[Deploying Sakai] LDAP Integration Step by Step Guide

Steve Swinsburg steve.swinsburg at gmail.com
Mon Sep 28 17:21:20 PDT 2009


As a followup, I can confirm this same procedure works for 2.6 and 2.7 
without needing to create accounts in Sakai.

If you post the following info (you can obfuscate the values if you 
wish) we can tell you what to put in your jldap-beans.xml

Host name of LDAP server, ie ldap.somewhere.edu.au
Base DN for directory searches, ie ou=People,o=somewhere.edu.au
A sample record so we can get the following block configured properly:

<property name="attributeMappings">
    <map>
        <entry key="login"><value>uid</value></entry>
        <entry key="firstName"><value>givenName</value></entry>
        <entry key="lastName"><value>sn</value></entry>
        <entry key="email"><value>mail</value></entry>
        <!--<entry key="groupMembership"><value>groupMembership</value></entry>-->
    </map>
</property>

By default, the login is cn, but it might be uid or something else. 
You'll need to check an LDAP record. That's the most important one to get 
right; the others just won't give the right info if they are incorrect, 
but you can tweak that later.

A good way to check your values is to get an LDAP browser and run a 
search to find a record. I recommend Ldapper on OS X: 
http://carl-bell-2.baylor.edu/~Carl_Bell/ReadMeFiles/LDapper.html

cheers,
Steve

-- 
Steve Swinsburg
Systems Developer
Enterprise Systems
Division of Information
K Block, Building 3K
The Australian National University
Canberra ACT 0200 Australia

T: +61 2 6125 6608
F: +61 2 6125 0449

CRICOS Provider # 00120C
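To check a proposed attributeMappings block against a real record before deploying it, here is an added example (not code from the thread or from Sakai's own LDAP provider). It parses a constructed LDIF record, flags a login attribute that is missing or does not hold the username people actually type (the fatal case the email describes, as opposed to a wrong name or email attribute that only yields wrong profile data), and renders the XML block for jldap-beans.xml. The record, the user `jsmith` and the helper names are assumptions.

```python
# Added example (not from the thread or the Sakai project): validate a
# candidate jldap-beans.xml attributeMappings block against a sample LDAP
# record before deploying it. The LDIF record below is constructed.

SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,o=somewhere.edu.au
objectClass: inetOrgPerson
uid: jsmith
cn: Jane Smith
givenName: Jane
sn: Smith
mail: jane.smith@somewhere.edu.au
"""

# Candidate mapping, Sakai key -> LDAP attribute (as in the email's XML block)
MAPPINGS = {"login": "uid", "firstName": "givenName", "lastName": "sn", "email": "mail"}

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    rec = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        rec.setdefault(name.strip().lower(), []).append(value.strip())
    return rec

def check_mappings(record, mappings, expected_login):
    """Return problems keyed by Sakai property; an empty dict means the block
    is consistent with the record. A wrong 'login' attribute is fatal (Sakai
    cannot find the user at all); other wrong attributes only give wrong data."""
    problems = {}
    for key, attr in mappings.items():
        values = record.get(attr.lower(), [])
        if not values:
            severity = "fatal" if key == "login" else "profile data only"
            problems[key] = f"attribute '{attr}' missing from record ({severity})"
        elif key == "login" and expected_login not in values:
            problems[key] = f"'{attr}' holds {values}, not the username '{expected_login}'"
        elif key == "login" and len(values) > 1:
            problems[key] = f"'{attr}' is multi-valued; pick a single-valued attribute"
    return problems

def render_mappings(mappings):
    """Render the <property name="attributeMappings"> block for jldap-beans.xml."""
    lines = ['<property name="attributeMappings">', '    <map>']
    for key, attr in mappings.items():
        lines.append(f'        <entry key="{key}"><value>{attr}</value></entry>')
    lines += ['    </map>', '</property>']
    return "\n".join(lines)

if __name__ == "__main__":
    rec = parse_ldif(SAMPLE_LDIF)
    print(check_mappings(rec, MAPPINGS, "jsmith") or "mappings OK")
    print(check_mappings(rec, {**MAPPINGS, "login": "cn"}, "jsmith"))  # default cn is wrong here
    print(render_mappings(MAPPINGS))
```

Paste the output of an ldapsearch for one user into SAMPLE_LDIF and run it with the username that user logs in with; the default login attribute cn fails the check for this directory, which is exactly the case the email warns about.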



Steve Swinsburg wrote:
> The issue with users being able to edit their account settings is 
> because they have an account in Sakai. Using the LDAP provider you 
> should not need to create accounts. My bet is the LDAP integration 
> isn't set up quite right.
>
> As a test, have a user that exists in both LDAP and Sakai with 
> identical passwords, login with that user then change their password 
> in Sakai. Logout, log back in again and see what password works. That 
> should tell you from what source they are authenticating.
>
> I'll run some tests on a local instance to see if I can reproduce your 
> issue.
> cheers,
> Steve
>
> -- 
> Steve Swinsburg
> Systems Developer
> Enterprise Systems
> Division of Information
> K Block, Building 3K
> The Australian National University
> Canberra ACT 0200 Australia
>
> T: +61 2 6125 6608
> F: +61 2 6125 0449
>
> CRICOS Provider # 00120C
>   
>
>
> Grossman,John E wrote:
>>
>> Steve -- We recently set up LDAP in 2.6.0 using your instructions. 
>> However, we find that we do need to create the user accounts in Sakai 
>> by entering a user id. Otherwise, the LDAP authentication fails. Is 
>> there a setting that eliminates the need to do this?
>>
>>  
>>
>> We also have a related concern. Users can edit their account settings 
>> and create weak passwords in Sakai. Since Sakai allows authentication 
>> to fall through from LDAP to application-managed authentication, the 
>> users can then authenticate with these weak passwords. Do you have 
>> any suggestions for
>>
>> 1.       preventing LDAP-authenticated users from authenticating with 
>> internal Sakai passwords
>>
>> 2.       enforcing strong passwords for those users who don't have 
>> LDAP entries?
>>
>>  
>>
>> John
>>
>>  
>>
>>  
>>
>> *From:* production-bounces at collab.sakaiproject.org 
>> [mailto:production-bounces at collab.sakaiproject.org] *On Behalf Of 
>> *Steve Swinsburg
>> *Sent:* Friday, September 25, 2009 8:07 AM
>> *To:* organic.ishtiaq at gmail.com
>> *Cc:* production at collab.sakaiproject.org; 
>> sakai-dev at collab.sakaiproject.org
>> *Subject:* Re: [Deploying Sakai] LDAP Integration Step by Step Guide
>>
>>  
>>
>> Delete the user from your Sakai instance or use another user in LDAP 
>> that doesn't have a record in Sakai. With LDAP you don't need to 
>> create the user accounts in Sakai, all of their info will come from LDAP.
>>
>>  
>>
>> cheers,
>>
>> Steve
>>
>>  
>>
>>  
>>
>>  
>>
>> On 25/09/2009, at 10:36 PM, Ishtiaq Ahmad wrote:
>>
>>
>>
>> Hi,
>> thanks for a nice document, I have followed all the steps mentioned 
>> in this document. But my SAKAI 2.5.4 is not authenticating from LDAP....
>> Steps:
>> I have a user in sakai and in LDAP: 0056
>> Password in sakai: 1234
>> Password in LDAP: 0056
>>
>> Login Successful using sakai password but fail using ldap password...
>>
>>
>> Please tell me if any other configuration is needed, or how I can trace 
>> whether Sakai is using my specified LDAP.
>>
>> Regards,
>> Ishtiaq Ahmad
>>
>> On Fri, Sep 25, 2009 at 3:39 PM, Steve Swinsburg 
>> <steve.swinsburg at gmail.com> wrote:
>>
>> Hi,
>>
>> Here's one I prepared earlier:
>>
>> http://confluence.sakaiproject.org/display/~steve.swinsburg/LDAP+in+Sakai+2.5
>>
>> cheers,
>> Steve
>>
>>
>>
>> On 25/09/2009, at 8:18 PM, Ishtiaq Ahmad wrote:
>>
>> Need a step by step guide for integrating Sakai with LDAP in 2.5.x.
>>
>>
>>
>> -- 
>> Regards,
>> Ishtiaq Ahmad
>>
>>  
>>
>>
>>
>>
>> -- 
>> Regards,
>> Ishtiaq Ahmad
>>
>>  
>>