
Introduction

The way LDAP is configured changed quite radically between Sakai 2.4 and 2.5. Sakai 2.4 had a verbose configuration method that required editing different files in different modules. Sakai 2.5 uses a managed Spring bean approach, which means it's more configurable and you only need to touch one part of the providers project.

This article walks you through configuring LDAP for Sakai 2.5 (using the JLDAP provider) in an easy-to-read fashion, as I found the available resources somewhat over-technical for a first-time user who just wants a small amount of LDAP integration in their Sakai environment.

These steps also work for all Sakai versions later than 2.5.

I have recently reviewed this document and can confirm this procedure still works fine for Sakai 2.6, 2.7, 2.8 and 2.9.

Edit the pom.xml

Open for editing:

SAKAI-SRC/providers/component/pom.xml

And uncomment the JLDAP dependency:

<!-- Needed for the JLDAP Provider -->
<dependency>
    <groupId>org.sakaiproject</groupId>
    <artifactId>sakai-jldap-provider</artifactId>
    <version>${sakai.version}</version>
</dependency>

<dependency>
    <groupId>openldap</groupId>
    <artifactId>ldap</artifactId>
    <version>2005.03.29</version>
</dependency>

Edit components.xml

Open for editing:

SAKAI-SRC/providers/component/src/webapp/WEB-INF/components.xml

And uncomment the JLDAP import statement:

<!-- Uncomment and configure to use the JLDAPDirectoryProvider -->
<import resource="jldap-beans.xml" />

Edit jldap-beans.xml

Open for editing:

SAKAI-SRC/providers/component/src/webapp/WEB-INF/jldap-beans.xml

And configure the properties for your LDAP environment.

At a minimum you will need to set up:

  • the ldapHost (host name or address of your LDAP server):
    <property name="ldapHost">
        <value>ldap.server.ac.uk</value>
    </property>

  • the basePath (base DN for directory searches):
    <property name="basePath">
        <value>ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>

If you require an authenticated bind to your LDAP server, you will also need the following properties set up:

  • the ldapUser (DN to bind as for directory searches):
    <property name="ldapUser">
        <value>cn=username,ou=staff,ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>

  • the ldapPassword (password for the ldapUser defined above):
    <property name="ldapPassword">
        <value>somepassword</value>
    </property>

  • autoBind (whether connection allocation should implicitly bind as the ldapUser above):
    <property name="autoBind">
        <value>true</value>
    </property>

Two security points are worth checking at this stage. First, ldapPassword sits in clear text in jldap-beans.xml, which is deployed into the Tomcat webapp, so restrict who can read that file and use a dedicated service account for ldapUser that has read-only access to the user branch. Second, an LDAP simple bind sends the password as-is, so unless the provider is configured for LDAPS (the secureConnection and ldapPort properties in the same bean; LDAPS normally runs on port 636 rather than 389), both the service account's password and every user's login password cross the network in clear text.
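Before rebuilding, it is worth running a quick sanity check over the properties above. The following Python script is an added example, not part of this page or of the Sakai provider: it reads the provider bean out of a jldap-beans.xml (a constructed sample is embedded; the file is plain Spring bean XML, so the parser works with or without the Spring namespace) and flags missing required properties, an autoBind without credentials, a clear-text password in the file, and a connection that is not using LDAPS. The ldapPort and secureConnection property names are assumed from the provider bean definition and should be checked against your own jldap-beans.xml.

```python
"""Sanity-check the connection and bind properties of a Sakai jldap-beans.xml.

Added example. The sample XML is constructed, and the property names ldapPort
and secureConnection are assumed from the provider bean; verify them in your tree.
"""
import xml.etree.ElementTree as ET

PROVIDER_CLASS = "edu.amc.sakai.user.JLDAPDirectoryProvider"

# Constructed sample modelled on the property snippets above (not a real site's file).
SAMPLE_JLDAP_BEANS = """<beans>
  <bean id="org.sakaiproject.user.api.UserDirectoryProvider"
        class="edu.amc.sakai.user.JLDAPDirectoryProvider">
    <property name="ldapHost"><value>ldap.server.ac.uk</value></property>
    <property name="ldapPort"><value>389</value></property>
    <property name="secureConnection"><value>false</value></property>
    <property name="basePath">
      <value>ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>
    <property name="ldapUser">
      <value>cn=username,ou=staff,ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>
    <property name="ldapPassword"><value>somepassword</value></property>
    <property name="autoBind"><value>true</value></property>
  </bean>
</beans>
"""


def _local(tag):
    # Strip a namespace prefix such as {http://www.springframework.org/schema/beans}
    return tag.rsplit("}", 1)[-1]


def read_provider_properties(xml_text, bean_class=PROVIDER_CLASS):
    """Return {property name: value} for the provider bean.

    Handles both <property name="x"><value>y</value></property> and the
    shorthand <property name="x" value="y"/>.
    """
    root = ET.fromstring(xml_text)
    props = {}
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("class") != bean_class:
            continue
        for prop in bean:
            if _local(prop.tag) != "property":
                continue
            name = prop.get("name")
            if prop.get("value") is not None:
                props[name] = prop.get("value").strip()
                continue
            for child in prop:
                if _local(child.tag) == "value":
                    props[name] = (child.text or "").strip()
    return props


def _is_true(props, name):
    return props.get(name, "false").strip().lower() == "true"


def lint_ldap_config(props):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    for required in ("ldapHost", "basePath"):
        if not props.get(required):
            findings.append(f"missing required property {required}")
    if _is_true(props, "autoBind") and not (props.get("ldapUser") and props.get("ldapPassword")):
        findings.append("autoBind is true but ldapUser and ldapPassword are not both set")
    secure = _is_true(props, "secureConnection")
    port = props.get("ldapPort", "389")
    if not secure:
        findings.append("secureConnection is not true: the service bind and every user's "
                        "password cross the network in clear text (LDAP simple bind)")
    elif port == "389":
        findings.append("secureConnection is true but ldapPort is 389; LDAPS is normally 636")
    if props.get("ldapPassword"):
        findings.append("ldapPassword is stored in clear text in jldap-beans.xml: restrict "
                        "file permissions and use a read-only service account for ldapUser")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_config(read_provider_properties(SAMPLE_JLDAP_BEANS)):
        print("WARNING:", finding)
```

To lint a real file, pass its contents to read_provider_properties instead of the sample. The clear-text-password finding is a reminder rather than a defect in the file: the password has to be there for an authenticated bind, so the mitigation is file permissions and a least-privilege service account, not removing it.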
    

You will also need to uncomment and review some of the settings that map LDAP attributes to Sakai attributes:

<property name="attributeMappings">
	<map>
		<entry key="login"><value>cn</value></entry>
		<entry key="distinguishedName"><value>distinguishedName</value></entry>
		<entry key="firstName"><value>givenName</value></entry>
		<entry key="lastName"><value>sn</value></entry>
		<entry key="email"><value>mail</value></entry>
		<!--
		<entry key="groupMembership"><value>groupMembership</value></entry>
		-->
	</map>
</property>
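The login entry above names the LDAP attribute the provider searches on when Sakai asks it for a user (the stack trace in the comments below shows a lookup of the form (|(sAMAccountName=...))). Any code that builds such a filter from a user-typed login name has to escape the RFC 4515 metacharacters, otherwise a login such as *)(objectClass=* turns into a wildcard search. The following Python is an added example, not the provider's own Java code, and makes no claim about how the provider itself escapes: it builds the filter from the mapped login attribute with the escaping applied. The sample eids are constructed.

```python
"""Build the user-lookup filter from the mapped login attribute with RFC 4515 escaping.

Added example. The (|(attr=eid)...) shape follows the filter visible in the
provider's log output; the escaping is the standard one from RFC 4515 section 3.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# An attribute description is a leading letter followed by letters, digits and hyphens,
# which is enough to reject an attacker-influenced mapping such as "cn)(uid".
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def ldap_filter_escape(value):
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login_attr, eids):
    """Return (|(login_attr=eid1)(login_attr=eid2)...) for the given eids.

    login_attr is the value mapped to the "login" key in attributeMappings
    (cn in the mapping above, sAMAccountName on Active Directory).
    """
    if not _ATTR_RE.fullmatch(login_attr):
        raise ValueError(f"not an attribute description: {login_attr!r}")
    if not eids:
        raise ValueError("at least one eid is required")
    clauses = "".join(f"({login_attr}={ldap_filter_escape(e)})" for e in eids)
    return f"(|{clauses})"


if __name__ == "__main__":
    print(build_user_filter("sAMAccountName", ["1020003009"]))
    # A malicious eid is neutralised rather than becoming a wildcard match.
    print(build_user_filter("cn", ["*)(objectClass=*"]))
```

Whatever the provider does internally, the same escaping belongs in any local script or tool you write that looks users up by eid, for example when bulk-checking which Sakai site members still exist in the directory.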

Rebuild and redeploy the providers project

Navigate to:

SAKAI-SRC/providers

And rebuild:

mvn clean install sakai:deploy

Test!

Restart Tomcat and check that you can log in with a username and password that come from LDAP. In particular, try a user that has NEVER logged into Sakai before, to confirm the integration really is working.
Also try a user account that exists only in Sakai, i.e. create a user 'testuser1' and log in as that user. That should also work, as Sakai falls through from LDAP to its internal database when no matching user is found in LDAP.

You should also test that the Mailtool in Sakai works and can send email to a member of a site, and that the users listed in the Site Info tool show the values mapped from LDAP (name and email address).

You don't need to create users in Sakai when using this LDAP integration (except for extra users)

Please note that you DO NOT (and should not) create user accounts in Sakai for users who can authenticate via LDAP. Only create accounts in Sakai for users who have no LDAP entry, i.e. guest accounts or other miscellaneous users. You may run into problems if the same user has an account in both LDAP and Sakai: which password should Sakai authenticate against? If they change their name in Sakai only, the change will not be reflected properly. Keep your data centralised and only create accounts in Sakai if you absolutely need to.




13 Comments

  1. Hello,

    Thanks a lot for your guide. We're deploying Sakai with LDAP and your guide helped a lot. But we have a problem with group mapping from LDAP to Sakai now (Apple's Open Directory, which is basically OpenLDAP-based). Did you try group mapping before? If yes, please kindly share your experience with us.

    1. Hi,

      I haven't done group mapping before but will be exploring this in the future. I do believe there are docs in Confluence about it though. If you work it out, it would be great if you could post any info you find.

      Thanks!

  2. LDAP For Sakai 2.6

    The above steps are 99% of what you need to get LDAP to work with 2.6

    you need to make a slight change to 

    SAKAI-SRC/providers/component/pom.xml
    

     Change the openldap dependency version to use the 2.6 version information like this:

          <dependency>
            <groupId>openldap</groupId>
            <artifactId>ldap</artifactId>
            <version>2.6.ORC1-SNAPSHOT</version>
          </dependency>

    Rebuild and deploy it as mentioned above.

    Truth be told -

    I'm lazy - I copied my jldap-beans.xml file from my old 2.5 source tree because I didn't want to look up all the proper settings again -

    So from this directory :

    ~/sakai/providers/component/src/webapp/WEB-INF
    

    I ran this :

    cp ~/sakai_2-5-x/providers/component/src/webapp/WEB-INF/jldap-beans.xml .
    



    Then I ran the rebuild and deploy above, and it's working as if I actually knew what I was doing.

    1. Hi Jonathon,

      OK, so you didn't need to change the dependency version, right?
      My 2.6.x and trunk versions show:

      <dependency>
          <groupId>openldap</groupId>
          <artifactId>ldap</artifactId>
          <version>2005.03.29</version>
      </dependency>

      which seems to be ok.

  3. Thanks for the tutorial !!

  4. Thanks a lot for this useful document! LDAP can be quite complicated, at least we got the Sakai easily! (smile)

  5. Thanks for the tutorial!!!

     But I've one question.

    Is it possible to map users by taking the ou (organizational unit)?

    1. Sure, in jldap-beans:

      <property name="basePath">
      <value>ou=People,o=anu.edu.au</value>
      </property>

  6. Hi All,

     

    I have a problem setting up LDAP for Sakai 2.8.1.

    I have followed the instructions above but got LDAP "Invalid credentials (49)".

    I can run the command below successfully.

    ldapsearch -LLL -h yustudent.local -p 389 -b 'dc=yustudent,dc=local' -D 'YUSTUDENT\accont' -w 'password'

    Can you advise me how to modify jldap-beans.xml?

    The LDAP server is Windows Active Directory.

    Thanks.

    Regards

    Irfan

  7. Is anything different for Sakai 10?

  8. Hi Steve,

    Thanks for your guide. Do you have any suggestions about the error below?

    Thanks in advance.

    org.sakaiproject.portal.api.PortalHandlerException: java.lang.RuntimeException: getUsers(): RuntimeException during search eid = 1020003009]
    at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:901)
    caused by: java.lang.RuntimeException: getUsers(): RuntimeException during search eid = 1020003009]
    at org.sakaiproject.user.impl.DbUserService$DbStorage.getUsersByIds(DbUserService.java:702)
    caused by: java.lang.RuntimeException: searchDirectory(): RuntimeException while executing search [baseDN = null][filter = (|(sAMAccountName=1020003009))][return attribs = null][max results = 200]
    at edu.amc.sakai.user.JLDAPDirectoryProvider.getUsers(JLDAPDirectoryProvider.java:630)
    caused by: java.lang.RuntimeException: failed to get pooled connection
    at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectory(JLDAPDirectoryProvider.java:908)
    caused by: java.util.NoSuchElementException: Timeout waiting for idle object
    at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1167)

  9. Dependency in Sakai 12 is:

    <dependency>
        <groupId>com.novell.ldap</groupId>
        <artifactId>jldap</artifactId>
        <version>2009-10-07</version>
    </dependency>