
About

Active Directory exposes an LDAP interface, so authenticating against it is largely LDAP authentication, but it also involves shared network resources (file shares, group memberships) and may afford some unique integration approaches.
BU School of Management is using a .NET web service to query the AD and serve up authentication and authorization information for a Sakai consumer. We'd also be interested in developing ways to integrate Sakai with shared network resources.

Support in Sakai:

A modified version of the Sakai 2.3.1 LDAP provider that performs an authenticated (non-anonymous) bind to Active Directory can be found here:

https://source.sakaiproject.org/contrib/unicon/providers/tags/providers-uarts-patch-1/jldap

Institutions interested in integrating Active Directory with Sakai: (add yourself)

  • BU School of Management
  • Indiana University School of Medicine

See Also

LDAP Authentication


2 Comments

  1. It has been noted that the LDAP provider does not work out of the box as Active Directory does not support anonymous lookups, which several methods depend upon. One suggested workaround is to create a lookup user in Active Directory for Sakai that can first bind and then run the LDAP query.

    Also of note, if you have a group of Active Directory servers behind one hostname, you may need to set the LDAP connection property that allows referrals. The default value of the property is false.

    1. Another approach is to not have the provider "search" the directory for the user. This can be done if all your users are in the same OU: you simply append that OU to their login and then bind based on that.

      The problem is that a userDirectoryProvider does more than authenticate users. It is used by Sakai to obtain and display data about ALL users who authenticate through the provider... which means when you view a class list, the userDirectory provider is asked for details of every member in the class. If AD won't give out information to non-authenticated users (and we can't bind as the current logged-in user because we only know their password at authenticate-time), you would HAVE to either use a lookup user or enable anonymous access to completely implement the userDirectoryProvider interface.
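The two patterns discussed in the comments above, as an added example that is not the Sakai provider's own code: a service ("lookup") account that binds first and then searches for the user, a second bind as the user's own DN to check the password, an attribute lookup for non-authenticating users (the class-list case), and the no-search alternative that builds the bind DN from the login and a fixed OU. It is written against JNDI from the JDK rather than the Novell JLDAP library the Sakai provider uses, so it runs without extra jars. The hostname, base DN, service account and OU below are assumptions; replace them with your own.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example, not Sakai code: lookup-user bind, search, then user bind. */
public class AdLookupUserExample {

    // Assumed values. One hostname may front several domain controllers.
    static final String LDAP_URL = "ldap://ad.example.edu:389";
    static final String BASE_DN = "DC=example,DC=edu";
    static final String LOOKUP_USER = "CN=sakai-lookup,OU=Service Accounts," + BASE_DN;
    static final String LOOKUP_PASSWORD = System.getenv("SAKAI_AD_LOOKUP_PASSWORD");

    private static DirContext bind(String principal, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            // AD treats a DN with an empty password as an unauthenticated bind and
            // reports success, so an empty credential must never reach the server.
            throw new NamingException("empty password would become an anonymous bind");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Several DCs behind one hostname answer some searches with referrals;
        // "follow" is the JNDI counterpart of the provider's allow-referrals
        // property mentioned in the comment above (JNDI's default is "ignore").
        env.put(Context.REFERRAL, "follow");
        return new InitialDirContext(env);
    }

    /** Search as the lookup user; returns the entry for login, or null. */
    static SearchResult findUser(String login) throws NamingException {
        DirContext ctx = bind(LOOKUP_USER, LOOKUP_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"displayName", "mail"});
            // The login is user input; passing it as filter argument {0} makes
            // JNDI escape it, so a value like "*)(objectClass=*" cannot rewrite
            // the filter (LDAP injection). Never concatenate it into the string.
            NamingEnumeration<SearchResult> results = ctx.search(
                    BASE_DN, "(&(objectClass=user)(sAMAccountName={0}))",
                    new Object[] {login}, sc);
            return results.hasMore() ? results.next() : null;
        } finally {
            ctx.close();
        }
    }

    /** Authenticate: find the user's DN, then bind again as that DN. */
    static boolean authenticate(String login, String password) {
        try {
            SearchResult user = findUser(login);
            if (user == null) return false;
            bind(user.getNameInNamespace(), password).close();
            return true;
        } catch (NamingException e) {
            return false; // bad password, unknown user, or directory unreachable
        }
    }

    /** The non-authentication half of the provider: data about any user. */
    static Attributes lookupAttributes(String login) throws NamingException {
        SearchResult user = findUser(login);
        return user == null ? null : user.getAttributes();
    }

    /** The reply's alternative: no search, bind straight as a DN built from the
     *  login. Works only when every user is in one OU and CN equals the login. */
    static boolean authenticateByDn(String login, String password, String usersOu) {
        // Escape RFC 4514 DN specials so the login cannot alter the DN structure.
        String cn = login.replaceAll("([,+\"\\\\<>;=#])", "\\\\$1");
        try {
            bind("CN=" + cn + "," + usersOu, password).close();
            return true;
        } catch (NamingException e) {
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println("authenticated: " + authenticate(args[0], args[1]));
        Attributes a = lookupAttributes(args[0]);
        if (a != null) System.out.println("displayName: " + a.get("displayName"));
        System.out.println("bind-by-DN: "
                + authenticateByDn(args[0], args[1], "OU=Students," + BASE_DN));
    }
}
```

Two points worth checking against your own deployment: the lookup account needs only read access to the user attributes Sakai displays, so give it nothing more, and the password check happens entirely in the second bind, which is why the empty-password guard in bind() matters (an unauthenticated bind succeeds on AD and would let any known login in with a blank password). The DN-building variant skips the search round trip but the escaping shown covers only the common specials; a leading or trailing space in a login would still need handling.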