[LON-CAPA-admin] ldap authentication
Stuart Raeburn
raeburn at msu.edu
Sun Jun 6 13:03:21 EDT 2010
Lars,
> ....I don't understand how it can be that a student can login
> (authenticating through ldap) without the student's directory being
> created under lonUsers.
If a domain has configured self-creation of accounts for institutional
login (e.g., with authentication type: local) LON-CAPA can
authenticate the user, but the user will not receive an account (with
creation of a user directory in /home/httpd/lonUsers on the primary
library server for the domain), until a "Create LON-CAPA account"
button has been clicked on a screen displayed after username and
password have been submitted via the standard log-in screen (and were
authenticated). This intermediate screen also allows the user to
provide user information (e.g., first name, last name, which were not
retrieved from an institutional source such as LDAP), as permitted by
the domain configuration.
If the user is authenticated but has no LON-CAPA account, the
following will be logged in /home/httpd/perl/logs/lonnet.log on the
server hosting the user session:
"User <username> at <domain> authorized by <primary library server>,
but needs account"
Although the user has authenticated, he/she does not have a LON-CAPA
session until the "Create LON-CAPA account" button is clicked, and the
information submitted from that page has been verified.
Note: for account creation to be successful, the domain configuration
has to have appropriate settings (see earlier post:
http://mail.lon-capa.org/pipermail/lon-capa-admin/2010-June/002387.html), and
the user's institutional status must satisfy any constraints defined
for the domain.
As LON-CAPA is a networked system, the user's browser interaction can
potentially occur on any server in the network, but the permanent
storage of the user account (e.g., the creation of a user directory in
/home/httpd/lonUsers) will occur on the primary library server in the
domain.
Consequently, /home/httpd/lib/perl/Apache/lonnet.pm on the server
hosting the session, and /home/httpd/perl/lond on the primary library
server in the user's domain are involved in the process.
Stuart Raeburn
MSU LON-CAPA group
Quoting Lars Jensen <ljensen at mail.tmcc.edu>:
> ....I don't understand how it can be that a student can login
> (authenticating through ldap) without the student's directory being
> created under lonUsers. Why is no directory created under lonUsers if
> one does not exist to begin with?
>
> Thanks,
> Lars.
>
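
Added example (not part of the original post and not LON-CAPA code): a small audit of lonnet.log for the "authorized ..., but needs account" message quoted above, counting users who authenticate repeatedly without getting an account, which points at the domain settings or institutional-status constraints the post mentions. The function names, the threshold, the timestamp/pid line prefix and the sample users, domain and host are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message text as quoted in the post. Anything before it on the line
# (timestamp, pid) is ignored, since that prefix format is assumed here.
NEEDS_ACCOUNT = re.compile(
    r"User (?P<user>\S+) at (?P<domain>\S+) "
    r"authorized by (?P<server>[^,\s]+), but needs account"
)

def pending_accounts(lines):
    """Map (user, domain) -> {'count': n, 'servers': set} per matching line."""
    seen = defaultdict(lambda: {"count": 0, "servers": set()})
    for line in lines:
        m = NEEDS_ACCOUNT.search(line)
        if m:
            entry = seen[(m["user"], m["domain"])]
            entry["count"] += 1
            entry["servers"].add(m["server"])
    return dict(seen)

def stuck_users(pending, threshold=2):
    """Users seen at least `threshold` times: authenticated, still no account."""
    return sorted(k for k, v in pending.items() if v["count"] >= threshold)

# Constructed sample lines (hypothetical users, domain and library server).
SAMPLE_LOG = """\
Sun Jun  6 12:58:02 2010 (4121): User jdoe at exampledom authorized by lib1.example.edu, but needs account
Sun Jun  6 12:59:40 2010 (4121): User asmith at exampledom authorized by lib1.example.edu, but needs account
Sun Jun  6 13:01:15 2010 (4307): User jdoe at exampledom authorized by lib1.example.edu, but needs account
Sun Jun  6 13:02:00 2010 (4307): unrelated message
""".splitlines()

if __name__ == "__main__":
    pending = pending_accounts(SAMPLE_LOG)
    for (user, domain), info in sorted(pending.items()):
        servers = ", ".join(sorted(info["servers"]))
        print(f"{user}@{domain}: {info['count']} time(s), authorized by {servers}")
    print("repeated without account:", stuck_users(pending))
```

To audit a real server, pass the open log file instead of `SAMPLE_LOG`, e.g. `pending_accounts(open("/home/httpd/perl/logs/lonnet.log"))`.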