[LON-CAPA-admin] ldap authentication
Stuart Raeburn
raeburn at msu.edu
Tue Aug 11 12:30:15 EDT 2009
Lars,
> (1) Do I put my changes in this section of /home/httpd/lib/perl/localauth.pm?
>
> # ----START LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
> sub localauth {
> my ($username,$password,$optional_argument,$domain) = @_;
> return 0;
> }
> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
Yes
> (2) Do I replace the following lines above,
>
> sub localauth {
> my ($username,$password,$optional_argument,$domain) = @_;
> return 0;
> }
>
> with the code on page 15-16 in the Domain Coordinator manual?
Yes. You'd need to customize that code with settings appropriate for
the LDAP service at your institution.
You'll also need to install the CPAN modules: Net::LDAP and
Net::LDAPS. If you can find rpms for these modules in a repository
you use with your distro then install those, otherwise you'll need to
either install using cpan, or download the tarballs from cpan.org,
then make and install from there. To date, I have not created rpms
for these packages and added them to the LON-CAPA repos for supported
distros, although I may do so in the future.
> (3) After having done (1) and (2) with proper configuration for our
> site, will I still be able to login as usual (internally
> authenticated)? (At TMCC, only the students are in ldap.) If a
> username in the ldap container matches an already existing loncapa
> instructor username, the ldap user obviously can't login. But is there
> a way of changing the instructor username of the lon-capa user.
> (Changing it to upper case would work because all student accounts are
> lower case.)
>
After the change you will be able to log-in as usual (internally
authenticated) as long as you have not modified the authentication
type for your LON-CAPA account. The issue of potential overlap between
institutional usernames (i.e., ldap usernames) and internally
authenticated LON-CAPA usernames is discussed in
the Domain Coordination manual (see section 2.7: "Identity Management:
Creating New Users"). Implementation of username format checking
requires modification of localenroll.pm, another customizable file
found in /home/httpd/lib/perl. Once implemented, control of format
rules etc. is via the Domain Configuration menu, available to Domain
Coordinators via the Main Menu.
Ideally you'll want to implement checking of usernames when a new
"LDAP-type" user is added to your LON-CAPA domain to ensure that a
username in the format used for the LDAP user exists (and is always
added with the authentication type set to "localauth"). Usernames for
new users who do not have LDAP usernames should employ a different
format. Requiring one or more upper case characters in the username
for internal authenticated users would be one approach that would work
in your situation. See: "4.3 Format Rule Definitions and Checks:
Usernames and IDs" in the Domain Coordination manual for more
information.
Unfortunately, LON-CAPA does not currently support changing usernames
for existing users. This has been on the list of planned development
work since 2007, and the required virtualization of usernames will
hopefully get worked on soon.
If you have access to a campus LDAP service, your use of that service
can potentially go beyond authentication, to encompass support for
institutional directory searches. See: "4.4 Institutional Directory
Information" in the Domain Coordination manual, which includes an
example ldap_search() routine called by localenroll::get_user_info().
This type of functionality requires customization of appropriate
routines in localenroll.pm.
Please contact me offlist if you have specific questions, or need
assistance implementing interface(s) to your particular campus systems
via the customizable LON-CAPA localauth.pm and localenroll.pm modules.
Stuart Raeburn
MSU LON-CAPA group
[ helpdesk at loncapa.org ]
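An added example of what the LOCAL CHANGES region of localauth.pm could contain once customized for an LDAPS directory. This is written for this page; it is not the code from the Domain Coordination manual and not part of LON-CAPA. The host, port, CA file, base DN and attribute name are placeholders to replace with your institution's values, the directory is assumed to allow an anonymous search for the user's DN (if yours does not, bind with a read-only service account first), and, consistent with the stub above, localauth() is assumed to return 1 when the user authenticates and 0 otherwise.

```perl
# ----START LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

# Site settings: all placeholders, replace with your own values.
my $ldap_host   = 'ldap.example.edu';                  # hypothetical host
my $ldap_port   = 636;
my $ldap_cafile = '/etc/pki/tls/certs/campus-ca.pem';  # hypothetical CA bundle path
my $base_dn     = 'ou=students,dc=example,dc=edu';     # hypothetical search base
my $uid_attr    = 'uid';                               # attribute holding the login name

sub localauth {
    my ($username,$password,$optional_argument,$domain) = @_;

    # Refuse empty or malformed input before touching the directory.
    # Many LDAP servers treat a bind with a DN and an empty password as an
    # "unauthenticated bind" and report success, so an empty password must
    # never reach the bind call.
    return 0 unless defined $username && defined $password;
    return 0 if $password eq '';
    return 0 unless $username =~ /^[a-z0-9._-]{1,64}$/;

    # LDAPS with server certificate verification; if the certificate does not
    # verify the connection fails and so does the login (no cleartext fallback).
    my $ldap = Net::LDAPS->new($ldap_host,
                               port    => $ldap_port,
                               verify  => 'require',
                               cafile  => $ldap_cafile,
                               timeout => 10) or return 0;

    # Find the user's DN with an anonymous search. The username is escaped so
    # that characters like '*' or ')' cannot change the meaning of the filter.
    my $mesg = $ldap->bind;
    return 0 if $mesg->code;
    $mesg = $ldap->search(base   => $base_dn,
                          scope  => 'sub',
                          filter => "($uid_attr=" . escape_filter_value($username) . ')',
                          attrs  => ['1.1']);   # DN only, no attributes
    if ($mesg->code || $mesg->count != 1) {
        $ldap->unbind;
        return 0;
    }
    my $dn = $mesg->entry(0)->dn;

    # Bind as the user: a successful bind is the proof of the password.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = $mesg->code ? 0 : 1;
    $ldap->unbind;
    return $ok;
}
# ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
```

Two checks worth running before switching any real account to "localauth": try a known good password and a wrong one from a one-line test script that loads the module and calls localauth::localauth() directly, and confirm that a login attempt with a blank password is refused without a bind ever being sent (watch the directory's access log).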
Quoting Lars Jensen <ljensen at mail.tmcc.edu>:
> Hi Stuart,
>
> On Fri, Jul 24, 2009 at 12:32 PM, Stuart Raeburn<raeburn at msu.edu> wrote:
>> Lars,
>>
>> Yes, user authentication via LDAP is possible.
>> /home/httpd/lib/perl/localauth.pm can be customized to authenticate against
>> your campus LDAP service.
>>
>> There's an example in the Domain Coordination Manual (e.g.,
>> http://msu.loncapa.org/adm/help/domain.manual.pdf) -- see section 4.1
>> "Institutional Authentication" on page 14.
>
> (1) Do I put my changes in this section of /home/httpd/lib/perl/localauth.pm?
>
> # ----START LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
> sub localauth {
> my ($username,$password,$optional_argument,$domain) = @_;
> return 0;
> }
> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>
> (2) Do I replace the following lines above,
>
> sub localauth {
> my ($username,$password,$optional_argument,$domain) = @_;
> return 0;
> }
>
> with the code on page 15-16 in the Domain Coordinator manual?
>
> (3) After having done (1) and (2) with proper configuration for our
> site, will I still be able to login as usual (internally
> authenticated)? (At TMCC, only the students are in ldap.) If a
> username in the ldap container matches an already existing loncapa
> instructor username, the ldap user obviously can't login. But is there
> a way of changing the instructor username of the lon-capa user.
> (Changing it to upper case would work because all student accounts are
> lower case.)
>
> Thanks,
> Lars.
>
>>
>> Once you have localauth.pm configured and working you can switch existing
>> users to use LDAP by modifying the authentication type for them to
>> "localauth" (they are probably currently set to "internal"). One way to do
>> this is to become the Domain Coordinator and proceed as follows:
>>
>> A. Go to Main Menu
>>
>> B. Click on "Create users or modify the roles and privileges of users"
>>
>> C. Click on "Upload a File of Users"
>>
>> upload a file containing usernames of users for whom the authentication
>> mechanism is to be changed.
>>
>>
>> D. On the next page, identify the username field, and in the "Login Type"
>> section:
>>
>> 1. Set "Change authentication for existing users in domain "msu" to these
>> settings" to "Yes"
>>
>> 2. Select the radio button for "locally authenticated"
>>
>> In the "Default domain" set the domain to tmcc (Truckee Meadows)
>>
>> In the "Setting for assigning roles"
>> 1. Select the radio button for "No role changes"
>>
>> Click "Update Users".
>>
>> This will take some time to complete.
>>
>> Another way to do this is to run a script at the command line, as the www
>> user which will modify the contents of the
>> /home/httpd/lonUsers/tmcc/$1/$2/$3/$username/passwd files for existing users
>> to be:
>>
>> localauth:
>>
>> (where $1, $2 and $3 are the first, second and third characters in the
>> username, e.g., change the contents of
>> /home/httpd/lonUsers/tmcc/j/e/n/jensen/passwd).
>>
>> As Domain Coordinator, you will also want to use "Set domain configuration"
>> from the Main Menu, to set the configuration "User creation" setting the
>> "Assignable authentication types" to include "Local" for all contexts.
>>
>> Stuart Raeburn
>> MSU LON-CAPA group
>>
>>
>> Quoting Lars Jensen <ljensen at tmcc.edu>:
>>
>>> Hi,
>>>
>>> We now have an ldap server for student authentications so I'd like to
>>> configure lon-capa to use it. Is this possible, and is there any
>>> documentation anywhere?
>>>
>>> Thanks,
>>> Lars.
>>>
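The command-line alternative quoted above (rewriting each existing user's passwd file as the www user) as an added Perl script. It is written for this page and is not LON-CAPA's own tooling. It assumes the /home/httpd/lonUsers/&lt;domain&gt;/&lt;c1&gt;/&lt;c2&gt;/&lt;c3&gt;/&lt;username&gt;/passwd layout shown in the thread, that the file's first line has the form "&lt;authtype&gt;:&lt;data&gt;", and that usernames are at least three characters long (shorter names are skipped rather than guessed). Usernames are read from standard input, one per line; each changed file is replaced atomically and a .bak copy is kept, and because that copy may contain a password hash the script restricts it to the owner and never echoes anything after the colon. The DRY_RUN environment variable is a hypothetical switch added here.

```perl
#!/usr/bin/perl
# Switch existing LON-CAPA users to "localauth" by rewriting their passwd
# files.  Added example for this thread, not part of LON-CAPA.
# Usage (run as the www user):
#   DRY_RUN=1 ./switch_to_localauth.pl tmcc < usernames.txt   # report only
#   ./switch_to_localauth.pl tmcc < usernames.txt             # apply
use strict;
use warnings;
use File::Copy qw(copy);
use File::Temp qw(tempfile);

my $lonusers = '/home/httpd/lonUsers';        # layout from the thread
my $domain   = shift @ARGV or die "usage: $0 domain < usernames\n";
my $dry_run  = $ENV{DRY_RUN} ? 1 : 0;         # hypothetical switch
my ($changed, $skipped) = (0, 0);

# Per-user directory is <1st char>/<2nd char>/<3rd char>/<username>, as in
# .../tmcc/j/e/n/jensen/passwd.  Usernames shorter than three characters are
# refused rather than guessed.
sub passwd_path {
    my ($dom, $uname) = @_;
    return unless $uname =~ /^([a-z0-9])([a-z0-9])([a-z0-9])[a-z0-9._-]*$/;
    return "$lonusers/$dom/$1/$2/$3/$uname/passwd";
}

# Return only the authentication type (text before the first colon).  What
# follows the colon may be a password hash and must not reach logs or screen.
sub current_auth_type {
    my ($path) = @_;
    open(my $in, '<', $path) or return;
    my $line = <$in>;
    close $in;
    return 'empty' unless defined $line;
    chomp $line;
    my ($type) = split /:/, $line, 2;
    return defined $type && $type ne '' ? $type : 'empty';
}

while (my $uname = <STDIN>) {
    chomp $uname;
    next if $uname =~ /^\s*$/;
    my $path = passwd_path($domain, $uname);
    if (!defined $path) {
        warn "skip '$uname': username does not match the expected format\n";
        $skipped++; next;
    }
    if (!-f $path) {
        warn "skip '$uname': no passwd file at $path\n";
        $skipped++; next;
    }
    my $type = current_auth_type($path);
    if (!defined $type) {
        warn "skip '$uname': cannot read $path: $!\n";
        $skipped++; next;
    }
    if ($type eq 'localauth') {
        print "ok      $uname is already localauth\n";
        next;
    }
    if ($dry_run) {
        print "would change $uname from '$type' to localauth\n";
        $changed++; next;
    }

    # Back up (owner-only, since it may hold a hash; delete once verified),
    # then write the new content to a temp file in the same directory and
    # rename it over the original so a crash cannot leave a truncated file.
    my $mode = (stat $path)[2] & 07777;
    copy($path, "$path.bak") or do {
        warn "skip '$uname': backup failed: $!\n"; $skipped++; next;
    };
    chmod 0600, "$path.bak";
    my ($dir) = $path =~ m{^(.*)/passwd$};
    my ($tmp, $tmpname) = tempfile('passwd.XXXXXX', DIR => $dir);
    print $tmp "localauth:\n";
    close $tmp or die "write failed for $uname: $!\n";
    chmod $mode, $tmpname;
    rename($tmpname, $path) or do {
        unlink $tmpname;
        warn "skip '$uname': rename failed: $!\n"; $skipped++; next;
    };
    print "changed $uname from '$type' to localauth\n";
    $changed++;
}
print "done: $changed changed, $skipped skipped\n";
```

Run it first with DRY_RUN=1 against the full list so that every "skip" line is understood before anything is written; after a successful run, check one account from the list by logging in through LDAP, then remove the .bak files, which for formerly internally authenticated users still contain the old password hashes.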