This is a step-by-step guide to using LDAP for external authentication with the LDAP bind command, which differs from the approach usually taken by auth-ldap. Both approaches are covered in this section.
Install OpenLDAP. Download and install OpenLDAP. ns_ldap only needs the client library, so the server (slapd) can be left out with --disable-slapd. 2.2.17 is the release the original guide used; it is long unsupported, so pick a current release and adjust the file name accordingly.

[root aolserver]# cd /usr/local/src/
[root src]# wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.2.17.tgz
[root src]# tar xvfz openldap-2.2.17.tgz
[root src]# cd openldap-2.2.17
[root openldap-2.2.17]# ./configure --prefix=/usr/local/openldap --disable-slapd
[root openldap-2.2.17]# make install
Install ns_ldap. Download and install ns_ldap, building it against the OpenLDAP installed in the previous step (LDAP=) and into the AOLserver installation (INST=):

[root aolserver]# cd /usr/local/src/aolserver/
[root aolserver]# wget http://www.sussdorff.de/ressources/nsldap.tgz
[root aolserver]# tar xfz nsldap.tgz
[root aolserver]# cd nsldap
[root nsldap]# make install LDAP=/usr/local/openldap INST=/usr/local/aolserver
Configure ns_ldap for traditional use. Traditionally OpenACS has supported ns_ldap for authentication by storing the OpenACS password, in hashed form, in the userPassword attribute of the user's LDAP entry. A CN attribute (usually userID or something similar) is used to search for the user; this attribute is identical to the username stored in OpenACS. Therefore login will only work if you change the login method to use the username instead of the e-mail address.
Change config.tcl. Remove the # in front of

    ns_param nsldap ${bindir}/nsldap.so

to enable the loading of the ns_ldap module.
Configure ns_ldap for use with LDAP bind. LDAP authentication is usually done by trying to bind (that is, log in) to the LDAP server as the user with the supplied password. The directory verifies the password itself; the application never reads the userPassword attribute and never keeps a copy of the password. The latest version of ns_ldap supports this method with the ns_ldap bind command. All you have to do to enable it is to configure auth_ldap to use BIND authentication instead. Alternatively you can write a small script that computes the user's DN from the given input (e.g. if the OpenACS username is malte.fb03.tu, the LDAP request can be translated into "ou=malte,ou=fb03,o=tu"; this example is already in auth_ldap and you just have to uncomment it to use it). Two checks matter with the bind approach: reject an empty password before binding, because a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that many directories accept, and talk to the directory over LDAPS or StartTLS, since a plain simple bind sends the password in clear text.
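As an added example (not code from this page, ns_ldap or auth_ldap), the following Python script shows the two pieces the bind approach consists of: translating the OpenACS username into the directory DN, with RFC 4514 escaping so a crafted username cannot rewrite the DN, and the LDAPv3 simple-bind exchange itself, encoded and decoded by hand with only the standard library so it runs without an LDAP client library. The DN layout ou=...,ou=...,o=... follows the page's malte.fb03.tu example and is an assumption about the directory; the sample response bytes are constructed, not captured. The script also refuses an empty password before sending anything, since an empty-password simple bind is an unauthenticated bind that many directories accept.

```python
# Added example (not OpenACS or ns_ldap code): map an OpenACS-style username
# to an LDAP DN and perform an LDAPv3 simple bind with only the standard
# library. The DN layout (ou=...,ou=...,o=...) mirrors the page's example and
# is an assumption about the directory, not a general rule.
import socket
import ssl


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(n):
    """Non-negative INTEGER; the extra leading byte keeps the sign bit clear."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4),
    so a username like 'a,ou=admin' cannot change the DN structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def username_to_dn(username):
    """'malte.fb03.tu' -> 'ou=malte,ou=fb03,o=tu' (layout is an assumption)."""
    parts = username.split(".")
    if len(parts) < 2 or "" in parts:
        raise ValueError("username needs at least two non-empty dot-separated parts")
    rdns = ["ou=" + escape_rdn_value(p) for p in parts[:-1]]
    rdns.append("o=" + escape_rdn_value(parts[-1]))
    return ",".join(rdns)


def password_is_bindable(password):
    """A simple bind with a DN and an empty password is an unauthenticated bind
    (RFC 4513, section 5.1.2) that many servers accept; never send it."""
    return bool(password)


def build_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    if not password_is_bindable(password):
        raise ValueError("refusing empty password: it would be an unauthenticated bind")
    bind = _tlv(0x60, _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _ber_int(message_id) + bind)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return messageID, resultCode and diagnostic text of a BindResponse (tag 0x61)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


def ldap_simple_bind(host, username, password, port=636, use_tls=True, timeout=5):
    """True iff the directory accepts the credentials (resultCode 0).
    Plain LDAP on 389 sends the password in clear text; keep use_tls=True."""
    req = build_bind_request(1, username_to_dn(username), password)
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    try:
        sock.sendall(req)
        data = sock.recv(4096)  # a BindResponse is small; one read is assumed to suffice
    finally:
        sock.close()
    resp = parse_bind_response(data)
    return resp["message_id"] == 1 and resp["result_code"] == 0


# Constructed sample responses (not captured from a real server):
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")  # resultCode 0 (success)
SAMPLE_INVALID = bytes.fromhex("300c02010261070a013104000400")  # resultCode 49 (invalidCredentials)

if __name__ == "__main__":
    print(username_to_dn("malte.fb03.tu"))
    print(parse_bind_response(SAMPLE_SUCCESS), parse_bind_response(SAMPLE_INVALID))
```

In the real deployment ns_ldap performs the bind from Tcl via the ns_ldap bind command; this script only makes visible what that command sends and what an accepted or rejected answer looks like on the wire, and which two checks (escaped DN, non-empty password) belong in front of it.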