By Malte Sussdorff

This is a step-by-step guide on how to use LDAP for external authentication using the LDAP bind command, which differs from the approach usually taken by auth-ldap. Both approaches are dealt with in this section.
Install OpenLDAP. Download and install the OpenLDAP client library and tools. The --disable-slapd option skips building the directory server itself, which is not needed here: ns_ldap only links against the client library.

    cd /usr/local/src/
    wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.2.17.tgz
    tar xvfz openldap-2.2.17.tgz
    cd openldap-2.2.17
    ./configure --prefix=/usr/local/openldap --disable-slapd
    make install
Install ns_ldap. Download and install the ns_ldap module, building it against the OpenLDAP installation from the previous step and installing it into the AOLserver tree:

    cd /usr/local/src/aolserver/
    wget http://www.sussdorff.de/resources/nsldap.tgz
    tar xfz nsldap.tgz
    cd nsldap
    make install LDAP=/usr/local/openldap INST=/usr/local/aolserver
Configure ns_ldap for traditional use. Traditionally OpenACS has supported ns_ldap for authentication by storing the (hashed) OpenACS password in the LDAP attribute userPassword. Furthermore a CN field was used for searching for the username, usually userID or something similar. This field is identical to the username stored in OpenACS. Therefore the login will only work if you change the login method to make use of the username instead of the e-mail address.

Change config.tcl. Remove the # in front of

    ns_param nsldap ${bindir}/nsldap.so

to enable the loading of the ns_ldap module.
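The following script is an added example and is not part of the OpenACS documentation or the ns_ldap distribution. It performs the config.tcl edit from this step and then checks two things a restart would otherwise reveal the hard way: that the ns_param line is really active, and that the nsldap.so the line points at was actually installed by the make install above. The config.tcl fragment it runs against is constructed for the demonstration, and the bin directory path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the OpenACS documentation: enable the nsldap
# module in an AOLserver config.tcl and verify that both the configuration
# and the installed module file are in place. Paths are assumptions; the
# sample config.tcl below is constructed for the demonstration.
set -e

# enable_nsldap CONFIG: strip the leading '#' from the
# "ns_param nsldap ${bindir}/nsldap.so" line. A line that is already active
# is left untouched, so the edit is safe to re-run. A .bak copy is kept.
enable_nsldap() {
    sed -i.bak 's/^[[:space:]]*#[[:space:]]*\(ns_param[[:space:]]\{1,\}nsldap[[:space:]]\)/\1/' "$1"
}

# nsldap_enabled CONFIG: succeed only if an active (uncommented) nsldap
# ns_param line is present.
nsldap_enabled() {
    grep -q '^[[:space:]]*ns_param[[:space:]]\{1,\}nsldap[[:space:]]' "$1"
}

# module_present BINDIR: succeed if nsldap.so exists in BINDIR
# (make install ... INST=/usr/local/aolserver puts it in its bin directory).
module_present() {
    [ -f "$1/nsldap.so" ]
}

# make_sample_config FILE: constructed fragment of a config.tcl modules
# section, with nsldap commented out as shipped.
make_sample_config() {
    cat > "$1" <<'EOF'
ns_section ns/server/${server}/modules
ns_param   nssock          ${bindir}/nssock.so
#ns_param   nsldap          ${bindir}/nsldap.so
ns_param   nscgi           ${bindir}/nscgi.so
EOF
}

# check_setup CONFIG BINDIR: enable the module in CONFIG and report whether
# the configuration and the installed module agree. Returns 0 only if both
# are in place.
check_setup() {
    cfg=$1; bindir=$2
    nsldap_enabled "$cfg" || enable_nsldap "$cfg"
    nsldap_enabled "$cfg" || { echo "no nsldap ns_param line in $cfg" >&2; return 1; }
    module_present "$bindir" || { echo "$bindir/nsldap.so missing: run make install" >&2; return 1; }
    echo "nsldap enabled in $cfg and present in $bindir"
}

# Demo on a constructed config and a throw-away bin directory.
demo() {
    tmpdir=$(mktemp -d)
    make_sample_config "$tmpdir/config.tcl"
    mkdir "$tmpdir/bin"; : > "$tmpdir/bin/nsldap.so"   # stand-in for the built module
    check_setup "$tmpdir/config.tcl" "$tmpdir/bin"
    rm -rf "$tmpdir"
}
demo
```

For a real installation call check_setup with the server's config.tcl and the bin directory under the INST path given to make install (/usr/local/aolserver/bin for the command above). The sed edit is idempotent, so it is safe to re-run, and the .bak copy it leaves behind lets you diff the change before restarting the server.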
Configure ns_ldap for use with LDAP bind. LDAP authentication is usually done by trying to bind (that is, log in) to the LDAP server as the user. With this method the application never reads the user's password out of the directory: the password stays in the LDAP server and is verified by the server itself during the bind. The latest version of ns_ldap supports this method with the ns_ldap bind command. All you have to do to enable it is to configure auth_ldap to make use of BIND authentication instead. Alternatively you can write a small script that derives the bind DN from the given username (e.g. if the OpenACS username is malte.fb03.tu, the LDAP request can be translated into "ou=malte,ou=fb03,o=tu"); this example is already included in auth_ldap and you just have to uncomment it to make use of it.
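The following script is an added example, not code from OpenACS, auth_ldap or ns_ldap. It generalises the username-to-DN mapping described above (every dot-separated component except the last becomes an ou= RDN and the last becomes o=; that generalisation is an assumption), escapes the username before it is placed in a DN or a search filter, and then performs the bind check with ldapwhoami from the OpenLDAP client tools built above, beside a search for userPassword in the traditional style. The server URI, search base, naming attribute and service-account variables are assumptions.

```shell
#!/bin/sh
# Added example; not code from OpenACS, auth_ldap or ns_ldap.
# Maps an OpenACS username to a bind DN, escapes it, and authenticates with
# a real LDAP simple bind via ldapwhoami from the OpenLDAP client tools.
# Assumptions: server URI, search base, naming attribute (cn), service
# account variables, and the mapping rule beyond the documented example.
set -e

LDAPURI=${LDAPURI:-ldap://localhost:389}   # assumed; override in the environment
LDAPBASE=${LDAPBASE:-o=tu}                 # assumed search base for the old method
PATH=/usr/local/openldap/bin:$PATH         # where the --disable-slapd build put the tools

# dn_escape VALUE: escape the characters that are special inside a DN
# attribute value (RFC 4514), so a username like 'x,ou=admin' cannot
# smuggle an extra RDN into the DN we bind as.
dn_escape() {
    printf '%s' "$1" | sed -e 's/[\\,+"<>;=]/\\&/g' -e 's/^#/\\#/' \
                           -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# filter_escape VALUE: escape the characters that are special inside a
# search filter (RFC 4515), so 'malte)(objectClass=*' cannot widen a search.
filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# username_to_dn USERNAME: "malte.fb03.tu" -> "ou=malte,ou=fb03,o=tu".
# Every dot-separated component except the last becomes an ou= RDN and the
# last becomes o= (assumed generalisation of the single example in the
# text). Names with no dot, a leading or trailing dot, or an empty component
# are rejected so the result never contains an empty RDN.
username_to_dn() {
    u=$1
    case "$u" in
        ""|.*|*.|*..*) echo "username_to_dn: malformed username '$u'" >&2; return 1 ;;
        *.*) ;;
        *) echo "username_to_dn: '$u' has no organisation component" >&2; return 1 ;;
    esac
    dn=""
    rest=$u
    while [ "${rest#*.}" != "$rest" ]; do
        part=${rest%%.*}
        rest=${rest#*.}
        dn="${dn}ou=$(dn_escape "$part"),"
    done
    printf '%s\n' "${dn}o=$(dn_escape "$rest")"
}

# ldap_bind_check USERNAME PASSWORD: the bind method. The directory verifies
# the password itself; the application never reads a userPassword value.
# Exit status 0 means the bind succeeded; ldapwhoami exits with the LDAP
# result code otherwise (49 = invalidCredentials). -x selects a simple bind,
# -D the bind DN, -w the password (visible in the process list; use -W to
# prompt or -y FILE outside a demo).
ldap_bind_check() {
    dn=$(username_to_dn "$1") || return 1
    ldapwhoami -x -H "$LDAPURI" -D "$dn" -w "$2" >/dev/null 2>&1
}

# traditional_lookup USERNAME: the approach the text calls "traditional".
# The application searches for the entry by a naming attribute and reads
# its userPassword hash to compare it itself, so the service account it
# binds with must be allowed to read everyone's password hashes; the bind
# method needs no such privilege. The filter value is escaped to prevent
# LDAP filter injection.
traditional_lookup() {
    ldapsearch -x -H "$LDAPURI" -LLL -b "$LDAPBASE" \
        -D "${LDAPSVCDN:?service bind DN required}" \
        -w "${LDAPSVCPW:?service password required}" \
        "(cn=$(filter_escape "$1"))" userPassword
}

# Usage: sh ldap-bind-check.sh USERNAME PASSWORD   (file name assumed)
if [ $# -eq 2 ]; then
    if ldap_bind_check "$1" "$2"; then
        echo "bind as $(username_to_dn "$1") succeeded"
    else
        echo "bind failed for $1" >&2
        exit 1
    fi
fi
```

Run it as sh ldap-bind-check.sh malte.fb03.tu 'secret' against a reachable directory; without a server the mapping and escaping functions still work on their own. The escaping is the point a bare mapping script misses: an unescaped username such as x,ou=admin.tu would otherwise become ou=x,ou=admin,o=tu, a different entry from the one the username names, and a filter value such as malte)(objectClass=* would widen a search in the traditional lookup.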