[LON-CAPA-admin] ldap authentication

Stuart Raeburn raeburn at msu.edu
Tue Aug 11 12:30:15 EDT 2009


Lars,

> (1) Do I put my changes in this section of /home/httpd/lib/perl/localauth.pm?
>
> # ----START LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
> sub localauth {
>     my ($username,$password,$optional_argument,$domain) = @_;
>     return 0;
> }
> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE

Yes

> (2) Do I replace the following lines above,
>
> sub localauth {
>     my ($username,$password,$optional_argument,$domain) = @_;
>     return 0;
> }
>
> with the code on page 15-16 in the Domain Coordinator manual?

Yes. You'd need to customize that code with settings appropriate for  
the LDAP service at your institution.

You'll also need to install the CPAN modules: Net::LDAP and  
Net::LDAPS.  If you can find rpms for these modules in a repository  
you use with your distro then install those, otherwise you'll need to  
either install using cpan, or download the tarballs from cpan.org,
then make and install from there.  To date, I have not created rpms
for these packages and added them to the LON-CAPA repos for supported
distros, although I may do so in the future.

> (3) After having done (1) and (2) with proper configuration for our
> site, will I still be able to login as usual (internally
> authenticated)? (At TMCC, only the students are in ldap.) If a
> username in the ldap container matches an already existing loncapa
> instructor username, the ldap user obviously can't login. But is there
> a way of changing the instructor username of the lon-capa user.
> (Changing it to upper case would work because all student accounts are
> lower case.)
>

After the change you will be able to log-in as usual (internally  
authenticated) as long as you have not modified the authentication  
type for your LON-CAPA account. The issue of potential overlap between  
institutional usernames (i.e., ldap usernames) and internally  
authenticated LON-CAPA usernames is discussed in
the Domain Coordination manual (see section 2.7: "Identity Management:  
Creating New Users").  Implementation of username format checking  
requires modification of localenroll.pm, another customizable file  
found in /home/httpd/lib/perl. Once implemented, control of format  
rules etc. is via the Domain Configuration menu, available to Domain  
Coordinators via the Main Menu.

Ideally you'll want to implement checking of usernames when a new  
"LDAP-type" user is added to your LON-CAPA domain to ensure that a  
username in the format used for the LDAP user exists (and is always  
added with the authentication type set to "localauth").  Usernames for  
new users who do not have LDAP usernames should employ a different  
format. Requiring one or more upper case characters in the username  
for internal authenticated users would be one approach that would work  
in your situation.  See: "4.3 Format Rule Definitions and Checks:  
Usernames and IDs" in the Domain Coordination manual for more  
information.

Unfortunately, LON-CAPA does not currently support changing usernames  
for existing users. This has been on the list of planned development  
work since 2007, and the required virtualization of usernames will  
hopefully get worked on soon.

If you have access to a campus LDAP service, your use of that service  
can potentially go beyond authentication, to encompass support for  
institutional directory searches. See:  "4.4 Institutional Directory  
Information" in the Domain Coordination manual, which includes an  
example ldap_search() routine called by localenroll::get_user_info().   
This type of functionality requires customization of appropriate  
routines in localenroll.pm.

Please contact me offlist if you have specific questions, or need  
assistance implementing interface(s) to your particular campus systems  
via the customizable LON-CAPA localauth.pm and localenroll.pm modules.

Stuart Raeburn
MSU LON-CAPA group
[ helpdesk at loncapa.org ]


Quoting Lars Jensen <ljensen at mail.tmcc.edu>:

> Hi Stuart,
>
> On Fri, Jul 24, 2009 at 12:32 PM, Stuart Raeburn<raeburn at msu.edu> wrote:
>> Lars,
>>
>> Yes, user authentication via LDAP is possible.
>> /home/httpd/lib/perl/localauth.pm can be customized to authenticate against
>> your campus LDAP service.
>>
>> There's an example in the Domain Coordination Manual (e.g.,
>> http://msu.loncapa.org/adm/help/domain.manual.pdf) -- see section 4.1
>> "Institutional Authentication" on page 14.
>
> (1) Do I put my changes in this section of /home/httpd/lib/perl/localauth.pm?
>
> # ----START LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
> sub localauth {
>     my ($username,$password,$optional_argument,$domain) = @_;
>     return 0;
> }
> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>
> (2) Do I replace the following lines above,
>
> sub localauth {
>     my ($username,$password,$optional_argument,$domain) = @_;
>     return 0;
> }
>
> with the code on page 15-16 in the Domain Coordinator manual?
>
> (3) After having done (1) and (2) with proper configuration for our
> site, will I still be able to login as usual (internally
> authenticated)? (At TMCC, only the students are in ldap.) If a
> username in the ldap container matches an already existing loncapa
> instructor username, the ldap user obviously can't login. But is there
> a way of changing the instructor username of the lon-capa user.
> (Changing it to upper case would work because all student accounts are
> lower case.)
>
> Thanks,
> Lars.
>
>>
>> Once you have localauth.pm configured and working you can switch existing
>> users to use LDAP by modifying the authentication type for them to
>> "localauth" (they are probably currently set to "internal").  One way to do
>> this is to become the Domain Coordinator and proceed as follows:
>>
>> A. Go to Main Menu
>>
>> B. Click on "Create users or modify the roles and privileges of users"
>>
>> C. Click on  "Upload a File of Users"
>>
>> upload a file containing usernames of users for whom the authentication
>> mechanism is to be changed.
>>
>>
>> D. On the next page, identify the username field, and in the "Login Type
>> section:
>>
>>  1. Change authentication for existing users in domain "msu" to these
>> settings
>>     to "Yes"
>>
>>  2. Select the radio button for "locally authenticated"
>>
>>  In the "Default domain" set the domain to tmcc (Truckee Meadows)
>>
>>  In the "Setting for assigning roles"
>>  1. Select the radio button for "No role changes"
>>
>>  Click "Update Users".
>>
>> This will take some time to complete.
>>
>> Another way to do this is to run a script at the command line, as the www
>> user which will modify the contents of the
>> /home/httpd/lonUsers/tmcc/$1/$2/$3/$username/passwd files for existing users
>> to be:
>>
>> localauth:
>>
>> (where $1, $2 and $3 are the first, second and third characters in the
>> username, e.g., change the contents of
>> /home/httpd/lonUsers/tmcc/j/e/n/jensen/passwd).
>>
>> As Domain Coordinator, you will also want to use "Set domain configuration"
>> from the Main Menu, to set the configuration "User creation" setting the
>> "Assignable authentication types" to include "Local" for all contexts.
>>
>> Stuart Raeburn
>> MSU LON-CAPA group
>>
>>
>> Quoting Lars Jensen <ljensen at tmcc.edu>:
>>
>>> Hi,
>>>
>>> We now have an ldap server for student authentications so I'd like  to
>>> configure lon-capa to use it. Is this possible, and is there any
>>>  documentation anywhere?
>>>
>>> Thanks,
>>> Lars.
>>>





More information about the LON-CAPA-admin mailing list