| Prev | Next |
Table of Contents
Table of Contents
+
by Joel Aufrecht
OpenACS docs are written by the named authors, and may be edited
by OpenACS documentation staff.
Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html,v
diff -u -r1.2 -r1.3
--- openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html 14 Oct 2003 09:54:26 -0000 1.2
+++ openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html 20 Oct 2003 15:44:31 -0000 1.3
@@ -1 +1 @@
-
...
Installing AOLserver LDAP support.�Forthcoming. (more information)
Install auth-ldap OpenACS service package.�Install auth-ldap and restart the server.
...
Installing AOLserver LDAP support.�Forthcoming. (more information)
Install auth-ldap OpenACS service package.�Install auth-ldap and restart the server.
cd /usr/local/src/aolserver
tar xzf /tmp/ns_pam-0.1.tar.gz
cd nspam
make
-cp nspam.so /usr/local/aolserver/binSet up a PAM domain.�A PAM domain is a set of rules for granting +make install
Set up a PAM domain.�A PAM domain is a set of rules for granting privileges based on other programs. Each instance of AOLserver uses a domain; different aolserver instances can use the same domain but one AOLserver instance @@ -49,7 +49,13 @@ tar xf /tmp/pam_radius-1.3.16.tar cd pam_radius-1.3.16 make -cp pam_radius_auth.so /lib/security/pam_radius_auth.so
Debian users: apt-get install libpam-radius-auth
Set up the PAM domain by creating the file +cp pam_radius_auth.so /lib/security/pam_radius_auth.so
Debian users: apt-get install libpam-radius-auth
Set up the PAM domain. Recent PAM + distributions have a different file for each domain, + all in /etc/pam.d. + Previous PAM setups put all domain configuration lines + into a single file, + /etc/pam.conf. On + Red Hat, create the file /etc/pam.d/service0 with these contents:
auth sufficient /lib/security/pam_radius_auth.so
Modify the AOLserver configuration file to use @@ -58,25 +64,5 @@ The OpenACS server itself is the "Local Authority," used by default.
Browse to the authentication administration page, http://yourserver/acs-admin/auth/. - Create and name an authority (in the sitewide admin UI)
Set Authentication to PAM.
If the PAM module contains a password command, you can set Password Management to PAM. If not, the PAM module cannot change the user's password and you should leave this option Disabled.
Leave Account Registration disabed.
Set Batch sync enabled to Yes. Set GetDocumentImplementation to HTTP GET. Set ProcessDocumentImplementation to IMS Enterprise 1.1. These settings will cause OpenACS to attempt to retrieve via HTTP a list of users in XML format from a location we will specify in a few steps.
Click OK.
On the next page, click Configure on the GetDocument Implementation line.
Enter the IncrementalURL and SnapshotURL. These are the URLs which the external Authority will supply with XML files in IMS Enterprise 1.1 format.
Configure your Authority (RADIUS server, etc) to supply XML files to the URLs IncrementalURL and SnapshotURL
-<enterprise> - <person recstatus = "1"> added person - <sourcedid> - <id>[username]</id> - </sourcedid> - <name> - <family>[last_name]</family> - <given>[first_names]</given> - </name> - <email>[email]</email> - <url>[homepage_url]</url> - </person> - <person recstatus = "2"> modified person - ... - </person> - <person recstatus = "3"> deleted person - <sourcedid> - <id>LL1</id> only requires username - </sourcedid> - </person> -</enterprise>
(More information: Section�, “IMS Sync driver design”, The IMS 1.1 spec)
Set Authentication to PAM.
If the PAM domain defines a password command, you can set Password Management to PAM. If not, the PAM module cannot change the user's password and you should leave this option Disabled.
Leave Account Registration disabed.
We need examples of how the communication would be done from our clients.
The "GetDocument" communications service contract could be a generic system-wide service contract.
We might need a source/ID column in the users table to identify where they're imported from for doing updates, particularly if -importing from multiple sources (or when some users are local.)
We will parse a document in the IMS Enterprise +importing from multiple sources (or when some users are local.)
We will parse a document in the IMS Enterprise Specification format (example XML document), and translate it into calls to the batch user sync API.
The document will contain either the complete user listitemst (IMS: @@ -135,7 +135,7 @@ <photo imgtype="gif"><extref>...</extref></photo> if present: HTTP GET the photo, insert it into the system. (Do we do this, then, with all users when doing a snapshot update?) -
Consolidation before the leap; IMS Enterprise 1.1: This article says that IMS Enterprise 1.1 (current version) does not address the communication model, which is critically missing for real seamless Index: openacs-4/packages/acs-authentication/www/doc/index.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/index.html,v diff -u -r1.2 -r1.3 --- openacs-4/packages/acs-authentication/www/doc/index.html 14 Oct 2003 09:54:26 -0000 1.2 +++ openacs-4/packages/acs-authentication/www/doc/index.html 20 Oct 2003 15:44:31 -0000 1.3 @@ -1 +1 @@ -