]po[ OpenLDAP Driver

Note: This package is outdated. Starting with V4.0, its functionality is covered by the package auth-ldap-adldapsearch.

This package establishes an interface between ]po[ and the OpenLDAP authentication infrastructure using the “ldapsearch” command line tool from the “OpenLDAP” Linux RPM.

Obtaining the Right Version of ldapsearch

The "ldapsearch" tool is available in two versions with completely incompatible command line parameters:

  • as part of "OpenLDAP" and
  • as part of "OpenLDAP2" or MozLDAP (Mozilla LDAP package).

For the purpose of this ]project-open[ LDAP package we need version 2.4. To check that you have the right version, please enter:

# ldapsearch -VV
As a result, you should get a total of three lines with a first line similar to "ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.21 (...)",

Obtaining the ]po[ Package

The package “auth-ldap-openldap” is available from CVS only at the moment. You can obtain the software via CVS if you are running an earlier version of ]po[:

# cd /web/projop/packages
# cvs -d :pserver:anonymous@cvs.project-open.net:/cvsroot/ checkout auth-ldap-openldap

The required "OpenLDAP" Linux RPM is part of all major Linux distributions and included in the ]po[ VMware installers. OpenLDAP is a stable package with few changes in the last years, so most versions of it should work together with ]po[.

Installing “auth-ldap-openldap”

Please make sure the package is available in the /packages/ directory of your ]po[ installation. Then go to the /acs-admin/apm/ URL, select "Install New Packages" and select the package for installation. Restart the server, go back to /acs-admin/apm/ and check that the package is listed as installed.

Please uninstall any other "auth-*" package before installing auth-ldap-openldap, otherwise you will get an error message talking about duplicate values.

Configuring LDAP Access To OpenLDAP

Before configuring the LDAP module, we recommend that you test the LDAP connection manually using the command line. ]po[ relies on the “ldapsearch” command line tool to establish a connection to the LDAP server, so you can test the connection manually before configuring ]po[.

Test Connection Parameters

To check the validity of a username/password combination, we use the "ldapsearch -n" command. With -n, ldapsearch does not perform the search itself, but it still binds to the server, so it returns an error if the username/password combination is wrong. An example call of the tool may look like this:

# ldapsearch -n -x -H ldap://ldap.project-open.net -D "cn=Manager,dc=whp,dc=fr" "uid=bbigboss" -w secret

In this example, ldap.project-open.net is your LDAP server, "bbigboss" is the username of the user and "secret" is a valid password. Note that -w always supplies the password for the DN given with -D, so the command as written verifies the password of "cn=Manager,dc=whp,dc=fr"; to verify bbigboss's own password, bind with bbigboss's full DN in -D instead. Also be aware that a password passed with -w ends up in your shell history and in the process list; for manual tests prefer -W (prompt for the password) or -y <file> (read the password from a file).

This command should return exit code 0, and its first output line should NOT contain "Invalid credentials (49)". For details please see the ldapsearch "man" page.
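The following shell function wraps the manual check described above. It is an added example, not code from the ]po[ package: it runs the same "ldapsearch -n -x" bind, but reads the password from a temporary 0600 file with -y instead of passing it with -w, binds as the user's own DN, and maps the exit code to a verdict. The server URI, DNs and password are placeholders; LDAPSEARCH is an assumed variable that lets you point the function at a test double.

```shell
#!/bin/sh
# Added example (not part of the ]po[ auth-ldap-openldap package): check a
# username/password pair the same way the package does, with "ldapsearch -n -x",
# but reading the password from a temp file (-y) instead of the command line.
# Assumptions: OpenLDAP 2.4 ldapsearch; server, DN and password values are placeholders.

LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"   # can be pointed at a test double

# ldap_check_bind URI USER_DN PASSWORD
#   Binds as USER_DN (the user's own DN, not the Manager's, since -y/-w always
#   belong to the DN given with -D). Prints a one-line verdict and returns the
#   ldapsearch exit code: 0 = bind OK, 49 = invalid credentials, anything else =
#   connection or configuration problem (see the ldapsearch man page).
ldap_check_bind() {
    uri=$1; userdn=$2; password=$3
    pwfile=$(mktemp) || return 1             # mktemp creates the file with mode 0600
    printf '%s' "$password" > "$pwfile"      # no trailing newline: -y uses the file verbatim
    # -n: show what would be done but run no search; the simple bind still happens.
    # stderr is captured for the verdict, stdout is discarded.
    if err=$("$LDAPSEARCH" -n -x -H "$uri" -D "$userdn" -y "$pwfile" \
                 -b "$userdn" -s base '(objectClass=*)' 2>&1 >/dev/null); then
        rc=0
    else
        rc=$?
    fi
    rm -f "$pwfile"                          # never leave the password on disk
    case $rc in
        0)  echo "OK: bind as $userdn succeeded" ;;
        49) echo "FAIL: invalid credentials for $userdn" ;;
        *)  echo "FAIL: ldapsearch exited $rc: $err" ;;
    esac
    return $rc
}

# Usage (placeholder values):
#   ldap_check_bind ldap://ldap.example.com "uid=bbigboss,ou=People,dc=example,dc=com" 'secret'
```

The function returns the raw ldapsearch exit code, so it can be used directly in scripts (`ldap_check_bind ... || echo "LDAP login broken"`), and exit code 49 can be distinguished from a server that is simply unreachable.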

Setup a new LDAP Authority

Once your command line works, you can setup a new OpenACS “Authentication Authority”. This object controls the authentication of users:

  • Go to Admin -> Auth Authorities (URL: /acs-admin/auth/)
  • Create a new Authority with the following values:
    • General Name: “LDAP”
    • Short Name: “LDAP”
    • Enabled: “Yes”
    • Help contact text: <empty>
    • Authentication: “LDAP”
    • Password Management: “LDAP”
    • Recover password URL: <empty>
    • Change password URL: <empty>
    • Account Registration: “--Disabled--”
    • Account registration URL: <empty>
    • User Info: “--Disabled--”
    • Batch sync enabled: “No”
    • GetDocument implementation: "--Disabled--"
    • ProcessDocument implementation: "--Disabled--"
  • Go back to the list of Authorities, click on your new Authority and choose "Configure drivers for this authority". On this page you will need to set the specific LDAP parameters, which differ between organizations:
    • UsernameAttribute: uid
    • BaseDN: cn=Manager,dc=project-open,dc=com
    • LdapURI: ldap://ldap.project-open.net/
    • PasswordHash: <empty>
    • BindDN: <empty> 

Enabling LDAP on the Login Page

Please go to Admin -> Parameters -> Kernel Parameters and set the parameter UseEmailForLoginP to 0. With "username" instead of "email" enabled for user login, the login screen will now show an additional drop-down box for the selection of the Authentication Authority.

Before testing your new login method, please go to "My Account", click on the "Edit" button of the user "Basic Information" and check the value of "Username": this is the name you will have to log in with from now on. Otherwise you may lock yourself out!

Debugging the ]project-open[ - OpenLDAP Interface

  • "Invalid user: Your authentication was successful, but your user account does not exist in our database": LDAP accepted the credentials, but the ]po[ user is not assigned to the LDAP authority. Update users.authority_id to the ID of the LDAP authority: "update users set authority_id = xxx where username = 'yyy';". You can look up the authority IDs with "select * from auth_authorities;".

For other generic debugging issues please enter:

# cd /web/projop/log
# tail -f error.log | grep ldapsearch

This command shows you only the calls to "ldapsearch". Copy & paste these lines and execute them manually on the command line in order to drill down further. Note that these lines contain the complete ldapsearch command, including any bind password passed with -w, so restrict access to the log and mask the password before you paste the lines into a ticket or forum post.
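The following shell snippet does that extraction and masking in one step. It is an added example, not part of ]po[: it filters the ldapsearch invocations out of a log and replaces the argument after -w with a placeholder before the lines are shared. The log line format in the sample is constructed for the example; the sed pattern relies only on "-w <password>" appearing in the logged command.

```shell
#!/bin/sh
# Added example (not ]po[ code): pull the ldapsearch invocations out of the
# server error log and mask the bind password before the lines are pasted into
# a ticket or forum post. The sample log lines below are constructed for the
# example; real ]po[ log lines may differ, the sed pattern only relies on
# "-w <password>" appearing in the ldapsearch command.

# redact_ldap_passwords  (stdin -> stdout)
#   Replaces the argument after -w, whether bare or double-quoted, with <redacted>.
redact_ldap_passwords() {
    sed -E 's/(-w[[:space:]]+)("[^"]*"|[^[:space:]"]+)/\1<redacted>/g'
}

# ldap_calls_from_log [LOGFILE]
#   Prints only the log lines that mention ldapsearch, password masked.
#   Reads stdin when no file is given.
ldap_calls_from_log() {
    grep -F 'ldapsearch' "${1:--}" | redact_ldap_passwords
}

# Constructed sample log (not a real ]po[ error.log):
sample_log_lines() {
    cat <<'EOF'
[01/Jan/2020:10:00:00][1.2] Notice: auth-ldap-openldap: exec: ldapsearch -n -x -H ldap://ldap.project-open.net -D "uid=bbigboss,ou=People,dc=project-open,dc=com" -w secret "uid=bbigboss"
[01/Jan/2020:10:00:01][1.2] Notice: auth-ldap-openldap: ldapsearch returned 49: Invalid credentials (49)
[01/Jan/2020:10:00:02][1.2] Notice: unrelated message
EOF
}

# Demo: on a real system use   ldap_calls_from_log /web/projop/log/error.log
sample_log_lines | ldap_calls_from_log
```

For a live session, pipe the tail into the same filter: `tail -f error.log | ldap_calls_from_log` keeps the command line you need for re-running the call but never shows the password on screen.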
