[LON-CAPA-admin] ldap authentication

Lars Jensen ljensen at mail.tmcc.edu
Tue Jun 1 01:46:16 EDT 2010


Hi Stuart,

Do you have a localauth.pm configured for LDAP that works on some
system? So far I haven't had any luck configuring lon-capa for ldap.
It may help to have another sample (including a bind user) to look at
that is known to work.  I know exactly what information lon-capa needs
to send to the ldap server, I am just not sure how to configure it in
localauth.pm.

Also, do I need to restart any services (loncontrol or apache2?) before
ldap authentication takes effect?

Lars.

On Fri, May 28, 2010 at 8:41 AM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
> Hi Craig and Stuart,
>
> Thanks for the reply. I tried the code, but it isn't working for me. I
> have included two versions of localauth.pm I have tried (see below) -
> neither of them works, and I'm not sure where the problem lies. My guess
> is it is in the $ldap->search line. I'm not exactly sure what the
> filter =>  and the attr => lines should be. I have another system
> (WeBWorK) I have successfully configured to authenticate with the same
> ldap server, this one includes the following $ldap->search
> configuration
>
> $mesg = $ldap->search(base => $base, filter => "sAMAccountName=$username");
>
> but I still can't get lon-capa to authenticate... Any obvious errors
> in the configuration? Any help is greatly appreciated.
>
> Notes:
> * I installed the Net::LDAP module on the server
> * I created a lon-capa user with a username equal to the one the user
> has in the ldap directory and set the lon-capa authentication to
> "Local Authentication with argument " (I left the argument empty).
>
> %%%%% 1st try - localauth.pm %%%%%%%%%%%%%%%%
>
> use Net::LDAP;
> use Net::LDAPS;
>
> sub localauth {
>   my ($username,$password,$optional_argument,$domain) = @_;
>
>   my $ldap_host_name = '10.16.19.10';
>   my $ldap_ca_file_name = ' ';
>   my $ldap_dn = "cn=acadjensen,ou=Service Accounts,dc=acad,dc=tmccadmn,dc=tmcc,dc=edu";
>
>   my $ldap = Net::LDAPS->new($ldap_host_name,
>                              verify => 'none', # certificate not needed
>                              cafile => $ldap_ca_file_name,
>                              );
>   if (not defined $ldap) {
>       return -3;
>   }
>
>   # Bind with password
>   # This should be enough to authenticate user
>   my $mesg = $ldap->bind($ldap_dn,
>                          password => "XXXXXXXX");
>   if ($mesg->code) {
>       $ldap->unbind;
>       $ldap->disconnect;
>       return -2;
>   }
>
>   # But let's search for the ugaAuthCheck attribute too
>   $mesg = $ldap->search(base => "ou=Students,dc=acad,dc=tmccadmn,DC=tmcc,DC=edu",
>                         filter => "sAMAccountName=$username",
>                         attrs => ['dn'],
>                         );
>   $ldap->unbind;
>   $ldap->disconnect;
>   if ($mesg->count < 1) {
>       return -1;
>   }
>
>   return 1;
> }
> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>
> 1;
> __END__
>
>
> %%%%%%%%%%% 2nd try - localauth.pm %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> use strict;
> use Net::LDAP;
> use Net::LDAPS;
> sub localauth {
>    my ($username,$password) = @_;
>    my $ldap_host_name = '10.16.19.10'; # insert the host name of your ldap server, e.g., ldap.msu.edu
>    my $ldap_ca_file_name = ''; # insert the ldap certificate filename - include absolute path
>    # certificate is required if you wish to encrypt the password.
>    # e.g., /home/http/perl/lib/local/ldap.certificate
>    my $ldap_dn = "cn=acadjensen,ou=Service Accounts,dc=acad,dc=tmccadmn,dc=tmcc,dc=edu";
>    my $bindpassword = "XXXXXXXX";
>    my $ldap_search_base = "ou=Students,DC=acad,DC=tmccadmn,DC=tmcc,DC=edu"; # ldap search base, this might be set to 'o=msu.edu'.
>    my $ldap = Net::LDAPS->new(
>        $ldap_host_name,
>        verify => 'none', # 'require' -> a certificate is needed, -> 'none' if no certificate used
>        cafile => $ldap_ca_file_name,
>    );
>    if (!(defined($ldap))) {
>        return (0);
>    }
>    # bind as the service account so the search below is permitted
>    $ldap->bind( $ldap_dn, password => $bindpassword );
>    # look up the user's entry by Active Directory login name
>    my $search_string = '(sAMAccountName='.$username.')';
>    my $mesg = $ldap->search (
>        base => $ldap_search_base,
>        filter => $search_string,
>        attrs => ['dn'] ,
>    );
>    if ($mesg->code) {
>        $ldap->unbind;
>        $ldap->disconnect;
>        return (0);
>    }
>    my @entries = $mesg->all_entries;
>    if (@entries < 1) { # no entry matched the username
>        $ldap->unbind;
>        $ldap->disconnect;
>        return (0);
>    }
>    # re-bind as the user with the supplied password; this is the real check
>    $mesg = $ldap->bind (
>        dn => $entries[0]->dn,
>        password => $password,
>    );
>    $ldap->unbind;
>    $ldap->disconnect;
>    if ($mesg->code) {
>        return (0);
>    }
>    return (1);
> }
> 1;
> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>
> 1;
> __END__
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
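As an added example (not Lars's code and not LON-CAPA's shipped localauth.pm), here is the bind, search, re-bind sequence the 2nd try aims at with two checks a directory login path needs: the username is escaped before it goes into the search filter, and an empty password is rejected before the user bind, since many directories treat a bind with a DN and an empty password as a successful anonymous bind. The host, service-account DN, search base and CA bundle path are placeholders.

```perl
# Added example localauth.pm body for LON-CAPA; placeholder values throughout.
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

my $ldap_host     = 'ldap.example.edu';                                     # placeholder
my $bind_dn       = 'cn=svc-loncapa,ou=Service Accounts,dc=example,dc=edu'; # placeholder
my $bind_password = 'CHANGEME';                                             # placeholder
my $search_base   = 'ou=Students,dc=example,dc=edu';                        # placeholder
my $ca_file       = '/etc/ssl/certs/ca-bundle.crt';                         # placeholder path

sub localauth {
    my ($username, $password, $optional_argument, $domain) = @_;

    # Never send an empty password: a DN plus empty password is an
    # anonymous bind on many servers and would "succeed" for any user.
    return 0 unless defined $username && length $username;
    return 0 unless defined $password && length $password;

    # 'require' checks the server certificate against the CA bundle.
    my $ldap = Net::LDAPS->new($ldap_host, verify => 'require', cafile => $ca_file);
    return 0 unless defined $ldap;

    # 1. bind as the service account so the search is permitted
    my $mesg = $ldap->bind($bind_dn, password => $bind_password);
    if ($mesg->code) { $ldap->unbind; return 0; }

    # 2. find the user's DN; escaping keeps the username from altering the filter
    my $filter = '(sAMAccountName=' . escape_filter_value($username) . ')';
    $mesg = $ldap->search(base => $search_base, scope => 'sub',
                          filter => $filter, attrs => ['dn']);
    # exactly one entry must match, otherwise refuse rather than guess
    if ($mesg->code || $mesg->count != 1) { $ldap->unbind; return 0; }
    my $user_dn = $mesg->entry(0)->dn;

    # 3. re-bind as the user; only a clean bind proves the password
    $mesg = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    return $mesg->code ? 0 : 1;
}

1;
```

LON-CAPA calls localauth() with the username and password and expects 1 for success and 0 for failure; the service-account bind error and the wrong-password bind error are both reported by the server in $mesg->error if you need to log why a login was refused.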



