[LON-CAPA-admin] ldap authentication

Lars Jensen ljensen at mail.tmcc.edu
Sat Jun 5 14:29:13 EDT 2010 

Hi Stuart,

I have been playing around with acount creation, and somehow I have
got into a situation where I can't delete my testaccount. Normally I
just delete the corresponding directory in
/home/httpd/lonUsers/tmcc/l/a/r and delete the account there (the
username od the test account is lars_jensen), but there is no
directory there. On the other habe, when I login as dc and try to
modify the account manually, I am able to enter the configuration
screen for the user, but there is an error:

ERROR: This user has an unrecognized authentication scheme
(unknown_user). Please specify login data below.

and when I try to save the modifications, I get this error:

Modifying authentication: error: pass_file_failed_error
Home server: tmcc1Unable to successfully change environment for
lars_jensen in domain tmcc

With my  only LDAP test account corrupted, I can no longer do any
experimentation with account creation... How do I completely delete a
useraccount?

Lars.

On Fri, Jun 4, 2010 at 11:59 AM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
> Hi Stuart,
>
> OK, so LDAP works, but it seems that user accounts must be pre-created
> in loncapa before ldap login works. Is it possible to have users in
> the LDAP directory login and create their accounts at the moment they
> login the first time? If so, how do I enable this?
>
> Thanks,
> Lars.
>
> On Mon, May 31, 2010 at 11:07 PM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
>> Hi Stuart,
>>
>> Sorry - everything is working after all. I didn't realize I had to
>> restart loncontrol. After a restart, ldap authentication worked
>> perfectly.
>>
>> Thanks,
>> Lars.
>>
>> On Mon, May 31, 2010 at 10:46 PM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
>>> Hi Stuart,
>>>
>>> Do you have a localauth.pm configured for LDAP that works on some
>>> system? So far I haven't had any luck configuring lon-capa for ldap.
>>> It may help to have another sample (including a bind user) to look at
>>> that is known to work.  I know exactly what information lon-capa needs
>>> to send to the ldap server, I am just not sure how to configure it in
>>> localauth.pm.
>>>
>>> Also, do I need to restart any services (loncontrol or apache2?)before
>>> ldap authentication takes effect?
>>>
>>> Lars.
>>>
>>> On Fri, May 28, 2010 at 8:41 AM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
>>>> Hi Craig and Stuart,
>>>>
>>>> Thanks for the reply. I tried to code, but it isn't working for me. I
>>>> have included two versions of localauth.pm I have tried (see below) -
>>>> none of them works, and I'm not sure where the problem lies. My guess
>>>> is it is in the $ldap->search line. I'm not exactly sure what the
>>>> filter =>  and the attr => lines should be. I have another system
>>>> (WeBWorK) I have successfully configured to authenticate with the same
>>>> ldap server, this one includes the following $ldap->search
>>>> configuration
>>>>
>>>> $mesg = $ldap->search(base => $base, filter => "sAMAccountName=$username");
>>>>
>>>> but I still can't get lon-capa to authenticate... Any obvious errors
>>>> in the configuration? Any help is greatly appreciated.
>>>>
>>>> Notes:
>>>> * I installed the Net::LDAP module  on the server
>>>> * I created a lon-capa user with a username equal to the one the user
>>>> has in the ldap directory and set the lon-capa authentication to
>>>> "Local Authentication with argument " (I left the argument empty).
>>>>
>>>> %%%%% 1st try - localauth.pm %%%%%%%%%%%%%%%%
>>>>
>>>> use Net::LDAP;
>>>> use Net::LDAPS;
>>>>
>>>> sub localauth {
>>>>   my ($username,$password,$optional_argument,$domain) = @_;
>>>>
>>>>   my $ldap_host_name = '10.16.19.10';
>>>>   my $ldap_ca_file_name = ' ';
>>>>   my $ldap_dn = "cn=acadjensen,ou=Service
>>>> Accounts,dc=acad,dc=tmccadmn,dc=tmcc,dc=edu";
>>>>
>>>>   my $ldap = Net::LDAPS->new($ldap_host_name,
>>>>                              verify => 'none', # certificate not needed
>>>>                              cafile => $ldap_ca_file_name,
>>>>                              );
>>>>   if (not defined $ldap) {
>>>>       return -3;
>>>>   }
>>>>
>>>>   # Bind with password
>>>>   # This should be enough to authenticate user
>>>>   my $mesg = $ldap->bind($ldap_dn,
>>>>                          password => "XXXXXXXX");
>>>>   if ($mesg->code) {
>>>>       $ldap->unbind;
>>>>       $ldap->disconnect;
>>>>       return -2;
>>>>   }
>>>>
>>>>   # But let's search for the ugaAuthCheck attribute too
>>>>   $mesg = $ldap->search(base =>
>>>> "ou=Students,dc=acad,dc=tmccadmn,DC=tmcc,DC=edu",
>>>>                         filter => "sAMAccountName=$username",
>>>>                         attrs => ['dn'],
>>>>                         );
>>>>   $ldap->unbind;
>>>>   $ldap->disconnect;
>>>>   if ($mesg->count < 1) {
>>>>       return -1;
>>>>   }
>>>>
>>>>   return 1;
>>>> }
>>>> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>>>>
>>>> 1;
>>>> __END__
>>>>
>>>>
>>>> %%%%%%%%%%% 2nd try - localauth.pm %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>>> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>>> use strict;
>>>> use Net::LDAP;
>>>> use Net::LDAPS;
>>>> sub localauth {
>>>>    my ($username,$password) = @ ;
>>>>    my $ldap_host_name = ’10.16.19.10’; # insert the host name of your
>>>> ldap server, e.g., ldap.msu.edu
>>>>    my $ldap_ca_file_name = ’’; # insert the ldap certificate filename
>>>> - include absolute path
>>>>    # certificate is required if you wish to encrypt the password.
>>>>    # e.g., /home/http/perl/lib/local/ldap.certificate
>>>>    my $ldap_dn = "cn=acadjensen,ou=Service
>>>> Accounts,dc=acad,dc=tmccadmn,dc=tmcc,dc=edu";
>>>>    my $bindpassword = "XXXXXXXX";
>>>>    my $ldap_search_base =
>>>> "ou=Students,DC=acad,DC=tmccadmn,DC=tmcc,DC=edu"; # ldap search base,
>>>> this might be set to ’o=msu.edu’.
>>>>    my $ldap = Net::LDAPS->new(
>>>>        $ldap_host_name,
>>>>        verify => ’none’, # ’require’ -> a certificate is needed, ->
>>>> ’none’ if no certificate used
>>>>        cafile => $ldap_ca_file_name,
>>>>  );
>>>>    if (!(defined($ldap))) {
>>>>        return (0);
>>>>  }
>>>>    $ldap->bind( $ldap_dn, password => $bindpassword );
>>>>    my $search_string = ’(uid=’.$username.’)’;
>>>>    my $mesg = $ldap->search (
>>>>        base => $ldap_search_base,
>>>>        filter => "sAMAccountName=.'$username.'",
>>>>        attrs => [’dn’] ,
>>>>  );
>>>>    if ($mesg->code) {
>>>>        $ldap->unbind;
>>>>        $ldap->disconnect;
>>>>        return (0);
>>>>  }
>>>>    my @entries = $mesg->all entries;
>>>>    if (@entries > 0) {
>>>>        $ldap->unbind;
>>>>        $ldap->disconnect;
>>>>        return (0);
>>>>   }
>>>>      $mesg = $ldap->bind (
>>>>          dn => $entries[0]->dn,
>>>>          password => $password,
>>>>   );
>>>>      $ldap->unbind;
>>>>      $ldap->disconnect;
>>>>      if ($mesg->code) {
>>>>          return (0)
>>>>   }
>>>>      return (1);
>>>> }
>>>>  1;
>>>> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>>>>
>>>> 1;
>>>> __END__
>>>> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>>>
>>>
>>
>

More information about the LON-CAPA-admin mailing list