[Deploying Sakai] LDAP Integration Step by Step Guide

Steve Swinsburg steve.swinsburg at gmail.com
Tue Sep 29 17:19:14 PDT 2009 

Hi John,

Regarding password strength for internal accounts, this could be solved 
by a mod to the User Account tool to check password strength and only 
allow strong passwords - I've Jira'd this as 
http://jira.sakaiproject.org/browse/SAK-17058 because it would be a neat 
feature.

I would look at other ways to not have your Group 2 accounts in Sakai. 
Depending on your mail setup at your institution you can allow users to 
transparently forward mail to their personal accounts via a .forward 
file in their mailbox, or store their personal email addresses in LDAP 
and allow students to keep them up to date so Sakai can get at them.

cheers,
Steve

-- 
Steve Swinsburg
Systems Developer
Enterprise Systems
Division of Information
K Block, Building 3K
The Australian National University
Canberra ACT 0200 Australia

T: +61 2 6125 6608
F: +61 2 6125 0449

CRICOS Provider # 00120C



Grossman,John E wrote:
>
> Correction to my previous post: I confirmed that users are able to log 
> in via LDAP without a Sakai account being created first.
>
> FYI - we have three sets of users, creating an interesting situation:
>
> 1.       Enterprise users who authenticate with LDAP and who use the 
> enterprise email address  present in LDAP. Mostly employees.
>
> 2.       Enterprise users who authenticate with LDAP but who never use 
> enterprise email -- they use their personal email addresses. Mostly 
> students.
>
> 3.       Users external to the enterprise who authenticate using 
> Sakai-maintained accounts. External collaborators, for example.
>
>  
>
> As things work now, we need to create Sakai accounts for groups 2 and 3.
>
> Group 2 needs Sakai accounts so we can maintain their personal email 
> address in Sakai and receive emails from course sites.
>
> Group 3 needs Sakai accounts because they're not in LDAP at all.
>
> This means that both groups 2 and 3 can change their passwords by 
> using the account settings in Sakai. Unfortunately, these passwords 
> can be weak.
>
>  
>
> We've found that if a user logs into Sakai via LDAP (no internal Sakai 
> account), you cannot then go in and create a Sakai account for that 
> person using Admin Workspace/Users/New User. You get Alert: The user 
> id is already in use even though the user can't be found doing a user 
> lookup. It looks like an entry is created in the sakai_user_id_map 
> table and this causes the alert. We have to delete the row in 
> sakai_user_id_map and recreate the user.
>
>  
>
> Ideally we'd like to have these behaviors to improve flexibility and 
> security:
>
> 1.       Allow assignment of a Sakai user account to those users who 
> have already logged in via LDAP. This would allow them to manage their 
> own email addresses. Alternatively, you could have a property that 
> would force emails to be sent to the email address maintained in the 
> user profile instead of to the enterprise email pulled from LDAP.
>
> 2.       Enforce strong passwords for all users who have access to the 
> Sakai account password change page.
>
>  
>
> Has anyone else solved similar problems?
>
>  
>
> John
>
>  
>
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/production/attachments/20090930/f5f48310/attachment-0001.html

More information about the production mailing list