[Deploying Sakai] LDAP Integration Step by Step Guide

Grossman,John E john.grossman at mdanderson.org
Tue Sep 29 12:19:40 PDT 2009


Correction to my previous post: I confirmed that users are able to log in via LDAP without a Sakai account being created first.
FYI - we have three sets of users, creating an interesting situation:

1. Enterprise users who authenticate with LDAP and who use the enterprise email address present in LDAP. Mostly employees.

2. Enterprise users who authenticate with LDAP but who never use enterprise email - they use their personal email addresses. Mostly students.

3. Users external to the enterprise who authenticate using Sakai-maintained accounts. External collaborators, for example.

As things work now, we need to create Sakai accounts for groups 2 and 3.
Group 2 needs Sakai accounts so we can maintain their personal email address in Sakai and receive emails from course sites.
Group 3 needs Sakai accounts because they're not in LDAP at all.
This means that both groups 2 and 3 can change their passwords by using the account settings in Sakai. Unfortunately, these passwords can be weak.

We've found that if a user logs into Sakai via LDAP (no internal Sakai account), you cannot then go in and create a Sakai account for that person using Admin Workspace/Users/New User. You get "Alert: The user id is already in use" even though the user can't be found doing a user lookup. It looks like an entry is created in the sakai_user_id_map table and this causes the alert. We have to delete the row in sakai_user_id_map and recreate the user.

Ideally we'd like to have these behaviors to improve flexibility and security:

1. Allow assignment of a Sakai user account to those users who have already logged in via LDAP. This would allow them to manage their own email addresses. Alternatively, you could have a property that would force emails to be sent to the email address maintained in the user profile instead of to the enterprise email pulled from LDAP.

2. Enforce strong passwords for all users who have access to the Sakai account password change page.

Has anyone else solved similar problems?

John
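The "user id is already in use" situation above comes down to a row in sakai_user_id_map with no matching row in the Sakai user table. The following is an added example, not code from the post or from the Sakai project, showing how to list those orphaned map rows and delete one only when it really is orphaned. The column names USER_ID and EID, and the SAKAI_USER table layout, are assumptions about the Sakai schema; the in-memory SQLite database and its rows are constructed for the demonstration, and the SELECT should be run read-only against a backed-up production database before any DELETE.

```python
"""Added example (not from the original post or the Sakai project): find and
remove SAKAI_USER_ID_MAP rows that have no matching SAKAI_USER row, the state
left behind by an LDAP-only login.  The column names USER_ID/EID and the
SAKAI_USER layout are assumptions about the Sakai schema; the in-memory
SQLite database and its rows are constructed for the demonstration."""
import sqlite3

SCHEMA = """
CREATE TABLE SAKAI_USER_ID_MAP (USER_ID TEXT PRIMARY KEY, EID TEXT UNIQUE);
CREATE TABLE SAKAI_USER (USER_ID TEXT PRIMARY KEY, EMAIL TEXT, TYPE TEXT);
"""

# Constructed sample: two LDAP-only logins (map row, no SAKAI_USER row) and
# one full Sakai-maintained account (map row plus SAKAI_USER row).
SAMPLE = [
    ("a1b2", "jdoe", None, None),                          # LDAP login only
    ("c3d4", "student42", None, None),                     # LDAP login only
    ("e5f6", "collab1", "collab1@example.org", "guest"),   # Sakai account
]


def build_sample_db():
    """Create the two tables in memory and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for user_id, eid, email, utype in SAMPLE:
        conn.execute(
            "INSERT INTO SAKAI_USER_ID_MAP (USER_ID, EID) VALUES (?, ?)",
            (user_id, eid),
        )
        if email is not None:
            conn.execute(
                "INSERT INTO SAKAI_USER (USER_ID, EMAIL, TYPE) VALUES (?, ?, ?)",
                (user_id, email, utype),
            )
    conn.commit()
    return conn


def orphaned_id_map_rows(conn):
    """Return (USER_ID, EID) pairs known to the id map but absent from
    SAKAI_USER: these are the ids that trigger 'The user id is already in use'
    when an admin tries to create the account by hand."""
    return conn.execute(
        """
        SELECT m.USER_ID, m.EID
        FROM SAKAI_USER_ID_MAP m
        LEFT JOIN SAKAI_USER u ON u.USER_ID = m.USER_ID
        WHERE u.USER_ID IS NULL
        ORDER BY m.EID
        """
    ).fetchall()


def remove_orphan(conn, eid):
    """Delete the id-map row for eid only if no SAKAI_USER row exists for it,
    so a real Sakai account is never detached from its internal id by mistake.
    Returns True when exactly one row was deleted."""
    cur = conn.execute(
        """
        DELETE FROM SAKAI_USER_ID_MAP
        WHERE EID = ?
          AND USER_ID NOT IN (SELECT USER_ID FROM SAKAI_USER)
        """,
        (eid,),
    )
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = build_sample_db()
    for user_id, eid in orphaned_id_map_rows(db):
        print(f"orphaned map row: USER_ID={user_id} EID={eid}")
    print("removed jdoe:", remove_orphan(db, "jdoe"))        # orphaned, removed
    print("removed collab1:", remove_orphan(db, "collab1"))  # has an account, kept
```

The guarded DELETE is the point: a plain `DELETE ... WHERE EID = ?` would also work on an account that does exist, and since Sakai keys site memberships and other records by the internal USER_ID rather than the EID, a user who is deleted and recreated gets a fresh id and does not inherit anything tied to the old one. Listing the orphans first, and deleting only rows the LEFT JOIN reports, keeps the cleanup limited to the LDAP-only case described in the post.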

