[Building Sakai] Configuring login with LDAP?

Steve Swinsburg steve.swinsburg at gmail.com
Fri Aug 23 15:39:37 PDT 2013


The JLDAP README is comprehensive, but over the top for a simple LDAP setup
IMO. Which is why I wrote this simplified guide:
https://confluence.sakaiproject.org/display/~steve.swinsburg/LDAP+in+Sakai+2.5

Still current for all Sakai versions.

cheers,
Steve


On Sat, Aug 24, 2013 at 3:47 AM, Niebel, William (wdn5e) <wdn5e at eservices.virginia.edu> wrote:

> We've used the jldap provider for several years for user attributes, but
> not for authentication.  For authentication, we use pubcookie for
> university ids and sakai db for guests.  So I don't have experience with
> ldap authentication of individual sakai users.  But for the rest . . .
>
>
> providers/jldap/README_JLDAP.txt seems to be the main documentation for
> this.
>
> You'll need to edit this include file to add your local settings:
> providers/component/src/webapp/WEB-INF/jldap-beans.xml.
> (And importantly, also uncomment in this file so that the include file is
> actually included:  providers/component/src/webapp/WEB-INF/components.xml)
>
>
> I strongly recommend configuring a "connectionLivenessValidator".  This
> checks the underlying com.novell.ldap.jldap ldap connection implementation,
> which is kept open between uses.  This connection will eventually time out,
> and the jldap provider code doesn't handle this timeout well without a
> connectionLivenessValidator configured.
>
> (Also a "laziness" in the implementation seems to make the failure appear,
> sometimes and confusingly, after the ldap search is actually finished and
> the jldap code is mapping the ldap data to sakai.  All-in-all, there's much
> to avoid here and you can do this by configuring a
> connectionLivenessValidator.
>
> Some earlier issues for us seemed to indicate network or ldap server
> performance problems.  This led us to develop retry code as a local mod,
> that is, on unsuccessful ldap search from sakai, try it again.  We continue
> to configure our ldap with this retry code, but it seems unnecessary with
> the connectionLivenessValidator configured.)
>
> We configure the (federating) "ConsensusLdapConnectionLivenessValidator"
> to poll both the "MaxLifetimeLdapConnectionLivenessValidator" (first) and
> (then) also the "SearchExecutingLdapConnectionLivenessValidator".  The
> first considers the underlying connection to still be alive for a certain
> lifetime, which for us is set to less than the timeout of a redirector
> which sits between our sakai and ldap servers.  (Consider that a firewall
> could also condition this.)  The second is only consulted if the first
> considers the connection still alive:  it does a simple but actual ldap
> search to verify the connection still works.  If both fail, jldap gets a
> new underlying ldap connection.
>
> Let me know if you want to see our config on this.
>
>
> We have a few other code patches applied locally:
> * our ldap holds mixed-case (Berkeley.EDU-style) email addresses (grr grr
> grr) so we have a patch to lower-case these in comparisons
> * we have a multi-valued ldap attribute which holds a user's various email
> addresses; we have a patch to prefer that attribute when calling the
> existing method getFindUserByEmailFilter()
> We haven't contributed these back, but probably should.  If you need
> either of these, let me know.
>
> There are a couple of known bugs even in 2.9.3 -- see the following Jiras for
> patches:
> * SAK-23689 (We saw this issue on sending mailarchive messages:  sender
> doesn't receive the message, though other participants do.)
> * SAK-23719 (This is pretty arcane, but nevertheless a bug.  A misguided
> but otherwise harmless configuration choice led to our seeing this bug.)
>
> Also consider using ldapsearch command or another non-Sakai tool, run on
> the same machine as your sakai instance, to make sure there's connectivity
> to the ldap server (firewalls, etc., can skew results) and that you've got
> your settings right (a base DN acceptable to your ldap server may
> nevertheless be the wrong one to return the results you need).  This sanity
> check can save you time.
>
>
> Good luck with this.
>
>
> Bill Niebel
> University of Virginia
>
>  ------------------------------
> *From:* sakai-dev-bounces at collab.sakaiproject.org [
> sakai-dev-bounces at collab.sakaiproject.org] on behalf of Thomas, Gregory J
> [gjthomas at iu.edu]
> *Sent:* Friday, August 23, 2013 10:34 AM
> *To:* sakai-dev at collab.sakaiproject.org
> *Subject:* [Building Sakai] Configuring login with LDAP?
>
> I'm trying to get a gauge on how much time it might take to switch our
> instance of Sakai from using a web service for logging in via CAS to using
> a LDAP.
>
> Is there some documentation somewhere for configuring Sakai with LDAP?
> If not, where's the best place in the code for getting started?
>
> Thanks,
> Greg
>
>
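The two-stage liveness check Bill describes (a max-lifetime gate consulted first, a real probe search only if that passes, a fresh connection if either says dead), as an added model in Python rather than Sakai's own Java or Spring config. The connection, clock and all class and parameter names are constructed for the example; `idle_timeout` plays the redirector/firewall that drops an idle socket without telling the client.

```python
# Added example, not Sakai's own code: a model of the two-stage liveness check
# described above, run against a constructed connection that a redirector or
# firewall silently drops after an idle period. All names are assumptions.
class LdapError(Exception):
    pass
class FakeClock:                # manually advanced so the timeline is deterministic
    now = 0.0
class FakeLdapConnection:       # constructed stand-in for the pooled connection
    def __init__(self, clock, idle_timeout):
        self.clock, self.idle_timeout = clock, idle_timeout
        self.created_at = self.last_used = clock.now
    def search(self, base_dn, flt):
        if self.clock.now - self.last_used > self.idle_timeout:
            raise LdapError("connection reset by peer")   # dropped by middlebox
        self.last_used = self.clock.now
        return [{"dn": f"uid=probe,{base_dn}"}]
class MaxLifetimeValidator:     # stage 1: age check, no network I/O
    def __init__(self, max_ttl, clock):
        self.max_ttl, self.clock = max_ttl, clock
    def is_alive(self, conn):
        return self.clock.now - conn.created_at <= self.max_ttl
class SearchExecutingValidator: # stage 2: a real but cheap search
    def __init__(self, base_dn, flt="(objectClass=*)"):
        self.base_dn, self.flt = base_dn, flt
    def is_alive(self, conn):
        try:
            conn.search(self.base_dn, self.flt)
            return True
        except LdapError:
            return False
class ConsensusValidator:       # all() short-circuits: probe only runs if TTL passes
    def __init__(self, *validators):
        self.validators = validators
    def is_alive(self, conn):
        return all(v.is_alive(conn) for v in self.validators)

def simulate(max_ttl=None, idle_timeout=300.0, schedule=(0, 100, 500),
             base_dn="ou=people,dc=example,dc=edu"):
    """Search at each time (seconds); max_ttl=None means no validator at all."""
    clock, conn, stats = FakeClock(), None, {"reconnects": 0, "failures": 0}
    validator = ConsensusValidator(MaxLifetimeValidator(max_ttl, clock),
                                   SearchExecutingValidator(base_dn))
    for t in schedule:
        clock.now = t
        if conn is None or (max_ttl is not None and not validator.is_alive(conn)):
            conn = FakeLdapConnection(clock, idle_timeout)
            stats["reconnects"] += 1
        try:
            conn.search(base_dn, "(uid=alice)")
        except LdapError:
            stats["failures"] += 1      # what the provider hits without validation
    return stats
```

With no validator the third search fails on the silently dropped socket; with `max_ttl` below the idle timeout the age check alone triggers the reconnect, and with `max_ttl` set too high the probe search still catches the dead connection at the cost of one extra round trip.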