Forum OpenACS Q&A: How to setup LDAP in OACS as of 03/29/2007
PART 1 - BEGIN
--------------
Openldap
1. Download the latest from http://www.openldap.org/software/download/
2. BerkeleyDB must be installed to install the openldap server (not required if connecting to another LDAP server, but this installation will use it)
3. Compile and Install
export CPPFLAGS="-I/usr/local/BerkeleyDB.4.5/include"
export LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.5/lib"
export LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.5/lib"
./configure --prefix=/usr --with-wrappers
make depend
make install
4. Configure the ldap server in slapd.conf
suffix "dc=sample,dc=com"
rootdn "cn=Manager,dc=sample,dc=com"
rootpw secret
5. Start the server
/usr/libexec/slapd -f /usr/etc/openldap/slapd.conf -d -1 &
6. Create an organization file org.ldif which contains
# Organization for Example Corporation
dn: dc=sample,dc=com
objectClass: dcObject
objectClass: organization
dc: sample
o: Sample
# Organizational Role for Directory Manager
dn: cn=Manager,dc=sample,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
# Organizational Role for web users
dn: cn=Web,dc=sample,dc=com
objectClass: organizationalRole
cn: Web
description: Web Users
Create the organization in the ldap server by running
ldapadd -f org.ldif -x -D "cn=Manager,dc=sample,dc=com" -w secret
--------------
PART 1 - END
PART 2 - BEGIN
--------------
Nsldap
1. Download the latest version from https://openacs.org/storage/view/nsldap.tgz
2. Please recompile the nsoracle library to avoid conflicts as described in the README file
3. Edit nsldap.c adding the following line in the define section to enable the latest protocol
#define LDAPV3 1
4. Set the following environment variables
export NSHOME=/usr/local/aolserver
export AOLSERVER=/usr/local/aolserver
export LIBXML2=/usr
5. Compile and Install
make install LDAP=/usr INST=/usr/local/aolserver
6. Edit the aolserver configuration nsd.tcl
# LDAP authentication
ns_param nsldap ${bindir}/nsldap.so
Add the following lines so that user and password correspond to the ldap server rootdn and rootpw respectively. In the openldap server, these are found in the slapd.conf file
#---------------------------------------------------------------------
#
# LDAP pool ldap
#
ns_section "ns/ldap/pool/ldap"
ns_param user "cn=Manager,dc=sample,dc=com"
ns_param password "secret"
ns_param host "xxx.xxx.xxx.xxx"
ns_param connections 1
ns_param verbose On
#
# ldap pools
#
ns_section "ns/ldap/pools"
ns_param ldap ldap
#
# ldap default pool
#
ns_section "ns/server/${servername}/ldap"
ns_param Pools *
ns_param DefaultPool ldap
The aolserver log will show the following lines if the ldap library is loaded correctly
[28/Mar/2007:07:57:14][13841.3086989632][-main-] Notice: modload: loading '/usr/local/410L/bin/nsldap.so'
[28/Mar/2007:07:57:14][13841.3086989632][-main-] Debug: nsldap: allowing * -> pool ldap
[28/Mar/2007:07:57:14][13841.3086989632][-main-] Debug: nsldap: adding pool ldap to the list of allowed pools
[28/Mar/2007:07:57:14][13841.3086989632][-main-] Debug: nsldap: Registering LDAPCheckPools (600)
7. Install the following Services:
Authentication (usually installed with openacs) and LDAP Authentication Driver
8. Edit ../packages/auth-ldap/tcl/auth-ldap-procs.tcl in the procedure ad_proc -private auth::ldap::registration::Register
FROM
    set attributes [list]
    foreach elm [split $params(Attributes) ";"] {
        set elmv [split $elm "="]
        set attribute [string trim [lindex $elmv 0]]
        set value [string trim [lindex $elmv 1]]
        foreach var { username first_names last_name email screen_name url } {
            regsub -all "{$var}" $value [set $var] value
        }
        # Note that this makes a list out of 'value' if it isn't already
        lappend attributes $attribute $value
    }
    # Create the account
    set lh [ns_ldap gethandle ldap]
    with_catch errmsg {
        ns_log Notice "LDAP: Adding user: [concat ns_ldap add [list $lh] [list $dn] attributes]"
        eval [concat ns_ldap add [list $lh] [list $dn] $attributes]
        ns_ldap releasehandle $lh
    } {
TO
    set attributes ""
    foreach elm [split $params(Attributes) ";"] {
        set elmv [split $elm "="]
        set attribute [string trim [lindex $elmv 0]]
        set value [string trim [lindex $elmv 1]]
        foreach var { username first_names last_name email screen_name url } {
            regsub -all "{$var}" $value [set $var] value
        }
        # Note that this makes a list out of 'value' if it isn't already
        if {![empty_string_p $attributes]} {append attributes " "}
        append attributes "$attribute [list $value]"
    }
    # Create the account
    set lh [ns_ldap gethandle ldap]
    with_catch errmsg {
        ns_log Notice "LDAP: Adding user: [concat ns_ldap add $lh $dn $attributes]"
        eval [concat ns_ldap add $lh $dn $attributes]
        ns_ldap releasehandle $lh
    } {
9. Create a new authentication authority in http://{url}/acs-admin/auth/
Click on create new authority
Name: LDAP
Short Name: LDAP
Enabled: Yes
Authentication: LDAP
Password management: LDAP
Account registration: LDAP
User Info: LDAP
Batch sync enabled: No
10. Configure drivers for the new authority
Click on LDAP in http://{url}/acs-admin/auth/
Click on Configure drivers for this authority
DNPattern: uid={username}
UsernameAttribute: uid
Elements: username email first_names last_name
BindAuthenticationP: 1
BaseDN: cn=Web,dc=sample,dc=com
InfoAttributeMap: first_names=givenName;last_name=sn;email=mail
Attributes: objectclass=person organizationalPerson inetOrgPerson;cn={{first_names} {last_name}};sn={last_name};givenName={first_names};uid={username};mail={email}
PasswordHash: SHA
11. Restart aolserver and start the ldap server
12. To test, create a simple tcl page to get an ldap handle
set lh [ns_ldap gethandle "ldap"]
doc_return 200 text/html "[ns_ldap host $lh]"
If it is successful, it will display the ldap host
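An added example (not code from the post, nsldap or the auth-ldap package) that works through what steps 8 and 10 combine to do: it expands the DNPattern, BaseDN and Attributes settings from step 10 for a constructed registration, reads each expanded value with Tcl list semantics (which is why cn uses the double braces), and renders the result as LDIF that ldapadd can load into the test server from Part 1. The RFC 4514 escaping of the username before it enters the DN and the sample user are additions of this example, not behaviour the post describes.

```python
import base64
import re
# Driver settings copied from step 10 of the post.
DN_PATTERN = "uid={username}"
BASE_DN = "cn=Web,dc=sample,dc=com"
ATTRIBUTES = ("objectclass=person organizationalPerson inetOrgPerson;"
              "cn={{first_names} {last_name}};sn={last_name};"
              "givenName={first_names};uid={username};mail={email}")
VARS = ("username", "first_names", "last_name", "email", "screen_name", "url")

def expand(template, user):
    """Substitute each {var} the way the regsub loop in Register does."""
    for var in VARS:
        template = template.replace("{%s}" % var, user.get(var, ""))
    return template

def tcl_values(text):
    """Read an expanded value as Tcl does (a list): bare words are separate
    values, a {...} group is one value, hence cn={{first_names} {last_name}}."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r"\{([^{}]*)\}|(\S+)", text)]

def dn_escape(value):
    """RFC 4514 escaping (added here), so a username like 'x,ou=admin'
    cannot add RDNs to the DN that DNPattern builds from it."""
    value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    value = re.sub(r"^([ #])", r"\\\1", value)
    return re.sub(r"( )$", r"\\\1", value)

def ldif_value(attr, value):
    """One LDIF line; values LDIF cannot carry literally are base64 (attr::)."""
    if value.isascii() and not re.search(r"^[ :<]|[\r\n\x00]| $", value):
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode()).decode())

def register_ldif(user):
    """DN and attribute list Register would hand to ns_ldap add, as LDIF."""
    rdn = expand(DN_PATTERN, {k: dn_escape(v) for k, v in user.items()})
    lines = [ldif_value("dn", rdn + "," + BASE_DN)]
    for elm in ATTRIBUTES.split(";"):
        attribute, _, value = elm.partition("=")
        for v in tcl_values(expand(value.strip(), user)):
            lines.append(ldif_value(attribute.strip(), v))
    return "\n".join(lines) + "\n"

# Constructed sample registration, not taken from the post.
SAMPLE_USER = {"username": "jdoe", "first_names": "John", "last_name": "Doe",
               "email": "jdoe@sample.com"}
if __name__ == "__main__":
    print(register_ldif(SAMPLE_USER), end="")
```

The printed entry can be loaded with the same ldapadd command used for org.ldif in Part 1, which is a quick way to confirm the Attributes template produces a valid inetOrgPerson before going through the web registration.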
--------------
PART 2 - END