[Building Sakai] Configuring login with LDAP?
Steve Swinsburg
steve.swinsburg at gmail.com
Fri Aug 23 15:39:37 PDT 2013
The JLDAP README is comprehensive, but over the top for a simple LDAP setup
IMO. Which is why I wrote this simplified guide:
https://confluence.sakaiproject.org/display/~steve.swinsburg/LDAP+in+Sakai+2.5
Still current for all Sakai versions.
cheers,
Steve
On Sat, Aug 24, 2013 at 3:47 AM, Niebel, William (wdn5e) <wdn5e at eservices.virginia.edu> wrote:
> We've used the jldap provider for several years for user attributes, but
> not for authentication. For authentication, we use pubcookie for
> university ids and sakai db for guests. So I don't have experience with
> ldap authentication of individual sakai users. But for the rest . . .
>
>
> providers/jldap/README_JLDAP.txt seems to be the main documentation for
> this.
>
> You'll need to edit this include file to add your local settings:
> providers/component/src/webapp/WEB-INF/jldap-beans.xml.
> (And importantly, also uncomment in this file so that the include file is
> actually included: providers/component/src/webapp/WEB-INF/components.xml)
>
>
> I strongly recommend configuring a "connectionLivenessValidator". This
> checks the underlying com.novell.ldap.jldap ldap connection implementation,
> which is kept open between uses. This connection will eventually time out,
> and the jldap provider code doesn't handle this timeout well without a
> connectionLivenessValidator configured.
>
> (Also a "laziness" in the implementation seems to make the failure appear,
> sometimes and confusingly, after the ldap search is actually finished and
> the jldap code is mapping the ldap data to sakai. All in all, there's much
> to avoid here and you can do this by configuring a
> connectionLivenessValidator.
>
> Some earlier issues for us seemed to indicate network or ldap server
> performance problems. This led us to develop retry code as a local mod,
> that is, on unsuccessful ldap search from sakai, try it again. We continue
> to configure our ldap with this retry code, but it seems unnecessary with
> the connectionLivenessValidator configured.)
>
> We configure the (federating) "ConsensusLdapConnectionLivenessValidator"
> to poll both the "MaxLifetimeLdapConnectionLivenessValidator" (first) and
> (then) also the "SearchExecutingLdapConnectionLivenessValidator". The
> first considers the underlying connection to still be alive for a certain
> lifetime, which for us is set to less than the timeout of a redirector
> which sits between our sakai and ldap servers. (Consider that a firewall
> could also condition this.) The second is only consulted if the first
> considers the connection still alive: it does a simple but actual ldap
> search to verify the connection still works. If both fail, jldap gets a
> new underlying ldap connection.
>
> Let me know if you want to see our config on this.
>
>
> We have a few other code patches applied locally:
> * our ldap holds mixed-case (Berkeley.EDU-style) email addresses (grr grr
> grr) so we have a patch to lower-case these in comparisons
> * we have a multi-valued ldap attribute which holds a user's various email
> addresses; we have a patch to prefer that attribute when calling the
> existing method getFindUserByEmailFilter()
> We haven't contributed these back, but probably should. If you need
> either of these, let me know.
>
> There are a couple known bugs even in 2.9.3 -- see the following Jiras for
> patches:
> * SAK-23689 (We saw this issue on sending mailarchive messages: sender
> doesn't receive the message, though other participants do.)
> * SAK-23719 (This is pretty arcane, but nevertheless a bug. A misguided
> but otherwise harmless configuration choice led to our seeing this bug.)
>
> Also consider using the ldapsearch command or another non-Sakai tool, run on
> the same machine as your sakai instance, to make sure there's connectivity
> to the ldap server (firewalls, etc., can skew results) and that you've got
> your settings right (a base DN acceptable to your ldap server may
> nevertheless be the wrong one to return the results you need). This sanity
> check can save you time.
>
>
> Good luck with this.
>
>
> Bill Niebel
> University of Virginia
>
> ------------------------------
> *From:* sakai-dev-bounces at collab.sakaiproject.org [sakai-dev-bounces at collab.sakaiproject.org] on behalf of Thomas, Gregory J [gjthomas at iu.edu]
> *Sent:* Friday, August 23, 2013 10:34 AM
> *To:* sakai-dev at collab.sakaiproject.org
> *Subject:* [Building Sakai] Configuring login with LDAP?
>
> I'm trying to get a gauge on how much time it might take to switch our
> instance of Sakai from using a web service for logging in via CAS to using
> an LDAP.
>
> Is there some documentation somewhere for configuring Sakai with LDAP?
> If not, where's the best place in the code for getting started?
>
> Thanks,
> Greg
>
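The chained liveness check Bill describes (lifetime check first, real search only if that passes, fresh connection if the chain says dead), as an added Python model. This is not Sakai's jldap code: the class names echo the Sakai validators named above, but the bodies and the FakeLdapConnection stand-in are constructed for this illustration.

```python
import time

# Constructed stand-in for the long-lived com.novell.ldap connection.
class FakeLdapConnection:
    def __init__(self, opened_at, healthy=True):
        self.opened_at = opened_at   # when the socket was established
        self.healthy = healthy       # False once the idle timeout has fired
        self.probes = 0              # how many verification searches ran

    def search(self, base_dn, ldap_filter):
        self.probes += 1
        if not self.healthy:
            raise ConnectionError("connection dropped by peer/redirector")
        return [base_dn]             # trivially non-empty result


# Alive only while the connection is younger than max_ttl seconds; keep
# max_ttl below the idle timeout of any redirector/firewall in the path.
class MaxLifetimeValidator:
    def __init__(self, max_ttl, clock=time.time):
        self.max_ttl, self.clock = max_ttl, clock

    def is_alive(self, conn):
        return (self.clock() - conn.opened_at) < self.max_ttl


# Issues a cheap but real search; any failure means the connection is dead.
class SearchExecutingValidator:
    def __init__(self, base_dn, ldap_filter="(objectClass=*)"):
        self.base_dn, self.ldap_filter = base_dn, ldap_filter

    def is_alive(self, conn):
        try:
            return bool(conn.search(self.base_dn, self.ldap_filter))
        except ConnectionError:
            return False


# Consults delegates in order and short-circuits on the first "dead"
# verdict, so the search probe only runs if the lifetime check passes.
class ConsensusValidator:
    def __init__(self, delegates):
        self.delegates = list(delegates)

    def is_alive(self, conn):
        return all(d.is_alive(conn) for d in self.delegates)


def checkout(conn, validator, clock=time.time):
    """Return conn if the validator approves it, else a fresh connection."""
    return conn if validator.is_alive(conn) else FakeLdapConnection(clock())
```

Order matters: putting the lifetime validator first means an expired connection is replaced without spending a round trip on a search that would only fail later.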