[LON-CAPA-admin] ldap authentication

Lars Jensen ljensen at mail.tmcc.edu
Fri Jun 4 14:59:43 EDT 2010 

Hi Stuart,

OK, so LDAP works, but it seems that user accounts must be pre-created
in loncapa before ldap login works. Is it possible to have users in
the LDAP directory login and create their accounts at the moment they
login the first time? If so, how do I enable this?

Thanks,
Lars.

On Mon, May 31, 2010 at 11:07 PM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
> Hi Stuart,
>
> Sorry - everything is working after all. I didn't realize I had to
> restart loncontrol. After a restart, ldap authentication worked
> perfectly.
>
> Thanks,
> Lars.
>
> On Mon, May 31, 2010 at 10:46 PM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
>> Hi Stuart,
>>
>> Do you have a localauth.pm configured for LDAP that works on some
>> system? So far I haven't had any luck configuring lon-capa for ldap.
>> It may help to have another sample (including a bind user) to look at
>> that is known to work.  I know exactly what information lon-capa needs
>> to send to the ldap server, I am just not sure how to configure it in
>> localauth.pm.
>>
>> Also, do I need to restart any services (loncontrol or apache2?)before
>> ldap authentication takes effect?
>>
>> Lars.
>>
>> On Fri, May 28, 2010 at 8:41 AM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
>>> Hi Craig and Stuart,
>>>
>>> Thanks for the reply. I tried to code, but it isn't working for me. I
>>> have included two versions of localauth.pm I have tried (see below) -
>>> none of them works, and I'm not sure where the problem lies. My guess
>>> is it is in the $ldap->search line. I'm not exactly sure what the
>>> filter =>  and the attr => lines should be. I have another system
>>> (WeBWorK) I have successfully configured to authenticate with the same
>>> ldap server, this one includes the following $ldap->search
>>> configuration
>>>
>>> $mesg = $ldap->search(base => $base, filter => "sAMAccountName=$username");
>>>
>>> but I still can't get lon-capa to authenticate... Any obvious errors
>>> in the configuration? Any help is greatly appreciated.
>>>
>>> Notes:
>>> * I installed the Net::LDAP module  on the server
>>> * I created a lon-capa user with a username equal to the one the user
>>> has in the ldap directory and set the lon-capa authentication to
>>> "Local Authentication with argument " (I left the argument empty).
>>>
>>> %%%%% 1st try - localauth.pm %%%%%%%%%%%%%%%%
>>>
>>> use Net::LDAP;
>>> use Net::LDAPS;
>>>
>>> sub localauth {
>>>   my ($username,$password,$optional_argument,$domain) = @_;
>>>
>>>   my $ldap_host_name = '10.16.19.10';
>>>   my $ldap_ca_file_name = ' ';
>>>   my $ldap_dn = "cn=acadjensen,ou=Service
>>> Accounts,dc=acad,dc=tmccadmn,dc=tmcc,dc=edu";
>>>
>>>   my $ldap = Net::LDAPS->new($ldap_host_name,
>>>                              verify => 'none', # certificate not needed
>>>                              cafile => $ldap_ca_file_name,
>>>                              );
>>>   if (not defined $ldap) {
>>>       return -3;
>>>   }
>>>
>>>   # Bind with password
>>>   # This should be enough to authenticate user
>>>   my $mesg = $ldap->bind($ldap_dn,
>>>                          password => "XXXXXXXX");
>>>   if ($mesg->code) {
>>>       $ldap->unbind;
>>>       $ldap->disconnect;
>>>       return -2;
>>>   }
>>>
>>>   # But let's search for the ugaAuthCheck attribute too
>>>   $mesg = $ldap->search(base =>
>>> "ou=Students,dc=acad,dc=tmccadmn,DC=tmcc,DC=edu",
>>>                         filter => "sAMAccountName=$username",
>>>                         attrs => ['dn'],
>>>                         );
>>>   $ldap->unbind;
>>>   $ldap->disconnect;
>>>   if ($mesg->count < 1) {
>>>       return -1;
>>>   }
>>>
>>>   return 1;
>>> }
>>> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>>>
>>> 1;
>>> __END__
>>>
>>>
>>> %%%%%%%%%%% 2nd try - localauth.pm %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>> use strict;
>>> use Net::LDAP;
>>> use Net::LDAPS;
>>> sub localauth {
>>>    my ($username,$password) = @ ;
>>>    my $ldap_host_name = ’10.16.19.10’; # insert the host name of your
>>> ldap server, e.g., ldap.msu.edu
>>>    my $ldap_ca_file_name = ’’; # insert the ldap certificate filename
>>> - include absolute path
>>>    # certificate is required if you wish to encrypt the password.
>>>    # e.g., /home/http/perl/lib/local/ldap.certificate
>>>    my $ldap_dn = "cn=acadjensen,ou=Service
>>> Accounts,dc=acad,dc=tmccadmn,dc=tmcc,dc=edu";
>>>    my $bindpassword = "XXXXXXXX";
>>>    my $ldap_search_base =
>>> "ou=Students,DC=acad,DC=tmccadmn,DC=tmcc,DC=edu"; # ldap search base,
>>> this might be set to ’o=msu.edu’.
>>>    my $ldap = Net::LDAPS->new(
>>>        $ldap_host_name,
>>>        verify => ’none’, # ’require’ -> a certificate is needed, ->
>>> ’none’ if no certificate used
>>>        cafile => $ldap_ca_file_name,
>>>  );
>>>    if (!(defined($ldap))) {
>>>        return (0);
>>>  }
>>>    $ldap->bind( $ldap_dn, password => $bindpassword );
>>>    my $search_string = ’(uid=’.$username.’)’;
>>>    my $mesg = $ldap->search (
>>>        base => $ldap_search_base,
>>>        filter => "sAMAccountName=.'$username.'",
>>>        attrs => [’dn’] ,
>>>  );
>>>    if ($mesg->code) {
>>>        $ldap->unbind;
>>>        $ldap->disconnect;
>>>        return (0);
>>>  }
>>>    my @entries = $mesg->all entries;
>>>    if (@entries > 0) {
>>>        $ldap->unbind;
>>>        $ldap->disconnect;
>>>        return (0);
>>>   }
>>>      $mesg = $ldap->bind (
>>>          dn => $entries[0]->dn,
>>>          password => $password,
>>>   );
>>>      $ldap->unbind;
>>>      $ldap->disconnect;
>>>      if ($mesg->code) {
>>>          return (0)
>>>   }
>>>      return (1);
>>> }
>>>  1;
>>> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>>>
>>> 1;
>>> __END__
>>> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>>
>>
>

More information about the LON-CAPA-admin mailing list