[LON-CAPA-admin] ldap authentication

Tue Jun 1 02:07:01 EDT 2010

Hi Stuart,

Sorry - everything is working after all. I didn't realize I had to
restart loncontrol. After a restart, ldap authentication worked
perfectly.

Thanks,
Lars.

On Mon, May 31, 2010 at 10:46 PM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
> Hi Stuart,
>
> Do you have a localauth.pm configured for LDAP that works on some
> system? So far I haven't had any luck configuring lon-capa for ldap.
> It may help to have another sample (including a bind user) to look at
> that is known to work.  I know exactly what information lon-capa needs
> to send to the ldap server, I am just not sure how to configure it in
> localauth.pm.
>
> Also, do I need to restart any services (loncontrol or apache2?)before
> ldap authentication takes effect?
>
> Lars.
>
> On Fri, May 28, 2010 at 8:41 AM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
>> Hi Craig and Stuart,
>>
>> Thanks for the reply. I tried to code, but it isn't working for me. I
>> have included two versions of localauth.pm I have tried (see below) -
>> none of them works, and I'm not sure where the problem lies. My guess
>> is it is in the $ldap->search line. I'm not exactly sure what the
>> filter =>  and the attr => lines should be. I have another system
>> (WeBWorK) I have successfully configured to authenticate with the same
>> ldap server, this one includes the following $ldap->search
>> configuration
>>
>> $mesg = $ldap->search(base => $base, filter => "sAMAccountName=$username");
>>
>> but I still can't get lon-capa to authenticate... Any obvious errors
>> in the configuration? Any help is greatly appreciated.
>>
>> Notes:
>> * I installed the Net::LDAP module  on the server
>> * I created a lon-capa user with a username equal to the one the user
>> has in the ldap directory and set the lon-capa authentication to
>> "Local Authentication with argument " (I left the argument empty).
>>
>> %%%%% 1st try - localauth.pm %%%%%%%%%%%%%%%%
>>
>> use Net::LDAP;
>> use Net::LDAPS;
>>
>> sub localauth {
>>   my ($username,$password,$optional_argument,$domain) = @_;
>>
>>   my $ldap_host_name = '10.16.19.10';
>>   my $ldap_ca_file_name = ' ';
>>   my $ldap_dn = "cn=acadjensen,ou=Service
>> Accounts,dc=acad,dc=tmccadmn,dc=tmcc,dc=edu";
>>
>>   my $ldap = Net::LDAPS->new($ldap_host_name,
>>                              verify => 'none', # certificate not needed
>>                              cafile => $ldap_ca_file_name,
>>                              );
>>   if (not defined $ldap) {
>>       return -3;
>>   }
>>
>>   # Bind with password
>>   # This should be enough to authenticate user
>>   my $mesg = $ldap->bind($ldap_dn,
>>                          password => "XXXXXXXX");
>>   if ($mesg->code) {
>>       $ldap->unbind;
>>       $ldap->disconnect;
>>       return -2;
>>   }
>>
>>   # But let's search for the ugaAuthCheck attribute too
>>   $mesg = $ldap->search(base =>
>> "ou=Students,dc=acad,dc=tmccadmn,DC=tmcc,DC=edu",
>>                         filter => "sAMAccountName=$username",
>>                         attrs => ['dn'],
>>                         );
>>   $ldap->unbind;
>>   $ldap->disconnect;
>>   if ($mesg->count < 1) {
>>       return -1;
>>   }
>>
>>   return 1;
>> }
>> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>>
>> 1;
>> __END__
>>
>>
>> %%%%%%%%%%% 2nd try - localauth.pm %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>> use strict;
>> use Net::LDAP;
>> use Net::LDAPS;
>> sub localauth {
>>    my ($username,$password) = @ ;
>>    my $ldap_host_name = ’10.16.19.10’; # insert the host name of your
>> ldap server, e.g., ldap.msu.edu
>>    my $ldap_ca_file_name = ’’; # insert the ldap certificate filename
>> - include absolute path
>>    # certificate is required if you wish to encrypt the password.
>>    # e.g., /home/http/perl/lib/local/ldap.certificate
>>    my $ldap_dn = "cn=acadjensen,ou=Service
>> Accounts,dc=acad,dc=tmccadmn,dc=tmcc,dc=edu";
>>    my $bindpassword = "XXXXXXXX";
>>    my $ldap_search_base =
>> "ou=Students,DC=acad,DC=tmccadmn,DC=tmcc,DC=edu"; # ldap search base,
>> this might be set to ’o=msu.edu’.
>>    my $ldap = Net::LDAPS->new(
>>        $ldap_host_name,
>>        verify => ’none’, # ’require’ -> a certificate is needed, ->
>> ’none’ if no certificate used
>>        cafile => $ldap_ca_file_name,
>>  );
>>    if (!(defined($ldap))) {
>>        return (0);
>>  }
>>    $ldap->bind( $ldap_dn, password => $bindpassword );
>>    my $search_string = ’(uid=’.$username.’)’;
>>    my $mesg = $ldap->search (
>>        base => $ldap_search_base,
>>        filter => "sAMAccountName=.'$username.'",
>>        attrs => [’dn’] ,
>>  );
>>    if ($mesg->code) {
>>        $ldap->unbind;
>>        $ldap->disconnect;
>>        return (0);
>>  }
>>    my @entries = $mesg->all entries;
>>    if (@entries > 0) {
>>        $ldap->unbind;
>>        $ldap->disconnect;
>>        return (0);
>>   }
>>      $mesg = $ldap->bind (
>>          dn => $entries[0]->dn,
>>          password => $password,
>>   );
>>      $ldap->unbind;
>>      $ldap->disconnect;
>>      if ($mesg->code) {
>>          return (0)
>>   }
>>      return (1);
>> }
>>  1;
>> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>>
>> 1;
>> __END__
>> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>
>