Browse to the authentication administration page, http://yourserver/acs-admin/auth/ - and choose an authority for + and choose an authority for batch sync.
Set Batch sync enabled to Yes. Set GetDocument Implementation to HTTP GET. Set ProcessDocument Implementation to IMS Enterprise 1.1. These settings will cause OpenACS to attempt to retrieve via HTTP a list of users in XML format from a location we will specify in a -few steps.
Click OK.
On the next page, click Configure on the GetDocument Implementation +few steps.
Click OK.
On the next page, click Configure on the GetDocument Implementation line.
Enter either or both the IncrementalURL and SnapshotURL. These are the URLs which the external Authority will supply with XML files in IMS Enterprise 1.1 format.
-
Index: openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.html
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.html,v
diff -u -r1.2 -r1.2.22.1
--- openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.html 19 Feb 2004 14:59:42 -0000 1.2
+++ openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.html 16 Jul 2016 17:28:03 -0000 1.2.22.1
@@ -1,7 +1,7 @@
Configure Batch Synchronization Browse to the authentication administration page, - http://yourserver/acs-admin/auth/ + http://yourserver/acs-admin/auth/ and choose an authority for batch sync.
Set Batch sync enabled to Yes. Set GetDocument - Implementation to HTTP GET. Set ProcessDocument Implementation to IMS Enterprise 1.1. These settings will cause OpenACS to attempt to retrieve via HTTP a list of users in XML format from a location we will specify in a few steps.
Click OK.
On the next page, click Configure on the GetDocument Implementation line.
Enter either or both the IncrementalURL and SnapshotURL. These are the URLs which the external Authority will supply with XML files in IMS Enterprise 1.1 format.
Configure your Authority (RADIUS server, etc) to + Implementation to HTTP GET. Set ProcessDocument Implementation to IMS Enterprise 1.1. These settings will cause OpenACS to attempt to retrieve via HTTP a list of users in XML format from a location we will specify in a few steps.
Click OK.
On the next page, click Configure on the GetDocument Implementation line.
Enter either or both the IncrementalURL and SnapshotURL. These are the URLs which the external Authority will supply with XML files in IMS Enterprise 1.1 format.
Configure your Authority (RADIUS server, etc) to supply XML files to the URLs IncrementalURL and SnapshotURL. A typical set of incremental file record looks like:
<?xml version="1.0" encoding="ISO-8859-1"?> Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-design.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-design.html,v diff -u -r1.3 -r1.3.22.1 --- openacs-4/packages/acs-authentication/www/doc/ext-auth-design.html 19 Feb 2004 14:59:42 -0000 1.3 +++ openacs-4/packages/acs-authentication/www/doc/ext-auth-design.html 16 Jul 2016 17:28:03 -0000 1.3.22.1 @@ -1,4 +1,25 @@ -
Design Table of Contents
+ + + +Design + + + + + + + + + ++ Table of Contents
by Joel Aufrecht OpenACS docs are written by the named authors, and may be edited by OpenACS documentation staff. Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-install.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-install.html,v diff -u -r1.7 -r1.7.14.1 --- openacs-4/packages/acs-authentication/www/doc/ext-auth-install.html 4 Jun 2006 00:45:21 -0000 1.7 +++ openacs-4/packages/acs-authentication/www/doc/ext-auth-install.html 16 Jul 2016 17:28:03 -0000 1.7.14.1 @@ -1,4 +1,4 @@ -Installation Table of Contents
+
Installation Table of Contents
OpenACS docs are written by the named authors, and may be edited Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html,v diff -u -r1.5 -r1.5.14.1 --- openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html 4 Jun 2006 00:45:21 -0000 1.5 +++ openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html 16 Jul 2016 17:28:03 -0000 1.5.14.1 @@ -1,7 +1,7 @@Using LDAP/Active Directory with OpenACS ToDo:�Add/verify information on on-demand sync, account registration, and batch synchronization. Add section on ldapsearch.
Overview.�You do not want to make users remember yet another password and username. If you can avoid it you do not want to store their passwords either. This document should help you set your system up so your users can seamlessly log in to your OpenACS instance using the password they are accustomed to using for other things at your institution.
Background.�The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a priveleged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS.Save their passwords? Sync passwords? Deal with forgotten password requests? No Thanks. Using ldap bind, you can delegate authentication completely to LDAP. This way you can let the IT department (if you are lucky) worry about password storage/synchronization/etc. The bind operation takes a username and password and returns a true of false depending on whether they match up. This document takes the 'bind' approach so that your users LDAP/AD password (or whatever else you use) can be used to login to OpenACS.
Note on Account Creation.�On the authentication driver configure screens, you will also see lots of options for synchronizing users between your directory and OpenACS. This document takes the approach of provisioning users on demand instead of ahead-of-time. This means that when they attempt to login to OpenACS, if they have a valid Windows account, we'll create an account for them in OpenACS and log them in.
ToDo: Add/verify information on on-demand sync, account registration, and batch synchronization. Add section on ldapsearch.
Overview. You do not want to make users remember yet another password and username. If you can avoid it you do not want to store their passwords either. This document should help you set your system up so your users can seamlessly log in to your OpenACS instance using the password they are accustomed to using for other things at your institution.
Background. The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a priveleged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS.Save their passwords? Sync passwords? Deal with forgotten password requests? No Thanks. Using ldap bind, you can delegate authentication completely to LDAP. This way you can let the IT department (if you are lucky) worry about password storage/synchronization/etc. The bind operation takes a username and password and returns a true of false depending on whether they match up. This document takes the 'bind' approach so that your users LDAP/AD password (or whatever else you use) can be used to login to OpenACS.
Note on Account Creation. On the authentication driver configure screens, you will also see lots of options for synchronizing users between your directory and OpenACS. This document takes the approach of provisioning users on demand instead of ahead-of-time. This means that when they attempt to login to OpenACS, if they have a valid Windows account, we'll create an account for them in OpenACS and log them in.
Installing AOLserver LDAP support (openldap and nsldap). Install openldap and nsldap using the document Malte created Next, modify your config.tcl file as directed in the nsldap README. Here's what the relevant additions should look like:
# LDAP authentication @@ -30,9 +30,9 @@ [10/Jan/2006:11:11:08][22553.3076437088][-main-] Debug: nsldap: adding pool ldap to the list of allowed pools [10/Jan/2006:11:11:08][22553.3076437088][-main-] Debug: nsldap: Registering LDAPCheckPools (600)-auth-ldap + driver installation.�Next, visit the software installation page in acs-admin and install the auth-ldap package. Your OpenACS installation now has all the code required to authenticate using nsldap, so now you need to configure your site's authentication to take advantage of it. To add the authentication driver to your OpenACS instance, go to: Main Site, Site-Wide Administration, and then AuthenticationHere's some sample Authentication Driver values:Name=Active Directory, Short Name=AD, Enabled=Yes, Authentication=LDAP, Password Management=LDAPYou may wish to push this new authority to the top of the list so it will become the default for users on the login screen.Next, you have to configure the authentication driver parameters by going to: Main Site, Site-Wide Administration, Authentication, Active Directory, and then ConfigureParameters that match our example will look like:UsernameAttribute=sAMAccountNMame, BaseDN= cn=Users,dc=mydomain,dc=com, +
auth-ldap + driver installation. Next, visit the software installation page in acs-admin and install the auth-ldap package. Your OpenACS installation now has all the code required to authenticate using nsldap, so now you need to configure your site's authentication to take advantage of it. To add the authentication driver to your OpenACS instance, go to: Main Site, Site-Wide Administration, and then AuthenticationHere's some sample Authentication Driver values:Name=Active Directory, Short Name=AD, Enabled=Yes, Authentication=LDAP, Password Management=LDAPYou may wish to push this new authority to the top of the list so it will become the default for users on the login screen.Next, you have to configure the authentication driver parameters by going to: Main Site, Site-Wide Administration, Authentication, Active Directory, and then ConfigureParameters that match our example will look like:UsernameAttribute=sAMAccountNMame, BaseDN= cn=Users,dc=mydomain,dc=com, InfoAttributeMap=first_names=givenName;last_name=sn;email=mail, -PasswordHash=N/A
Code Tweaks for Bind.�Bind-style authentication is not supported via configuration parameters, so we will have to modify the tcl authentication routine to provide this behavior.You'll have to modify the existing ./packages/auth-ldap/tcl/auth-ldap-procs.tcl file to support bind authentication.First toggle ldap bind support.Change this:
+PasswordHash=N/A
Code Tweaks for Bind. Bind-style authentication is not supported via configuration parameters, so we will have to modify the tcl authentication routine to provide this behavior.You'll have to modify the existing ./packages/auth-ldap/tcl/auth-ldap-procs.tcl file to support bind authentication.First toggle ldap bind support.Change this:
# LDAP bind based authentication ? set ldap_bind_p 0 @@ -65,4 +65,4 @@ set result(auth_status) ok }-
Troubleshooting.�If you're having trouble figuring out some the values for the ldapm, see this useful page on setting up Active Directory integration with Bugzilla. It explains how distinguished names are defined in Active Directory, and how to test that you have the correct values for connectivity and base DN using the OpenLDAP command-line utility ldapsearch.John had an issue where nsldap was not loading because AOLServer couldn't find the openldap client libraries, but he was able to fix it by adding the openldap libraries to his LD_LIBRARY_PATH (e.g. /usr/local/openldap/lib)
Credits.�Thanks to Malte Sussdorf for his help and the Laboratory of Computer Science at Massachusetts General Hospital for underwriting this work.
View comments on this page at openacs.org +Troubleshooting. If you're having trouble figuring out some the values for the ldapm, see this useful page on setting up Active Directory integration with Bugzilla. It explains how distinguished names are defined in Active Directory, and how to test that you have the correct values for connectivity and base DN using the OpenLDAP command-line utility ldapsearch.John had an issue where nsldap was not loading because AOLServer couldn't find the openldap client libraries, but he was able to fix it by adding the openldap libraries to his LD_LIBRARY_PATH (e.g. /usr/local/openldap/lib)
Credits. Thanks to Malte Sussdorf for his help and the Laboratory of Computer Science at Massachusetts General Hospital for underwriting this work.
View comments on this page at openacs.org Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-pam-install.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-pam-install.html,v diff -u -r1.5 -r1.5.14.1 --- openacs-4/packages/acs-authentication/www/doc/ext-auth-pam-install.html 4 Jun 2006 00:45:21 -0000 1.5 +++ openacs-4/packages/acs-authentication/www/doc/ext-auth-pam-install.html 16 Jul 2016 17:28:03 -0000 1.5.14.1 @@ -1,10 +1,10 @@ -Using Pluggable Authentication Modules (PAM) with OpenACS OpenACS supports PAM authetication via the ns_pam module in AOLserver.
Add PAM support to AOLserver.�OpenACS supports PAM support via the PAM AOLserver +
Using Pluggable Authentication Modules (PAM) with OpenACS OpenACS supports PAM authetication via the ns_pam module in AOLserver.
Add PAM support to AOLserver. OpenACS supports PAM support via the PAM AOLserver module. PAM is system of modular support, and can provide local (unix password), RADIUS, LDAP (more information), and other forms of authentication. Note that due to security issues, the AOLserver PAM module cannot be used for local password - authentication.
Compile and install ns_pam.�Download the tarball to + authentication.
Compile and install ns_pam. Download the tarball to
/tmp.Debian users: first do
apt-get install libpam-dev[root@yourserver root]#
cd /usr/local/src/aolserver[root@yourserver aolserver]#tar xzf /tmp/ns_pam-0.1.tar.gz[root@yourserver aolserver]#cd nspam@@ -26,15 +26,15 @@ tar xzf /tmp/ns_pam-0.1.tar.gz cd nspam make -make installSet up a PAM domain.�A PAM domain is a set of rules for granting +make install
Set up a PAM domain. A PAM domain is a set of rules for granting privileges based on other programs. Each instance of AOLserver uses a domain; different aolserver instances can use the same domain but one AOLserver instance cannot use two domains. The domain describes which intermediate programs will be used to check permissions. You may need to install software to perform new types of authentication. -
RADIUS in PAM.�
Untar the pam_radius +
RADIUS in PAM.
Untar the pam_radius tarball and compile and install. (more information)
[root@yourserver root]#
cd /usr/local/src/[root@yourserver src]#tar xf /tmp/pam_radius-1.3.16.tar@@ -59,8 +59,8 @@/etc/pam.d/service0with these contents:auth sufficient /lib/security/pam_radius_auth.so
Modify the AOLserver configuration file to use - this PAM domain. Edit the line
ns_param PamDomain "service0"So that the value of the parameter matches the name (just the file name, not the fully pathed name) of the domain file in
/etc/pam.d/
LDAP in PAM.�more information
Modify the AOLserver configuration file to support ns_pam.�
In -
/var/lib/aolserver/service0/etc/config.tcl, enable the nspam module by uncommenting this line:ns_param nspam ${bindir}/nspam.so
Install auth-pam OpenACS service package.�Install
auth-pamand restart the server.Create an OpenACS authority.�OpenACS supports multiple authentication authorities. + this PAM domain. Edit the line
ns_param PamDomain "service0"So that the value of the parameter matches the name (just the file name, not the fully pathed name) of the domain file in
/etc/pam.d/
LDAP in PAM. more information
Modify the AOLserver configuration file to support ns_pam.
In +
/var/lib/aolserver/service0/etc/config.tcl, enable the nspam module by uncommenting this line:ns_param nspam ${bindir}/nspam.so
Install auth-pam OpenACS service package. Install
auth-pamand restart the server.Create an OpenACS authority. OpenACS supports multiple authentication authorities. The OpenACS server itself is the "Local Authority," used by default.
Browse to the authentication administration page,
http://yourserver/acs-admin/auth/. Index: openacs-4/packages/acs-authentication/www/doc/ims-sync-driver-design.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ims-sync-driver-design.adp,v diff -u -r1.1.2.4 -r1.1.2.5 --- openacs-4/packages/acs-authentication/www/doc/ims-sync-driver-design.adp 5 Jul 2016 08:47:51 -0000 1.1.2.4 +++ openacs-4/packages/acs-authentication/www/doc/ims-sync-driver-design.adp 16 Jul 2016 17:28:03 -0000 1.1.2.5 @@ -195,7 +195,7 @@ address the communication model, which is critically missing for real seamless interoperability. IMS Enterprise 2.0 will address this, but Blackboard, who's influential in the IMS committee, -is adopting OKI's programming interrfaces for this.- +is adopting OKI's programming interrfaces for this.
