[LON-CAPA-admin] ldap authentication

Lars Jensen ljensen at mail.tmcc.edu
Thu May 27 19:05:08 EDT 2010


Hi Stuart,

Is there a sample file available that shows the configuration? I'm not
sure how to do this. We don't allow anonymous ldap authentication.
Where does the bind user and password go?

Thanks,
Lars.

On Tue, Aug 11, 2009 at 9:30 AM, Stuart Raeburn <raeburn at msu.edu> wrote:
> Lars,
>
>> (1) Do I put my changes in this section of
>> /home/httpd/lib/perl/localauth.pm?
>>
>> # ----START LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>> sub localauth {
>>    my ($username,$password,$optional_argument,$domain) = @_;
>>    return 0;
>> }
>> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>
> Yes
>
>> (2) Do I replace the following lines above,
>>
>> sub localauth {
>>    my ($username,$password,$optional_argument,$domain) = @_;
>>    return 0;
>> }
>>
>> with the code on page 15-16 in the Domain Coordinator manual?
>
> Yes. You'd need to customize that code with settings appropriate for the
> LDAP service at your institution.
>
> You'll also need to install the CPAN modules: Net::LDAP and Net::LDAPS.  If
> you can find rpms for these modules in a repository you use with your distro
> then install those, otherwise you'll need to either install using cpan, or
> download the tarballs from cpan.org, then make and install from there.  To
> date, I have not created rpms for these packages and added them to the
> LON-CAPA repos for supported distros, although I may do so in the future.
>
>> (3) After having done (1) and (2) with proper configuration for our
>> site, will I still be able to login as usual (internally
>> authenticated)? (At TMCC, only the students are in ldap.) If a
>> username in the ldap container matches an already existing loncapa
>> instructor username, the ldap user obviously can't login. But is there
>> a way of changing the instructor username of the lon-capa user.
>> (Changing it to upper case would work because all student accounts are
>> lower case.)
>>
>
> After the change you will be able to log-in as usual (internally
> authenticated) as long as you have not modified the authentication type for
> your LON-CAPA account. The issue of potential overlap between institutional
> usernames (i.e., ldap usernames) and internally authenticated LON-CAPA
> usernames is discussed in
> the Domain Coordination manual (see section 2.7: "Identity Management:
> Creating New Users").  Implementation of username format checking requires
> modification of localenroll.pm, another customizable file found in
> /home/httpd/lib/perl. Once implemented, control of format rules etc. is via
> the Domain Configuration menu, available to Domain Coordinators via the Main
> Menu.
>
> Ideally you'll want to implement checking of usernames when a new
> "LDAP-type" user is added to your LON-CAPA domain to ensure that a username
> in the format used for the LDAP user exists (and is always added with the
> authentication type set to "localauth").  Usernames for new users who do not
> have LDAP usernames should employ a different format. Requiring one or more
> upper case characters in the username for internal authenticated users would
> be one approach that would work in your situation.  See: "4.3 Format Rule
> Definitions and Checks: Usernames and IDs" in the Domain Coordination manual
> for more information.
>
> Unfortunately, LON-CAPA does not currently support changing usernames for
> existing users. This has been on the list of planned development work since
> 2007, and the required virtualization of usernames will hopefully get worked
> on soon.
>
> If you have access to a campus LDAP service, your use of that service can
> potentially go beyond authentication, to encompass support for institutional
> directory searches. See:  "4.4 Institutional Directory Information" in the
> Domain Coordination manual, which includes an example ldap_search() routine
> called by localenroll::get_user_info().  This type of functionality requires
> customization of appropriate routines in localenroll.pm.
>
> Please contact me offlist if you have specific questions, or need assistance
> implementing interface(s) to your particular campus systems via the
> customizable LON-CAPA localauth.pm and localenroll.pm modules.
>
> Stuart Raeburn
> MSU LON-CAPA group
> [ helpdesk at loncapa.org ]
>
>
> Quoting Lars Jensen <ljensen at mail.tmcc.edu>:
>
>> Hi Stuart,
>>
>> On Fri, Jul 24, 2009 at 12:32 PM, Stuart Raeburn<raeburn at msu.edu> wrote:
>>>
>>> Lars,
>>>
>>> Yes, user authentication via LDAP is possible.
>>> /home/httpd/lib/perl/localauth.pm can be customized to authenticate
>>> against
>>> your campus LDAP service.
>>>
>>> There's an example in the Domain Coordination Manual (e.g.,
>>> http://msu.loncapa.org/adm/help/domain.manual.pdf) -- see section 4.1
>>> "Institutional Authentication" on page 14.
>>
>> (1) Do I put my changes in this section of
>> /home/httpd/lib/perl/localauth.pm?
>>
>> # ----START LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>> sub localauth {
>>    my ($username,$password,$optional_argument,$domain) = @_;
>>    return 0;
>> }
>> # ----END LOCAL CHANGES HERE ----- DON'T DELETE THIS LINE
>>
>> (2) Do I replace the following lines above,
>>
>> sub localauth {
>>    my ($username,$password,$optional_argument,$domain) = @_;
>>    return 0;
>> }
>>
>> with the code on page 15-16 in the Domain Coordinator manual?
>>
>> (3) After having done (1) and (2) with proper configuration for our
>> site, will I still be able to login as usual (internally
>> authenticated)? (At TMCC, only the students are in ldap.) If a
>> username in the ldap container matches an already existing loncapa
>> instructor username, the ldap user obviously can't login. But is there
>> a way of changing the instructor username of the lon-capa user.
>> (Changing it to upper case would work because all student accounts are
>> lower case.)
>>
>> Thanks,
>> Lars.
>>
>>>
>>> Once you have localauth.pm configured and working you can switch existing
>>> users to use LDAP by modifying the authentication type for them to
>>> "localauth" (they are probably currently set to "internal").  One way to
>>> do
>>> this is to become the Domain Coordinator and proceed as follows:
>>>
>>> A. Go to Main Menu
>>>
>>> B. Click on "Create users or modify the roles and privileges of users"
>>>
>>> C. Click on  "Upload a File of Users"
>>>
>>> upload a file containing usernames of users for whom the authentication
>>> mechanism is to be changed.
>>>
>>>
>>> D. On the next page, identify the username field, and in the "Login Type"
>>> section:
>>>
>>>  1. Change authentication for existing users in domain "msu" to these
>>> settings
>>>     to "Yes"
>>>
>>>  2. Select the radio button for "locally authenticated"
>>>
>>>  In the "Default domain" set the domain to tmcc (Truckee Meadows)
>>>
>>>  In the "Setting for assigning roles"
>>>  1. Select the radio button for "No role changes"
>>>
>>>  Click "Update Users".
>>>
>>> This will take some time to complete.
>>>
>>> Another way to do this is to run a script at the command line, as the www
>>> user which will modify the contents of the
>>> /home/httpd/lonUsers/tmcc/$1/$2/$3/$username/passwd files for existing
>>> users
>>> to be:
>>>
>>> localauth:
>>>
>>> (where $1, $2 and $3 are the first, second and third characters in the
>>> username, e.g., change the contents of
>>> /home/httpd/lonUsers/tmcc/j/e/n/jensen/passwd).
>>>
>>> As Domain Coordinator, you will also want to use "Set domain
>>> configuration"
>>> from the Main Menu, to set the configuration "User creation" setting the
>>> "Assignable authentication types" to include "Local" for all contexts.
>>>
>>> Stuart Raeburn
>>> MSU LON-CAPA group
>>>
>>>
>>> Quoting Lars Jensen <ljensen at tmcc.edu>:
>>>
>>>> Hi,
>>>>
>>>> We now have an ldap server for student authentications so I'd like  to
>>>> configure lon-capa to use it. Is this possible, and is there any
>>>>  documentation anywhere?
>>>>
>>>> Thanks,
>>>> Lars.
>>>>
>
>
>
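On the question of where the bind user and password go when anonymous binds are disabled: the following is an added example, not code from the Domain Coordination manual, the LON-CAPA project or anyone in this thread. It shows a localauth routine that binds as a service account, looks up the user's DN, then rebinds as that user. The host name, DNs, file paths, the uid attribute and the return value 1 for success are assumptions; the stub quoted above only shows 0 for failure.

```perl
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

# Hypothetical site settings; replace with your institution's values.
my $LDAP_HOST   = 'ldap.example.edu';
my $SEARCH_BASE = 'ou=students,dc=example,dc=edu';
my $BIND_DN     = 'cn=loncapa-svc,ou=services,dc=example,dc=edu';
my $BIND_PWFILE = '/path/to/ldap-bind-password';   # placeholder; mode 0400, owner www
my $CA_FILE     = '/path/to/ldap-ca.pem';          # placeholder; CA that signed the LDAP cert

sub localauth {
    my ($username,$password,$optional_argument,$domain) = @_;
    # An empty password turns a simple bind into an unauthenticated bind,
    # which many servers report as success; refuse it up front.
    return 0 unless defined($username) && $username ne '';
    return 0 unless defined($password) && $password ne '';

    # The service account password lives in a protected file, not in this module.
    open(my $fh, '<', $BIND_PWFILE) or return 0;
    chomp(my $bindpw = <$fh> // '');
    close($fh);
    return 0 if $bindpw eq '';

    # LDAPS with certificate verification, so neither password is sent in clear.
    my $ldap = Net::LDAPS->new($LDAP_HOST, verify => 'require',
                               cafile => $CA_FILE, timeout => 10) or return 0;

    # Step 1: bind as the service account (the "bind user").
    my $mesg = $ldap->bind($BIND_DN, password => $bindpw);
    if ($mesg->code) { $ldap->unbind; return 0; }

    # Step 2: find the user's DN; escape the username so it cannot alter the filter.
    $mesg = $ldap->search(
        base   => $SEARCH_BASE,
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($username) . ')',
        attrs  => ['1.1'],            # request the DN only, no attributes
    );
    if ($mesg->code || $mesg->count != 1) { $ldap->unbind; return 0; }
    my $user_dn = $mesg->entry(0)->dn;

    # Step 3: rebind as that DN with the password the user typed.
    $mesg = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    return $mesg->code ? 0 : 1;       # 1 for success is an assumption
}
1;
```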