can either try to sync the user database in the manner I describe above or let the users log in and have the system create the account for them (which it will happily do, provided the LDAP server has an email address for the user). The Microsoft AD implementation I'm working on chose the latter route, as they had a large LDAP database (50,000 users) but only needed to authenticate a small subset of users. Of course, this means that unless you hack the registration code, you cannot assign users to groups or subsites until they log in. We're working on a feature that will allow subsite admins to add users from external authorities (e.g., LDAP) via the members pages.

I should add that authenticating against eDir or AD is not possible without the "bind" support added by Malte in the latest nsldap module and the latest version of auth-ldap.
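The snapshot-and-diff step described in the post above, as an added example that is not the poster's code and not part of OpenACS or the nsldap/auth-ldap modules: it parses two ldapsearch-style LDIF dumps (constructed here, not real directory data), diffs them, and emits IMS Enterprise person records tagged with recstatus 1/2/3 (add/update/delete) for a batch sync to consume. The LDIF attribute names (uid, givenName, sn, mail), the exact element layout, and the rule that users without a mail attribute are held back (mirroring the post's note that on-demand account creation needs an email) are assumptions, not details taken from the post.

```python
"""Diff two LDAP snapshots into IMS Enterprise XML for batch user sync.

Added example, not the poster's or OpenACS's code. Assumptions:
- snapshots come from ldapsearch-style LDIF with uid/givenName/sn/mail
  (Active Directory would typically use sAMAccountName instead of uid);
- the sync consumer accepts <person recstatus="1|2|3"> (add/update/delete)
  with <sourcedid>, <userid>, <name> and <email> children;
- users with no mail attribute are held back from add/update, since an
  account cannot be provisioned without an email address.
"""
import xml.etree.ElementTree as ET

IMS_ADD, IMS_UPDATE, IMS_DELETE = "1", "2", "3"

# Constructed LDIF dumps standing in for yesterday's and today's ldapsearch output.
OLD_LDIF = """\
dn: cn=asmith,ou=people,o=example
uid: asmith
givenName: Alice
sn: Smith
mail: asmith@example.edu

dn: cn=bjones,ou=people,o=example
uid: bjones
givenName: Bob
sn: Jones
mail: bjones@example.edu

dn: cn=dlee,ou=people,o=example
uid: dlee
givenName: Dana
sn: Lee
mail: dlee@example.edu
"""

NEW_LDIF = """\
dn: cn=asmith,ou=people,o=example
uid: asmith
givenName: Alice
sn: Smith
mail: asmith@example.edu

dn: cn=bjones,ou=people,o=example
uid: bjones
givenName: Bob
sn: Jones
mail: robert.jones@example.edu

dn: cn=cdoe,ou=people,o=example
uid: cdoe
givenName: Chris
sn: Doe
mail: cdoe@example.edu

dn: cn=efox,ou=people,o=example
uid: efox
givenName: Eve
sn: Fox
"""


def parse_ldif(text, id_attr="uid"):
    """Parse one-attribute-per-line LDIF (blank line between entries) into
    {id: {given, family, email}}. Base64 ('::') values and folded lines are
    not handled; the constructed input uses neither."""
    snapshot, entry = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            uid = entry.get(id_attr)
            if uid:
                snapshot[uid] = {"given": entry.get("givenName", ""),
                                 "family": entry.get("sn", ""),
                                 "email": entry.get("mail", "")}
            entry = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    return snapshot


def diff_snapshots(old, new):
    """Return (added, updated, deleted) dicts keyed by user id."""
    added = {u: r for u, r in new.items() if u not in old}
    deleted = {u: r for u, r in old.items() if u not in new}
    updated = {u: r for u, r in new.items() if u in old and old[u] != r}
    return added, updated, deleted


def build_ims_xml(added, updated, deleted, source="ldap"):
    """Emit IMS Enterprise-style <person> records; returns (xml, skipped_ids).
    Adds/updates without an email are skipped and reported, deletes need none."""
    root = ET.Element("enterprise")
    ET.SubElement(ET.SubElement(root, "properties"), "datasource").text = source
    skipped = []
    for status, records in ((IMS_ADD, added), (IMS_UPDATE, updated), (IMS_DELETE, deleted)):
        for uid in sorted(records):
            rec = records[uid]
            if status != IMS_DELETE and not rec["email"]:
                skipped.append(uid)
                continue
            p = ET.SubElement(root, "person", recstatus=status)
            sid = ET.SubElement(p, "sourcedid")
            ET.SubElement(sid, "source").text = source
            ET.SubElement(sid, "id").text = uid
            ET.SubElement(p, "userid").text = uid
            name = ET.SubElement(p, "name")
            ET.SubElement(name, "fn").text = f"{rec['given']} {rec['family']}".strip()
            n = ET.SubElement(name, "n")
            ET.SubElement(n, "family").text = rec["family"]
            ET.SubElement(n, "given").text = rec["given"]
            ET.SubElement(p, "email").text = rec["email"]
    return ET.tostring(root, encoding="unicode"), skipped


def recstatus_counts(xml_text):
    """Count <person> records per recstatus, for checking a generated batch."""
    counts = {}
    for p in ET.fromstring(xml_text).iter("person"):
        counts[p.get("recstatus")] = counts.get(p.get("recstatus"), 0) + 1
    return counts


if __name__ == "__main__":
    xml_out, held = build_ims_xml(*diff_snapshots(parse_ldif(OLD_LDIF), parse_ldif(NEW_LDIF)))
    print(xml_out)
    print("held back (no mail attribute):", held)
```

Run from a scheduled job, the previous snapshot would be the one persisted after the last successful sync, so a sync that fails part-way is simply retried against the same old snapshot rather than silently dropping the missed changes.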