[Deploying Sakai] LDAP Integration Step by Step Guide

Grossman,John E john.grossman at mdanderson.org
Thu Oct 8 08:01:29 PDT 2009

We found it useful to use an LDAP browsing tool like Jxplorer. You can interactively set your base DN and see if searches behave the way you want. Then, once you’re confident you have the right base DN, transfer it to jldap-beans.xml.


On 10/7/09 5:46 PM, "Steve Swinsburg" <steve.swinsburg at gmail.com> wrote:


What happens if you leave out the OU=xxx altogether and just have the other path parts? In my debugging, an LDAP search still works.

Otherwise you could use a custom LDAP provider that chains search paths (and indeed completely different LDAP servers) together. This is one I worked on a while ago, but it is for 2.4: https://source.sakaiproject.org/contrib/une/providers/


On 07/10/2009, at 11:11 PM, Ishtiaq Ahmad wrote:

Hi All,

I am facing a problem with LDAP searching for user accounts in different OUs (Organizational Units).

Jldap_bean.xml Configurations
Base path:

Sakai is able to search the user accounts that exist at the base path specified above, but it is not searching user accounts that exist in the OUs. We want to search user accounts in the whole LDAP directory. Can you please tell me how I can instruct Sakai to search user accounts in the whole directory?

I have different OUs as defined below...


Ishtiaq Ahmad

On Fri, Oct 2, 2009 at 8:02 PM, Steve Selby <Steve_Selby at bonfils.org> wrote:

To turn on LDAP debugging, enter the following 2 lines in your sakai.properties file:


log.config.1 = DEBUG.edu.amc.sakai.user.JLDAPDirectoryProvider

Also make sure that you are not in demo mode – demo mode won’t use LDAP.  Demo mode is usually set by adding -Dsakai.demo=true to your JAVA_OPTS.

Finally, the LDAP fields are case sensitive – make sure you have the spelling AND case correct.

Steve Selby

Director of Information Technology

Bonfils Blood Center


From: production-bounces at collab.sakaiproject.org [mailto:production-bounces at collab.sakaiproject.org] On Behalf Of Ishtiaq Ahmad
 Sent: Friday, October 02, 2009 7:40 AM
 To: Steve Swinsburg

 Cc: production at collab.sakaiproject.org; sakai-dev at collab.sakaiproject.org
 Subject: Re: [Deploying Sakai] LDAP Integration Step by Step Guide

Hi Steve,

I am still unable to authenticate the user from LDAP.

I have run the following scenarios.

1. User: admin: this user exists in both Sakai and LDAP

Password in Sakai: admin
Password in LDAP: 1234

Sakai is authenticating the user with the Sakai password

2. User: Salman: this user exists only in LDAP

Password in LDAP: 123

Sakai is unable to authenticate the user from LDAP

Note: I can log in with this user name (Salman) on the LDAP directory domain but not from Sakai.

Is there any mechanism to check whether Sakai is actually communicating with LDAP or not?
How can I see error messages when Sakai authenticates the user from LDAP?

I have enabled the logging mode of DEBUG in tomcat5w.exe

I am using Windows Server 2003 Active Directory, and the Sakai version is 2.5.4.

Attached is my "jldap-beans.xml" and LDAP directory structure...

 Ishtiaq Ahmad

On Fri, Sep 25, 2009 at 6:06 PM, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:

Delete the user from your Sakai instance or use another user in LDAP that doesn't have a record in Sakai. With LDAP you don't need to create the user accounts in Sakai, all of their info will come from LDAP.



On 25/09/2009, at 10:36 PM, Ishtiaq Ahmad wrote:

Thanks for a nice document. I have followed all the steps mentioned in this document, but my Sakai 2.5.4 is not authenticating from LDAP.
I have a user in Sakai and in LDAP: 0056
Password in Sakai: 1234
Password in LDAP: 0056

Login is successful using the Sakai password but fails using the LDAP password.

Please tell me if any other configuration is needed, or how I can trace whether Sakai is using my specified LDAP.

 Ishtiaq Ahmad

On Fri, Sep 25, 2009 at 3:39 PM, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:


Here's one I prepared earlier:

http://confluence.sakaiproject.org/display/~steve.swinsburg/LDAP+in+Sakai+2.5


 On 25/09/2009, at 8:18 PM, Ishtiaq Ahmad wrote:

Need a step by step guide for integrating Sakai with LDAP in 2.5.x.

 Ishtiaq Ahmad
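
Added example, not part of the original thread and not Sakai code: a Python sketch of how a base DN and search scope decide which entries an LDAP search can return, showing why a base path aimed at one container misses accounts in sibling OUs while a base path without the OU part reaches them. The directory entries and the example.edu domain are constructed, and the sketch makes no claim about which scope Sakai's JLDAP provider uses.

```python
# Constructed Active Directory style entries (assumption, not from the thread).
ENTRIES = [
    "CN=admin,CN=Users,DC=example,DC=edu",
    "CN=Salman,OU=Students,DC=example,DC=edu",
    "CN=Smith\\, Jo,OU=Faculty,OU=Staff,DC=example,DC=edu",
]


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas.

    Simplification: RDNs are compared lower-cased and whitespace-trimmed,
    which matches case-insensitive attributes such as cn, ou and dc.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [r.strip().lower() for r in rdns]


def in_scope(entry_dn, base_dn, scope="sub"):
    """True if entry_dn is covered by a search at base_dn with this scope."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    depth = len(entry) - len(base)
    # The entry must end with every RDN of the base DN, in order.
    if depth < 0 or entry[depth:] != base:
        return False
    if scope == "base":   # the base entry itself only
        return depth == 0
    if scope == "one":    # direct children of the base only
        return depth == 1
    return True           # "sub": the base and everything beneath it


def search(base_dn, scope="sub"):
    """Return the constructed entries a search would be able to see."""
    return [dn for dn in ENTRIES if in_scope(dn, base_dn, scope)]
```

Running the same comparison against your own directory in a browser such as Jxplorer confirms the base DN before it goes into jldap-beans.xml.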
