Note, this is still experimental, so it's not part of this release. It'll be rolled in as part of the ACS 4.0 release. If you're interested in helping us test this, please contact me at lars@pinds.com, and I can provide you with the patch.
Currently, We do not stuff users into the LDAP directory. If a new user is to have access to the site, he must first have an entry created in the LDAP server by some other means.
If you want to know more about what LDAP is, I've actually written up something about it.
ou=people,
dc=arsdigita, dc=com
).
This software builds on the assumption that you want all the users under the base DN to have access to this ACS installation. This is not always reasonable, but since we don't deal with authorization, you'll have to modify this yourself. We also assume that you have some other means of maintaining the information in the directory. We don't provide tools for that yet.
The login process goes like this:
Important Note: We still have the two special users system
andanonymous
around. Since their password is still checked against the password in the local database, they pose a security risk. However, they're needed for setting up the site. See the section on installation below for more info.
You might want to add other requirements. How to do that is shown in a comment inmail: email as typed in by user objectClass: inetOrgPerson
LdapLogin.sqlj
.
The attributes being retrieved and stuffed into the users table are:
LDAP attribute | Description | Column in users table |
---|---|---|
dn |
Distinguished name, the primary key of the entry | ldap_dn |
givenName |
The person's first name | first_names |
sn |
The person's last name (surname) | last_name |
mail |
The email address | email |
Again, you might want to get others. How to do this is shown in
LdapLogin.sqlj
.
There are a few Java stored procedures to handle the interfacing between ACS and the LDAP server. Here are their interfaces:
String getDnByEmail(String url, String base, String email) String bind(String url, String dn, String password, String securityMechanism) String syncUsersTable(String url, String dn)
inetOrgPerson
with a
mail
attribute that matches the email address given and
returns the DN if successful. If there's an error, the string "Error:
explanation" is returned.
ok
if the bind was successfull. If not, it
returns Error: explanation
user_id
. If it's not, it queries the LDAP server for the
givenName
, sn
and mail
attributes and puts them into the first_names
,
last_name
and email
columns of the users
table, respectively.
[ns/server/yourdomain/acs] ... ; what authentication method we use ; possible values are: internal, ldap AuthenticationMethod=ldap ... [ns/server/yourdomain/acs/ldap] ; The URL of the LDAP server, including ldap:// ServerURL=ldap://ldap.yourdomain.com ; The base DN under which all the users of this website resides BaseDN=ou=people,dc=yourdomain,dc=com ; Preferred security mechanisms seperated by space, e.g. ; simple, CRAM-MD5, DIGEST-MD5 SecurityMechanism=simple
Important Note: You must make sure you have a login process with email and password prompt on the same page, i.e. the following lines in the general section of your acs .ini file: ; use the old login process where email and password are on separate pages? SeparateEmailPasswordPagesP=0
/packages/acs-core/ldap-procs.tcl
.
ldap_dn
column in the
users
table. Here's the DDL to put it in:
alter table users add ( ldap_dn varchar(400) constraint users_ldap_dn_unq unique );
It'll give you a bunch of warnings, but it should compile nevertheless (look out for "source needs recompilation").$ cd /web/yourservice/www/register/java $ loadjava -user yourservice/password -resolve -verbose LdapLogin.sqlj
$ sqlplus yourservice/password < ldap-authentication-wrappers.sql
system
using the default password
(changeme
), and make yourself site-wide administrator
(visit /admin/ug, group type administration,
group site-wide administrators, add member).
system
and anonymous
, so people can't log in
as those.