About

LDAP is commonly used for authentication.

Sakai support

An LDAP authentication provider (contributed by Dave Ross) is included in Sakai 2.0, and in Sakai 1.5 under contrib. Installation/configuration instructions can be found here.

Institutions deploying Sakai with LDAP authentication (add your own):

LDAP authentication has been used successfully with these LDAP servers:

  • Novell NLDAP DS 8.7.3.2 using SSL (at UCT)
  • NetscapeLDAP (at PLU)
  • OpenLDAP (also at PLU)

Known issues:

Unmet LDAP authentication requirements:

(add any issues here)

See also:

Introduction

This article will walk you through configuring LDAP authentication for Sakai using the UnboundID LDAP provider.


Info

This article applies to Sakai 19.x and later. If you are using Sakai 12.x or earlier, follow these instructions instead:

LDAP in Sakai 2.5


Stop your Tomcat instance, then edit the provider components file in your Tomcat folder:

Code Block
$TOMCAT_HOME/components/sakai-provider-pack/WEB-INF/components.xml

Uncomment the UnboundID provider import. As shipped, the import line is wrapped in an XML comment:

Code Block
<!-- <import resource="unboundid-ldap.xml" /> -->

Remove the comment markers so that it reads:

Code Block
<import resource="unboundid-ldap.xml" />

Next, edit the LDAP properties of the UnboundID provider, which live in this file in your Tomcat folder:

Code Block
$TOMCAT_HOME/components/sakai-provider-pack/WEB-INF/unboundid-ldap.xml

Edit the most important properties; at a minimum you will need to set up:

  • the ldapHost (Host name or address of your LDAP server):


    Code Block
    <property name="ldapHost">
        <value>ldap.server.ac.uk</value>
    </property>
  • the basePath (Base DN for directory searches):


    Code Block
    <property name="basePath">
        <value>ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>

If your directory does not permit anonymous searches, so that an authenticated bind is required, you will also need to set up the following properties:

  • the ldapUser (DN to which to bind for directory searches):


    Code Block
    <property name="ldapUser">
        <value>cn=username,ou=staff,ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>
  • the ldapPassword (Password for ldapUser defined above):


    Code Block
    <property name="ldapPassword">
        <value>somepassword</value>
    </property>
  • autoBind (whether each connection, when it is allocated, should implicitly bind as the ldapUser above):


    Code Block
    <property name="autoBind">
           <value>true</value>
    </property>

Note that ldapPassword is stored in clear text in this file, so restrict read access to the account Tomcat runs as, and review the connection settings in the same file (the port, and whether the connection uses LDAPS/TLS) so that bind credentials and user passwords are not sent unencrypted; the UCT deployment listed above used SSL.

You will also need to uncomment and review the settings that map LDAP attributes to Sakai user fields. Each entry's key is the Sakai field and its value is the LDAP attribute that supplies it; entries left inside an XML comment (such as aid below) are ignored:


Code Block
<property name="attributeMappings">
    <map>
        <!-- <entry key="aid"><value>krb5PrincipalName</value></entry> -->
        <entry key="login"><value>uid</value></entry>
        <entry key="firstName"><value>givenName</value></entry>
        <entry key="preferredFirstName"><value>preferredName</value></entry>
        <entry key="lastName"><value>sn</value></entry>
        <entry key="email"><value>mail</value></entry>
        <entry key="groupMembership"><value>groupMembership</value></entry>
        <entry key="jpegPhoto"><value>jpegPhoto</value></entry>
    </map>
</property>
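Before restarting Tomcat it is worth checking the edited file offline, since a missing bind credential or a mapping left inside a comment only shows up as a failed login. The script below is an added example, not Sakai code: it parses the <property> elements of an unboundid-ldap.xml fragment, flags the omissions that most often stop the provider from binding (ldapHost or basePath unset, autoBind without ldapUser/ldapPassword, a value that is not a DN, no active login mapping), warns about the clear-text bind password, and applies the attributeMappings map to a directory entry the way the bind-and-search step would. The bean id and class, the sample fragment and the sample entry are constructed for the illustration; the DN check is deliberately simplified.

```python
"""Offline sanity checks for the Sakai UnboundID provider settings (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the properties shown above; bean id/class are made up.
SAMPLE_XML = """<beans>
  <bean id="exampleLdapProvider" class="example.UnboundidProvider">
    <property name="ldapHost"><value>ldap.server.ac.uk</value></property>
    <property name="basePath">
      <value>ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>
    <property name="ldapUser">
      <value>cn=username,ou=staff,ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>
    <property name="ldapPassword"><value>somepassword</value></property>
    <property name="autoBind"><value>true</value></property>
    <property name="attributeMappings">
      <map>
        <!-- <entry key="aid"><value>krb5PrincipalName</value></entry> -->
        <entry key="login"><value>uid</value></entry>
        <entry key="firstName"><value>givenName</value></entry>
        <entry key="preferredFirstName"><value>preferredName</value></entry>
        <entry key="lastName"><value>sn</value></entry>
        <entry key="email"><value>mail</value></entry>
      </map>
    </property>
  </bean>
</beans>
"""

# Simplified DN syntax: comma-separated attr=value RDNs, no escapes or multi-valued RDNs.
DN_RE = re.compile(r"^[A-Za-z][\w.-]*=[^,=]+(,[A-Za-z][\w.-]*=[^,=]+)*$")


def _local(tag):
    """Strip any namespace prefix so the Spring beans namespace does not matter."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, kind):
    """Text of the first child element with the given local name, or None."""
    for child in el:
        if _local(child.tag) == kind:
            return (child.text or "").strip()
    return None


def load_properties(xml_text):
    """Return {property name: str or {map key: str}} for every <property> element.

    Entries inside XML comments are invisible to the parser, as they are to Spring,
    so a commented-out mapping is simply absent from the result.
    """
    props = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "property" or "name" not in el.attrib:
            continue
        name = el.attrib["name"]
        if "value" in el.attrib:  # <property name="x" value="y"/> shorthand
            props[name] = el.attrib["value"].strip()
            continue
        value = _child_text(el, "value")
        if value is not None:
            props[name] = value
            continue
        for child in el:
            if _local(child.tag) == "map":
                props[name] = {e.attrib["key"]: _child_text(e, "value") or ""
                               for e in child
                               if _local(e.tag) == "entry" and "key" in e.attrib}
    return props


def check_config(props):
    """Return (errors, warnings) to resolve before restarting Tomcat."""
    errors, warnings = [], []
    if not props.get("ldapHost"):
        errors.append("ldapHost is not set")
    base = props.get("basePath", "")
    if not base:
        errors.append("basePath is not set")
    elif not DN_RE.match(base):
        errors.append("basePath is not a DN: %r" % base)
    auto_bind = str(props.get("autoBind", "false")).lower() == "true"
    user, password = props.get("ldapUser", ""), props.get("ldapPassword", "")
    if auto_bind and not (user and password):
        errors.append("autoBind is true but ldapUser and ldapPassword are not both set")
    if user and not DN_RE.match(user):
        errors.append("ldapUser is not a DN: %r" % user)
    if password:
        warnings.append("ldapPassword is stored in clear text; restrict the file to the Tomcat account")
    mappings = props.get("attributeMappings")
    if not isinstance(mappings, dict) or not mappings.get("login"):
        errors.append("attributeMappings has no active 'login' entry")
    return errors, warnings


def map_entry(mappings, entry):
    """Apply attributeMappings to one LDAP entry ({attribute: [values]}).

    Attribute names compare case-insensitively, as in LDAP; Sakai fields whose
    attribute is absent (here preferredName) are left out, not set to "".
    """
    lowered = {k.lower(): v for k, v in entry.items()}
    return {field: lowered[attr.lower()][0]
            for field, attr in mappings.items() if lowered.get(attr.lower())}


# Constructed entry for a user who has never logged into Sakai.
SAMPLE_ENTRY = {"uid": ["jsmith"], "givenName": ["Jane"], "sn": ["Smith"],
                "mail": ["jsmith@something.somethingelse"]}

if __name__ == "__main__":
    props = load_properties(SAMPLE_XML)
    print("errors/warnings:", check_config(props))
    print("mapped user:", map_entry(props["attributeMappings"], SAMPLE_ENTRY))
```

To check a real deployment, read $TOMCAT_HOME/components/sakai-provider-pack/WEB-INF/unboundid-ldap.xml into load_properties in place of the sample; the checks are purely syntactic, so a clean result still needs to be followed by the login tests in the next step.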

Start your Tomcat instance and test!

Restart Tomcat and check that you can log in with a username and password that come from LDAP. In particular, try an account that has NEVER logged into Sakai before, to confirm the provider is really being consulted. Also try an account that exists only in Sakai: create a user 'testuser1' and log in with it. That should work too, because Sakai falls through to its internal database when no matching user is found in LDAP.

You should also test the User Membership tool in the Administration Workspace by searching for LDAP users.

Troubleshooting

Subscribe to the sakai-dev[at]apereo.org list and post a message there.