[Building Sakai] Configuring login with LDAP?

Niebel, William (wdn5e) wdn5e at eservices.virginia.edu
Fri Aug 23 10:47:27 PDT 2013


We've used the jldap provider for several years for user attributes, but not for authentication.  For authentication, we use pubcookie for university ids and sakai db for guests.  So I don't have experience with ldap authentication of individual sakai users.  But for the rest . . .


providers/jldap/README_JLDAP.txt seems to be the main documentation for this.

You'll need to edit this include file to add your local settings:  providers/component/src/webapp/WEB-INF/jldap-beans.xml.
(And importantly, also uncomment the include of that file in this one so that it is actually included:  providers/component/src/webapp/WEB-INF/components.xml)


I strongly recommend configuring a "connectionLivenessValidator".  This checks the underlying com.novell.ldap.jldap ldap connection implementation, which is kept open between uses.  This connection will eventually time out, and the jldap provider code doesn't handle this timeout well without a connectionLivenessValidator configured.

(Also a "laziness" in the implementation seems to make the failure appear, sometimes and confusingly, after the ldap search is actually finished and the jldap code is mapping the ldap data to sakai.  All-in-all, there's much to avoid here and you can do this by configuring a connectionLivenessValidator.

Some earlier issues for us seemed to indicate network or ldap server performance problems.  This led us to develop retry code as a local mod, that is, on unsuccessful ldap search from sakai, try it again.  We continue to configure our ldap with this retry code, but it seems unnecessary with the connectionLivenessValidator configured.)

We configure the (federating) "ConsensusLdapConnectionLivenessValidator" to poll both the "MaxLifetimeLdapConnectionLivenessValidator" (first) and (then) also the "SearchExecutingLdapConnectionLivenessValidator".  The first considers the underlying connection to still be alive for a certain lifetime, which for us is set to less than the timeout of a redirector which sits between our sakai and ldap servers.  (Consider that a firewall could also condition this.)  The second is only consulted if the first considers the connection still alive:  it does a simple but actual ldap search to verify the connection still works.  If both fail, jldap gets a new underlying ldap connection.

Let me know if you want to see our config on this.


We have a few other code patches applied locally:
* our ldap holds mixed-case (Berkeley.EDU-style) email addresses (grr grr grr) so we have a patch to lower-case these in comparisons
* we have a multi-valued ldap attribute which holds a user's various email addresses; we have a patch to prefer that attribute when calling the existing method getFindUserByEmailFilter()
We haven't contributed these back, but probably should.  If you need either of these, let me know.

There are a couple known bugs even in 2.9.3 -- see the following Jiras for patches:
* SAK-23689 (We saw this issue on sending mailarchive messages:  sender doesn't receive the message, though other participants do.)
* SAK-23719 (This is pretty arcane, but nevertheless a bug.  A misguided but otherwise harmless configuration choice led to our seeing this bug.)

Also consider using ldapsearch command or another non-Sakai tool, run on the same machine as your sakai instance, to make sure there's connectivity to the ldap server (firewalls, etc., can skew results) and that you've got your settings right (a base DN acceptable to your ldap server may nevertheless be the wrong one to return the results you need).  This sanity check can save you time.


Good luck with this.


Bill Niebel
University of Virginia

________________________________
From: sakai-dev-bounces at collab.sakaiproject.org [sakai-dev-bounces at collab.sakaiproject.org] on behalf of Thomas, Gregory J [gjthomas at iu.edu]
Sent: Friday, August 23, 2013 10:34 AM
To: sakai-dev at collab.sakaiproject.org
Subject: [Building Sakai] Configuring login with LDAP?

I'm trying to get a gauge on how much time it might take to switch our instance of Sakai from using a web service for logging in via CAS to using a LDAP.

Is there some documentation somewhere for configuring Sakai with LDAP?  If not, where's the best place in the code for getting started?

Thanks,
Greg
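The validator chain Bill describes (a cheap max-lifetime check consulted first, a real search probe consulted only when the lifetime check passed, and a fresh underlying connection whenever the chain reports "dead"), as an added, runnable illustration. This is not the Sakai jldap provider's code and it does not touch a directory: the LDAP connection, the 300 s idle timeout of the intermediary, the 240 s maximum lifetime and the timings of the searches are all constructed for the example.

```python
"""Liveness checking for a long-lived LDAP connection (added illustration).

Not Sakai jldap code. Models a max-lifetime check, a search probe run only
when the lifetime check passed, and reconnection when the chain says "dead".
The connection is an in-memory stand-in so everything runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class FakeLdapConnection:
    """Stand-in for the underlying LDAP connection (constructed).

    An intermediary drops the socket after idle_timeout seconds of inactivity;
    the client only learns that on the next use, which is the late, confusing
    failure the mail warns about.
    """
    opened_at: float
    idle_timeout: float
    last_used: float = field(init=False)
    broken: bool = False

    def __post_init__(self):
        self.last_used = self.opened_at

    def search(self, base_dn: str, ldap_filter: str, now: float) -> list:
        if self.broken or now - self.last_used > self.idle_timeout:
            self.broken = True
            raise ConnectionError("connection reset by intermediary")
        self.last_used = now
        return [{"dn": f"uid=probe,{base_dn}", "filter": ldap_filter}]


class MaxLifetimeValidator:
    """Alive while the connection is younger than max_ttl seconds.
    max_ttl must stay below the idle timeout of any redirector or firewall
    between the application and the directory."""
    def __init__(self, max_ttl: float):
        self.max_ttl = max_ttl

    def is_alive(self, conn: FakeLdapConnection, now: float) -> bool:
        return now - conn.opened_at < self.max_ttl


class SearchExecutingValidator:
    """Alive if a trivial but real search succeeds on the connection."""
    def __init__(self, base_dn: str, ldap_filter: str = "(objectClass=*)"):
        self.base_dn, self.ldap_filter = base_dn, ldap_filter

    def is_alive(self, conn: FakeLdapConnection, now: float) -> bool:
        try:
            conn.search(self.base_dn, self.ldap_filter, now)
            return True
        except ConnectionError:
            return False


class ConsensusValidator:
    """Alive only if every delegate agrees; all() short-circuits, so the
    search probe runs only when the cheaper lifetime check already passed."""
    def __init__(self, delegates):
        self.delegates = list(delegates)

    def is_alive(self, conn, now) -> bool:
        return all(d.is_alive(conn, now) for d in self.delegates)


class ValidatedConnection:
    """Keeps one connection open between uses, re-validating it before each use."""
    def __init__(self, validator, connect):
        self.validator, self.connect = validator, connect
        self.conn = None
        self.reconnects = 0

    def _get(self, now):
        if self.conn is None:
            self.conn = self.connect(now)
        elif self.validator is not None and not self.validator.is_alive(self.conn, now):
            self.conn = self.connect(now)
            self.reconnects += 1
        return self.conn

    def search(self, base_dn, ldap_filter, now):
        return self._get(now).search(base_dn, ldap_filter, now)


IDLE_TIMEOUT = 300.0   # constructed: the redirector drops idle sockets after 5 min
BASE_DN = "ou=people,dc=example,dc=edu"   # assumed base DN


def _connect(now):
    return FakeLdapConnection(opened_at=now, idle_timeout=IDLE_TIMEOUT)


def make_validator():
    return ConsensusValidator([
        MaxLifetimeValidator(max_ttl=240.0),   # comfortably below IDLE_TIMEOUT
        SearchExecutingValidator(BASE_DN),
    ])


def idle_gap_scenario(use_validator: bool):
    """Searches at t=0, 100, 500, 520 s; the 400 s gap exceeds the idle timeout.
    Returns (successful searches, errors, reconnects)."""
    client = ValidatedConnection(make_validator() if use_validator else None, _connect)
    ok = errors = 0
    for now in (0.0, 100.0, 500.0, 520.0):
        try:
            client.search(BASE_DN, "(uid=wdn5e)", now)
            ok += 1
        except ConnectionError:
            errors += 1
    return ok, errors, client.reconnects


def early_reset_scenario():
    """The intermediary resets the socket well inside max_ttl; only the search
    probe can detect that. Returns (search succeeded, reconnects)."""
    client = ValidatedConnection(make_validator(), _connect)
    client.search(BASE_DN, "(uid=wdn5e)", now=0.0)
    client.conn.broken = True   # constructed: reset by the redirector at t=10 s
    result = client.search(BASE_DN, "(uid=wdn5e)", now=20.0)
    return bool(result), client.reconnects


if __name__ == "__main__":
    print("validated  :", idle_gap_scenario(True))    # (4, 0, 1)
    print("unvalidated:", idle_gap_scenario(False))   # (2, 2, 0)
    print("early reset:", early_reset_scenario())     # (True, 1)
```

The two scenarios cover the two failure modes the mail separates: the idle gap is caught by the lifetime check alone (no probe is spent on it), while a reset that happens inside the lifetime window is caught only by the search probe. Without any validator the first search after the gap fails and every later one fails too, because the dead connection is reused.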
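The two local patches Bill mentions (preferring a multi-valued alternate-address attribute in the find-user-by-email filter, and comparing mixed-case addresses case-insensitively), as an added Python example that is not Sakai's getFindUserByEmailFilter() and not UVa's patch. It also adds the RFC 4515 escaping a practitioner would want on any filter assembled from user-supplied text, since an unescaped address such as `a)(uid=*` changes the structure of the filter. The attribute names `mail` and `mailAlternateAddress` and the sample entries are constructed assumptions.

```python
"""Building the find-user-by-e-mail LDAP filter (added example).

Not Sakai's getFindUserByEmailFilter(). Shows a filter that prefers a
multi-valued alternate-address attribute, case-insensitive comparison of
mixed-case addresses, and RFC 4515 escaping of the assertion value.
Attribute names and directory entries are constructed assumptions.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def find_user_by_email_filter(email: str,
                              email_attr: str = "mail",
                              alt_email_attr: str = "mailAlternateAddress") -> str:
    """Return an LDAP search filter for the given address.

    The multi-valued alternate-address attribute (assumed name) is listed
    first so it is the preferred match; the plain mail attribute stays as a
    fallback. The address is escaped, so "a)(uid=*" cannot widen the search.
    """
    addr = escape_filter_value(email.strip())
    if not alt_email_attr:
        return f"({email_attr}={addr})"
    return f"(|({alt_email_attr}={addr})({email_attr}={addr}))"


def email_matches(entry: dict, email: str,
                  attrs=("mailAlternateAddress", "mail")) -> bool:
    """Case-insensitive comparison of the entry's addresses against email.

    Needed when the directory stores mixed-case values (Berkeley.EDU-style)
    and the application compares them as strings after the search returns.
    """
    want = email.strip().lower()
    return any(v.lower() == want for a in attrs for v in entry.get(a, ()))


# constructed sample entries, shaped like decoded search results
SAMPLE_ENTRIES = [
    {"uid": "bob", "mail": ["Bob@Berkeley.EDU"],
     "mailAlternateAddress": ["bob@example.edu", "Robert.Smith@example.edu"]},
    {"uid": "alice", "mail": ["alice@example.edu"], "mailAlternateAddress": []},
]


def find_user(entries, email: str):
    """Return the uid of the first entry whose addresses match, or None."""
    for entry in entries:
        if email_matches(entry, email):
            return entry["uid"]
    return None


if __name__ == "__main__":
    print(find_user_by_email_filter("Bob@Berkeley.EDU"))
    print(find_user_by_email_filter("a)(uid=*", alt_email_attr=""))
    print(find_user(SAMPLE_ENTRIES, "robert.smith@EXAMPLE.edu"))
```

Lower-casing on the application side is the right fix only for the comparison of returned values; the server-side match in the filter is governed by the attribute's equality matching rule, which for `mail` is normally case-ignoring, so the filter itself does not need the lower-cased form.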