Index: openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.adp,v diff -u -N -r1.1.2.3 -r1.1.2.4 --- openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.adp 1 Dec 2015 11:17:38 -0000 1.1.2.3 +++ openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.adp 5 Jul 2016 08:47:51 -0000 1.1.2.4 @@ -54,8 +54,8 @@ </sourcedid> </person> </enterprise> -

A snapshot file is similar but doesn't have recstatus, since -it's not a delta but a list of valid records. See the larger +

A snapshot file is similar but doesn't have recstatus, since +it's not a delta but a list of valid records. See the larger example in the design document for more details.

(More information: the section called “IMS Sync driver design”, The IMS 1.1 spec)
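Review bot: this hunk changes only the line wrapping of the snapshot-file paragraph (the removed and added lines carry the same words). A reflow-only regeneration of the generated .adp is fine, but the commit should say so, and the typos preserved later in this patch (for example "depreciated", "sAMAccountNMame", "disabed", "interrfaces") should be fixed in the XML sources in the same pass, otherwise the next regeneration keeps reintroducing them.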

Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.adp,v diff -u -N -r1.1.2.3 -r1.1.2.4 --- openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.adp 9 Jun 2016 13:03:11 -0000 1.1.2.3 +++ openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.adp 5 Jul 2016 08:47:51 -0000 1.1.2.4 @@ -11,45 +11,45 @@ Using LDAP/Active Directory with OpenACS
by John Sequeira, Michael Steigman, and Carl Blesius. OpenACS docs are written by the named authors, and may be edited by OpenACS documentation staff.

-ToDo: Add/verify information on on-demand sync, -account registration, and batch synchronization. Add section on -ldapsearch.

-Overview. You do not want to make users remember yet -another password and username. If you can avoid it you do not want -to store their passwords either. This document should help you set -your system up so your users can seamlessly log in to your OpenACS -instance using the password they are accustomed to using for other -things at your institution.

-Background. The original OpenACS LDAP implementation -(which has been depreciated by this package) treated the LDAP -server as another data store similar to Oracle or Postgresql. It -opened a connection using a priveleged account and read or stored -an encrypted password for the user in question. This password was -independent of the user's operating system or network account, and -had to be synchronized if you wanted the same password for -OpenACS.Save their passwords? Sync passwords? Deal with forgotten -password requests? No Thanks. Using ldap bind, you can delegate -authentication completely to LDAP. This way you can let the IT -department (if you are lucky) worry about password +ToDo: Add/verify information on on-demand +sync, account registration, and batch synchronization. Add section +on ldapsearch.

+Overview. You do not want to make users +remember yet another password and username. If you can avoid it you +do not want to store their passwords either. This document should +help you set your system up so your users can seamlessly log in to +your OpenACS instance using the password they are accustomed to +using for other things at your institution.

+Background. The original OpenACS LDAP +implementation (which has been depreciated by this package) treated +the LDAP server as another data store similar to Oracle or +Postgresql. It opened a connection using a priveleged account and +read or stored an encrypted password for the user in question. This +password was independent of the user's operating system or +network account, and had to be synchronized if you wanted the same +password for OpenACS.Save their passwords? Sync passwords? Deal +with forgotten password requests? No Thanks. Using ldap bind, you +can delegate authentication completely to LDAP. This way you can +let the IT department (if you are lucky) worry about password storage/synchronization/etc. The bind operation takes a username and password and returns a true of false depending on whether they -match up. This document takes the 'bind' approach so that your -users LDAP/AD password (or whatever else you use) can be used to -login to OpenACS.

-Note on Account Creation. On the authentication -driver configure screens, you will also see lots of options for -synchronizing users between your directory and OpenACS. This -document takes the approach of provisioning users on demand instead -of ahead-of-time. This means that when they attempt to login to -OpenACS, if they have a valid Windows account, we'll create an -account for them in OpenACS and log them in.

    +match up. This document takes the 'bind' approach so that +your users LDAP/AD password (or whatever else you use) can be used +to login to OpenACS.

    +Note on Account Creation. On the +authentication driver configure screens, you will also see lots of +options for synchronizing users between your directory and OpenACS. +This document takes the approach of provisioning users on demand +instead of ahead-of-time. This means that when they attempt to +login to OpenACS, if they have a valid Windows account, we'll +create an account for them in OpenACS and log them in.

    1. Installing AOLserver LDAP support -(openldap and nsldap). Install openldap and nsldap using -the document Malte created Next, modify your -config.tcl file as directed in the nsldap README. Here's what the -relevant additions should look like:

      
      +(openldap and nsldap). Install openldap and nsldap
      +using the document Malte created Next, modify your config.tcl
      +file as directed in the nsldap README. Here's what the relevant
      +additions should look like:

      
       # LDAP authentication
       ns_param   nsldap             ${bindir}/nsldap.so
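Review bot: the Background sentence "The bind operation takes a username and password and returns a true of false depending on whether they match up" understates a known pitfall for the bind approach this document recommends: an LDAP simple bind with a DN and an empty password is an unauthenticated bind that some directories, Active Directory by default among them, answer with success (RFC 4513 section 5.1.2). Since step 3 has readers hand-patch auth-ldap-procs.tcl to authenticate by bind, the doc should tell them to reject empty or whitespace-only passwords before calling bind. The "Note on Account Creation" also deserves one sentence saying that on-demand provisioning means every directory account that can bind under the configured BaseDN becomes an OpenACS user, so the BaseDN is the only thing limiting who gets an account. Still unfixed in this reflow: "depreciated" (deprecated), "priveleged" (privileged), "true of false" (true or false), and the missing space in "OpenACS.Save their passwords?".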
       
      @@ -76,29 +76,29 @@
       [10/Jan/2006:11:11:08][22553.3076437088][-main-] Debug: nsldap: Registering LDAPCheckPools (600)
           
    2. -auth-ldap + driver installation. Next, visit the -software installation page in acs-admin and install the auth-ldap -package. Your OpenACS installation now has all the code required to -authenticate using nsldap, so now you need to configure your site's -authentication to take advantage of it. To add the authentication -driver to your OpenACS instance, go to: Main Site, Site-Wide -Administration, and then AuthenticationHere's some sample -Authentication Driver values:Name=Active Directory, Short Name=AD, -Enabled=Yes, Authentication=LDAP, Password Management=LDAPYou may -wish to push this new authority to the top of the list so it will -become the default for users on the login screen.Next, you have to -configure the authentication driver parameters by going to: Main -Site, Site-Wide Administration, Authentication, Active Directory, -and then ConfigureParameters that match our example will look -like:UsernameAttribute=sAMAccountNMame, BaseDN= -cn=Users,dc=mydomain,dc=com, +auth-ldap + driver installation. Next, +visit the software installation page in acs-admin and install the +auth-ldap package. Your OpenACS installation now has all the code +required to authenticate using nsldap, so now you need to configure +your site's authentication to take advantage of it. 
To add the +authentication driver to your OpenACS instance, go to: Main Site, +Site-Wide Administration, and then AuthenticationHere's some +sample Authentication Driver values:Name=Active Directory, Short +Name=AD, Enabled=Yes, Authentication=LDAP, Password +Management=LDAPYou may wish to push this new authority to the top +of the list so it will become the default for users on the login +screen.Next, you have to configure the authentication driver +parameters by going to: Main Site, Site-Wide Administration, +Authentication, Active Directory, and then ConfigureParameters that +match our example will look like:UsernameAttribute=sAMAccountNMame, +BaseDN= cn=Users,dc=mydomain,dc=com, InfoAttributeMap=first_names=givenName;last_name=sn;email=mail, PasswordHash=N/A

    3. -Code Tweaks for Bind. Bind-style authentication is -not supported via configuration parameters, so we will have to -modify the tcl authentication routine to provide this -behavior.You'll have to modify the existing +Code Tweaks for Bind. Bind-style +authentication is not supported via configuration parameters, so we +will have to modify the tcl authentication routine to provide this +behavior.You'll have to modify the existing ./packages/auth-ldap/tcl/auth-ldap-procs.tcl file to support bind authentication.First toggle ldap bind support.Change this:

      
       # LDAP bind based authentication ?
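Review bot: in the sample driver parameters, "UsernameAttribute=sAMAccountNMame" is a typo for sAMAccountName; the reflow preserved it, and a reader who pastes the line gets lookups against an attribute that does not exist, so every login fails. Fix it in the XML source. The step 2 text also lost its paragraph breaks ("AuthenticationHere's", "LDAPYou may wish", "ConfigureParameters"), which hides the admin navigation path. For step 3, the doc tells readers to edit ./packages/auth-ldap/tcl/auth-ldap-procs.tcl in place; it should warn that a local change to a package file is overwritten on the next package upgrade, since that silently turns bind authentication back off.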
      @@ -130,17 +130,18 @@
           

    -Troubleshooting. If you're having trouble figuring -out some the values for the ldapm, see this useful page on setting up Active Directory integration with Bugzilla. -It explains how distinguished names are defined in Active -Directory, and how to test that you have the correct values for -connectivity and base DN using the OpenLDAP command-line utility -ldapsearch.John had an issue where nsldap was not loading because -AOLServer couldn't find the openldap client libraries, but he was -able to fix it by adding the openldap libraries to his +Troubleshooting. If you're having +trouble figuring out some the values for the ldapm, see this useful +page on setting up Active Directory integration with +Bugzilla. It explains how distinguished names are defined in +Active Directory, and how to test that you have the correct values +for connectivity and base DN using the OpenLDAP command-line +utility ldapsearch.John had an issue where nsldap was not loading +because AOLServer couldn't find the openldap client libraries, +but he was able to fix it by adding the openldap libraries to his LD_LIBRARY_PATH (e.g. /usr/local/openldap/lib)

    -Credits. Thanks to Malte Sussdorf for his help and -the Laboratory of Computer Science at Massachusetts General +Credits. Thanks to Malte Sussdorf for his +help and the Laboratory of Computer Science at Massachusetts General Hospital for underwriting this work.
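Review bot: "some the values for the ldapm" in the Troubleshooting paragraph is garbled (some of the values for the LDAP parameters?) and survived the reflow. On the LD_LIBRARY_PATH fix: for a daemon the variable has to be exported in the AOLserver start script or init environment, not in an interactive shell, and the durable fix is adding the OpenLDAP lib directory to ld.so.conf and running ldconfig; the note currently reads as if setting it once is enough.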

  1. -Add PAM support to AOLserver. OpenACS supports PAM -support via the PAM AOLserver module. PAM is system of modular -support, and can provide local (unix password), RADIUS, LDAP -(more information), and other forms of +Add PAM support to AOLserver. OpenACS +supports PAM support via the PAM AOLserver module. PAM is system of +modular support, and can provide local (unix password), RADIUS, +LDAP (more information), and other forms of authentication. Note that due to security issues, the AOLserver PAM module cannot be used for local password authentication.

    1. -Compile and -install ns_pam. Download the tarball to /tmp.

      Debian users: first do apt-get +Compile +and install ns_pam. Download the tarball to /tmp.

      Debian users: first do apt-get install libpam-dev

       [root\@yourserver root]# cd /usr/local/src/aolserver
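Review bot: this region has no Index:/RCS/@@ header in the patch as shown, so the PAM text cannot be attributed to a file from here; the patch as extracted is incomplete at this point. On content, "due to security issues, the AOLserver PAM module cannot be used for local password authentication" should say what the issue is: verifying a local password through pam_unix needs read access to /etc/shadow (root, or the setuid unix_chkpwd helper), which an nsd running as an unprivileged user does not have, so local authentication would fail or require running the server as root. Also "PAM is system of modular support" is missing "a".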
      @@ -52,13 +52,13 @@
       
    2. -Set up a PAM domain. A PAM domain is a set of rules -for granting privileges based on other programs. Each instance of -AOLserver uses a domain; different aolserver instances can use the -same domain but one AOLserver instance cannot use two domains. The -domain describes which intermediate programs will be used to check -permissions. You may need to install software to perform new types -of authentication.

        +Set up a PAM domain. A PAM domain is a set +of rules for granting privileges based on other programs. Each +instance of AOLserver uses a domain; different aolserver instances +can use the same domain but one AOLserver instance cannot use two +domains. The domain describes which intermediate programs will be +used to check permissions. You may need to install software to +perform new types of authentication.

        • RADIUS in PAM. 
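Review bot: "A PAM domain" here is PAM's service name, i.e. the file /etc/pam.d/<domain> (or a stanza in /etc/pam.conf) listing the modules consulted; saying so would make "different aolserver instances can use the same domain but one AOLserver instance cannot use two domains" concrete, since it is simply the one service name nspam is configured with. Worth adding that the service file must be writable by root only, because whoever can edit it decides who this authority accepts.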

          1. @@ -113,17 +113,19 @@
        • -Install auth-pam OpenACS service package. Installauth-pam and restart the server.

        • +Install auth-pam OpenACS service +package. Installauth-pam and +restart the server.

        • Create an OpenACS authority. OpenACS supports multiple authentication -authorities. The OpenACS server itself is the "Local Authority," -used by default.

            +authorities. The OpenACS server itself is the "Local +Authority," used by default.

            1. Browse to the authentication administration page, http://yourserver/acs-admin/auth/ . Create and name an authority (in the sitewide admin UI)

            2. Set Authentication to PAM.

            3. If the PAM domain defines a password command, you can set Password -Management to PAM. If not, the PAM module cannot change the user's -password and you should leave this option Disabled.

            4. Leave Account Registration disabed.

            5. Configure Batch +Management to PAM. If not, the PAM module cannot change the +user's password and you should leave this option Disabled.

            6. Leave Account Registration disabed.

            7. Configure Batch Synchronization

            Index: openacs-4/packages/acs-authentication/www/doc/ims-sync-driver-design.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ims-sync-driver-design.adp,v diff -u -N -r1.1.2.3 -r1.1.2.4 --- openacs-4/packages/acs-authentication/www/doc/ims-sync-driver-design.adp 1 Dec 2015 11:17:38 -0000 1.1.2.3 +++ openacs-4/packages/acs-authentication/www/doc/ims-sync-driver-design.adp 5 Jul 2016 08:47:51 -0000 1.1.2.4 @@ -13,9 +13,9 @@ authors, and may be edited by OpenACS documentation staff.

          TODO

          We need examples of how the communication would be done from our -clients.

          The "GetDocument" communications service contract could be a -generic system-wide service contract.

          We might need a source/ID column in the users table to identify -where they're imported from for doing updates, particularly if +clients.

          The "GetDocument" communications service contract +could be a generic system-wide service contract.

          We might need a source/ID column in the users table to identify +where they're imported from for doing updates, particularly if importing from multiple sources (or when some users are local.)

          @@ -24,10 +24,11 @@
        • We will parse a document in the IMS Enterprise Specification format (example XML document), and translate it into calls to the batch user sync API.

        • The document will contain either the complete user listitemst -(IMS: "snapshot"), or an incremental user listitemst (IMS: "Event -Driven" -- contains only adds, edits, and deletes). You could for -example do a complete transfer once a month, and incrementals every -night. The invocation should decide which type is returned.

        • +(IMS: "snapshot"), or an incremental user listitemst +(IMS: "Event Driven" -- contains only adds, edits, and +deletes). You could for example do a complete transfer once a +month, and incrementals every night. The invocation should decide +which type is returned.

    The design should favor interoperability, reliability and robustness.

     <enterprise>
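Review bot: "user listitemst" (twice) is a generation artifact, most likely a stray listitem tag around the word "list" in the XML source; fixing the .adp alone is undone by the next regeneration. On substance, "The invocation should decide which type is returned" leaves open who decides, OpenACS when it requests or the source when it answers. And if processing a snapshot removes users absent from the document (the natural reading of "the complete user list"), the design should say how a truncated snapshot, for example from a failed transfer, is told apart from a legitimately smaller one, otherwise a partial file mass-removes accounts.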
    @@ -148,9 +149,10 @@
     

    Mandatory fields which we can rely on are:

    1. sourcedid: ID as defined by the source system. Used for username.

    2. name.fn (formatted name). Used for first_names, last_name

    3. -

    Note that we require 'email' attribute, but the IMS Enterprise -spec does not. Hence, unless we change our data model to allow -users without an email address, we will have to throw an error.

    Here's how we map IMS enterprise to OpenACS tables.

      +

    Note that we require 'email' attribute, but the IMS +Enterprise spec does not. Hence, unless we change our data model to +allow users without an email address, we will have to throw an +error.

    Here's how we map IMS enterprise to OpenACS tables.

    1. username:
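Review bot: item 3 of "Mandatory fields which we can rely on" is empty in both the old and new text ("3. -" / "+"), so the generated list carries a blank entry; either the item was lost in the XML source or it should be dropped. Given that the next paragraph says email is required by OpenACS but not mandatory in IMS Enterprise, this is probably where email was meant to be stated as a local requirement rather than a reliable field. Also, "name.fn (formatted name). Used for first_names, last_name" implies splitting one formatted string into two fields; the doc should say how and that it is heuristic, or prefer the structured name elements the spec also defines. And "we will have to throw an error" should be per record rather than per document, so one user without an email address does not abort a nightly sync.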

      1. <userid> ... @@ -192,8 +194,8 @@ article says that IMS Enterprise 1.1 (current version) does not address the communication model, which is critically missing for real seamless interoperability. IMS Enterprise 2.0 will address -this, but Blackboard, who's influential in the IMS committee, is -adopting OKI's programming interrfaces for this.

      2. IMS and OKI, the wire and the socket

      3. +this, but Blackboard, who's influential in the IMS committee, +is adopting OKI's programming interrfaces for this.

      4. IMS and OKI, the wire and the socket
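Review bot: "interrfaces" (interfaces) survived the reflow. More important for this design: the hunk records that IMS Enterprise 1.1 "does not address the communication model", which is exactly where authentication of the sync source lives. Since the spec says nothing about how the document is fetched, the design's GetDocument contract must state how the source is authenticated and the transfer protected, because the user list with its adds, edits and deletes is an account-management channel; whoever can supply a document controls every synced account. "IMS Enterprise 2.0 will address this" is also dated and reads as a prediction from when 1.1 was current.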