[LON-CAPA-admin] ldap authentication
raeburn at msu.edu
Sat Jun 5 15:32:31 EDT 2010
A Domain Coordinator in domain tmcc can configure LON-CAPA to allow a
user who successfully authenticates via either Kerberos or localauth,
or alternatively via single sign on (SSO), to create a corresponding
user account in the LON-CAPA tmcc domain, if the user does not
currently have one.
To do this in your tmcc domain, select the DC role then use:
Main Menu -> Set domain configuration
Check the checkboxes for the following:
On the next page:
(a) In the "Default authentication/language/timezone" box:
set "Default authentication type" to local
(b) In the "User creation" box:
Check the checkbox for "Instutional Login in the "User creates own
account" row in the "User account creation" block.
(c) In the "User modification" box:
Within the third block [Status of user/Information settable when
self-creating account (if directory data blank)]
Check the boxes for any of the following items for which you will
allow users to complete their own information:
Last Name, First Name, Middle Name, Generation, E-mail address,
for the case where LON-CAPA is unable to retrieve this information
from your institution's directory service (LDAP in your case).
Retrieval of user information from LDAP will require customization of
localenroll.pm. This customization is different to the modification
of localauth.pm which you completed to allow authentication.
By default, your settings for user-definable information items applies
to "All users", but if you have defined institutional
status/affiliation types (e.g., faculty, staff, student) you can
assign different sets of user-definable information for the different
affiliations. These status types are the same as I discussed in my
recent post to this list about course cloning
The same status types can also play a role in restricting the ability
of users to create their own accounts. If you have defined
institutional status/affiliation types you can set which of those
types may create their own user accounts following successful
In this case the "User account creation" block in the Domain
Configuration "User creation" box would contain an additional row:
"Institutional affiliation(s) able to create own account (login/SSO)"
with checkboxes for: Faculty, Staff, Student, Other users etc.
Of course for this to work your customized get_userinfo() subroutine
in localenroll.pm will need to return information about the user's
institutional status, so this can be checked when a user without a
LON-CAPA user account authenticates with a campus username (via LDAP),
to see if this type of user is allowed to create an account.
You will need to modify the get_userinfo() subroutine in
localenroll.pm. If you decide to embark on this type of institutional
integration, I recommend that you also consider implementing directory
searches, username and/or student/employee ID checking when Course
Coordinators add users to their courses, and Autoupdate of user
The result of this customization would be that for all users who
authenticate via LDAP, user information within LON-CAPA (i.e., first
name, last name, permanent e-mail address, student/employee ID) for
these users would be in sync with institutional data. Also you can
prevent creation of new user accounts by Course Coordinators for
usernames with a format matching that used by campus LDAP usernames
which do not currently exist at your institution.
I do not recommend allowing users to set their own Student/Employee
IDs if this information cannot be retrieved from LDAP.
Student/Employee IDs which are a second unique identifier (besides
username) which each LON-CAPA user may receive are used for
bubblesheet grading to map student identity on a bubblesheet to
username in the course.
The Domain Coordination manual, e.g.,
includes some discussion as well as example code from the customized
version of localenroll.pm used at MSU. See section 4: "Integration
with Institutional Systems".
As you have discovered, restart of loncontrol is needed after making
changes to subroutines in localenroll.pm, as these are called by the
lond and lonsql daemons, which a loncontrol restart will restart for
you (and pick changes made to /home/httpd/lib/perl/localenroll.pm).
MSU LON-CAPA group
Quoting Lars Jensen <ljensen at mail.tmcc.edu>:
> Hi Stuart,
> OK, so LDAP works, but it seems that user accounts must be pre-created
> in loncapa before ldap login works. Is it possible to have users in
> the LDAP directory login and create their accounts at the moment they
> login the first time? If so, how do I enable this?
> On Mon, May 31, 2010 at 11:07 PM, Lars Jensen <ljensen at mail.tmcc.edu> wrote:
>> Hi Stuart,
>> Sorry - everything is working after all. I didn't realize I had to
>> restart loncontrol. After a restart, ldap authentication worked
More information about the LON-CAPA-admin