LDAP Authentication

From WeBWorK
(Difference between revisions)
Jump to: navigation, search
Line 1: Line 1:
WeBWorK contains support for authenticating WeBWorK logins against an LDAP database.
+
WeBWorK contains support for authenticating WeBWorK logins against an LDAP database.  The WeBWorK LDAP authentication module supports vanilla LDAP as well as Bind accounts and Active Directory search.
  
== Requirements ==
+
== Configuring WeBWorK to use LDAP authentication ==
  
WeBWorK 2.3.x or newer.
+
LDAP authentication may be enabled for all WeBWorK courses on a server, or for individual courses on a server.  The latter may be useful when a single WeBWorK installation is being used to host courses at multiple institutions.
  
For WeBWorK 2.3.0, the <code>Net::LDAPS</code> Perl module and access to an LDAPS server.
+
To use LDAP authentication for all courses, in <code>global.conf</code> you must edit the <code>$authen{user_module}</code> hash to enable the LDAP authentication module and then edit the <code>$authen{ldap_options}</code> hash to configure the LDAP module for your specific environment.
  
For later versions of WeBWorK, the <code>Net::LDAP</code> Perl module and access to an LDAP or LDAPS server.
+
To enable, LDAP authentication modify <code>$authen{user_module}</code> to read:
  
== Usage ==
+
<nowiki>
 +
$authen{user_module} = {
 +
        sql_moodle => "WeBWorK::Authen::Moodle",
 +
        "*" => "WeBWorK::Authen::LDAP",
 +
};
 +
</nowiki>
  
  
If you are using 2.3.1 or later If you are using WeBWorK 2.3.0 all configuration is now done in <code>global.conf</code>, using the <code>$authen{ldap_options}</code> hash. The items in this hash are as follows:
+
Configuration of the LDAP authentication module is now done in <code>global.conf</code>, using the <code>$authen{ldap_options}</code> hash. The items in this hash are as follows:
  
 
{| border="1"
 
{| border="1"
Line 22: Line 27:
 
| <code>net_ldap_options</code> || Options passed to Net::LDAP's constructor. See [http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod#CONSTRUCTOR Net::LDAP#CONSTRUCTOR] for details.  
 
| <code>net_ldap_options</code> || Options passed to Net::LDAP's constructor. See [http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod#CONSTRUCTOR Net::LDAP#CONSTRUCTOR] for details.  
 
|-
 
|-
| <code>net_ldap_base</code> || LDAP base to use when searching for the user's DN. Site-specific.  
+
| <code>net_ldap_base</code> || Tells the WeBWorK server which part of the external directory tree to search. This is site-specific and may be something equivalent to the organization, group, or domain name (AD) of external directory; e.g. <code>"ou=people,dc=myschool,dc=edu"</code>
 
|-
 
|-
| <code>failover</code> || If this is true, the WeBWorK password database will be consulted if the LDAP server rejects the user's password. The is necessary if you want to allow users to log in who are not listed in the LDAP server's database.  
+
| <code>bindAccount</code> || Set <code>bindAccount = 1</code> to authenticate to LDAP server. Must set <code>searchDN</code> and <code>bindPassword</code>.
 
+
|-
 +
| <code>searchDN</code> || For use when <code>bindAccount = 1</code> The <code>searchDN</code> represents the user on the external LDAP server permitted to search the LDAP directory within the defined search base;
 +
e.g <code>searchDN = "cn=administrator,dc=myschool,dc=edu"</code>.
 +
|-
 +
| <code>bindPassword</code> || Password for Bind user identified by <code>searchDN</code>.
 +
|-
 +
| <code>net_ldap_rdn</code> || The LDAP module searches for a DN whose RDN matches the username entered by the user.  The <code>net_ldap_rdn</code> will depend on your LDAP setup. By default <code>net_ldap_rdn = "sAMAccountName</code> for use with Active Directory.  If you schema uses UID as RDN set <code>net_ldap_rdn = "uid"</code>
 +
|-
 +
| <code>failover</code> || If <code>failover = "all"</code>, then LDAP failures will be checked against the WeBWorK database.  If  <code>failover = "local"</code>, then only users who don't exist in the LDAP
 +
database will be checked against the WeBWorK database. If <code>failover = 0</code>, then no atempts will be checked against the WeBWorK database. The setting <code>failover = 1</code> is equivalent to <code>failover="all"</code>.
 
|}
 
|}
  
The following instructions apply to 2.3.0 and later versions of WeBWorK.
 
 
To use LDAP authentication with one course, add this to the course's <code>course.conf</code> file:
 
<nowiki>
 
$authen{user_module}{"*"} = "WeBWorK::Authen::LDAP";
 
</nowiki>
 
 
To use LDAP authentication with all courses, change the <code>$authen{user_module}</code> hash in <code>global.conf</code> to look like this:
 
<nowiki>
 
$authen{user_module} = {
 
        sql_moodle => "WeBWorK::Authen::Moodle",
 
        "*" => "WeBWorK::Authen::LDAP",
 
};
 
</nowiki>
 
 
If you are using a bind user to connect to LDAP, Mark Hamrick (mmhamric@uncc.edu) has modified the ldap_authen_uid subroutine in the LDAP.PM file to handle the bind user authentication.  The file is available at the link http://www.math.uncc.edu/~mmhamric/RevisedLDAP.pm  It is not known if this change will be included in future versions of WebWork.
 
  
 
===Legacy===
 
===Legacy===
Line 71: Line 69:
 
You must make sure that each accounts in your WeBWorK course "belongs" to the same person as the LDAP account with the same user ID. User ID mapping is not supported.
 
You must make sure that each accounts in your WeBWorK course "belongs" to the same person as the LDAP account with the same user ID. User ID mapping is not supported.
  
In WeBWorK 2.3.0, the LDAP module always fails over to checking the WeBWorK password if LDAP authentication fails.
+
With <code>failover = "all"</code>, the LDAP module always fails over to checking the WeBWorK password if LDAP authentication fails.
  
 
It is suggested to run the authentication over SSL so that the password is encrypted and not sent in plain text.
 
It is suggested to run the authentication over SSL so that the password is encrypted and not sent in plain text.
Line 77: Line 75:
 
== Limitations ==
 
== Limitations ==
  
The code is slanted towards University of Rochester's <nop>NetID implementation and hasn't been tested with other systems.
+
Users must still be added to WeBWorK manually. The LDAP module itself does not do this for you.
 
+
Only LDAPS is supported in WeBWorK 2.3.0. Both LDAP and LDAPS servers are supported in later versions.
+
 
+
You still have to add users to WeBWorK manually.
+
  
 
Gateway test proctors cannot authenticate with LDAP. They will have to have valid passwords in the WeBWorK database.
 
Gateway test proctors cannot authenticate with LDAP. They will have to have valid passwords in the WeBWorK database.

Revision as of 15:41, 31 August 2011

WeBWorK contains support for authenticating WeBWorK logins against an LDAP database. The WeBWorK LDAP authentication module supports vanilla LDAP as well as Bind accounts and Active Directory search.

Contents

Configuring WeBWorK to use LDAP authentication

LDAP authentication may be enabled for all WeBWorK courses on a server, or for individual courses on a server. The latter may be useful when a single WeBWorK installation is being used to host courses at multiple institutions.

To use LDAP authentication for all courses, in global.conf you must edit the $authen{user_module} hash to enable the LDAP authentication module and then edit the $authen{ldap_options} hash to configure the LDAP module for your specific environment.

To enable, LDAP authentication modify $authen{user_module} to read:

$authen{user_module} = { sql_moodle => "WeBWorK::Authen::Moodle", "*" => "WeBWorK::Authen::LDAP", };


Configuration of the LDAP authentication module is now done in global.conf, using the $authen{ldap_options} hash. The items in this hash are as follows:

key description
net_ldap_hosts A reference to an array listing hosts to attempt to connect to. Examples:
auth.myschool.edu (uses LDAP scheme and port 389)
ldap://auth.myschool.edu:666 (non-standard port)
ldaps://auth.myschool.edu (uses LDAPS scheme and port 636)
ldaps://auth.myschool.edu:389 (SSL on non-SSL port)
net_ldap_options Options passed to Net::LDAP's constructor. See Net::LDAP#CONSTRUCTOR for details.
net_ldap_base Tells the WeBWorK server which part of the external directory tree to search. This is site-specific and may be something equivalent to the organization, group, or domain name (AD) of external directory; e.g. "ou=people,dc=myschool,dc=edu"
bindAccount Set bindAccount = 1 to authenticate to LDAP server. Must set searchDN and bindPassword.
searchDN For use when bindAccount = 1 The searchDN represents the user on the external LDAP server permitted to search the LDAP directory within the defined search base;

e.g searchDN = "cn=administrator,dc=myschool,dc=edu".

bindPassword Password for Bind user identified by searchDN.
net_ldap_rdn The LDAP module searches for a DN whose RDN matches the username entered by the user. The net_ldap_rdn will depend on your LDAP setup. By default net_ldap_rdn = "sAMAccountName for use with Active Directory. If you schema uses UID as RDN set net_ldap_rdn = "uid"
failover If failover = "all", then LDAP failures will be checked against the WeBWorK database. If failover = "local", then only users who don't exist in the LDAP

database will be checked against the WeBWorK database. If failover = 0, then no atempts will be checked against the WeBWorK database. The setting failover = 1 is equivalent to failover="all".


Legacy

If you are using WeBWorK 2.3.0 you should upgrade!!!  :-)

If you insist on using WeBWorK 2.3.0, you'll have to set the following configuration options in webwork2/lib/WeBWorK/Authen/LDAP.pm:

constant description
$TIMEOUT Seconds to wait for LDAP server.
$PORT TCP port to connect to on LDAP server.
$VERSION LDAP protocol version to use.
$BASE LDAP base string.
@HOST This is kind of confusing. This is a one-element array, containing an arrayref. The arrayref is a list of servers to attempt to connect to. You'll see what to do when you look at the file. (Yes, this is a bug.)

Security Considerations

You must make sure that each accounts in your WeBWorK course "belongs" to the same person as the LDAP account with the same user ID. User ID mapping is not supported.

With failover = "all", the LDAP module always fails over to checking the WeBWorK password if LDAP authentication fails.

It is suggested to run the authentication over SSL so that the password is encrypted and not sent in plain text.

Limitations

Users must still be added to WeBWorK manually. The LDAP module itself does not do this for you.

Gateway test proctors cannot authenticate with LDAP. They will have to have valid passwords in the WeBWorK database.

Forum Discussions

Development

Bug Reports

IDPStatusSeverityVersionProductSummary (2 tasks)  
1926*P5RESOLVEDenhancementtrunk (SVN)WeBWorK 2feature request: more granular LDAP failover 
1927*
1927

The code I run locally (probably changed after I ran into that warning) uses eq for all of the checks on line 39 of LDAP.pm. I think that'd also solve the issue and allow the use of "local". Your call, though -- using 0, 1, and 2 would also solve the issue. Sorry about that -- I guess I posted the wrong diff.

(I think this is in reference to the patch attached to #1926?)
P5RESOLVEDnormaltrunk (SVN)WeBWorK 2Active Directory specific LDAP search breaks on other systems 
follow us