Difference between revisions of "LDAP Authentication"
Revision as of 10:39, 6 May 2009
WeBWorK 2.3 contains support for authenticating WeBWorK logins against an LDAP database.
Requirements
WeBWorK 2.3.x or newer.
For WeBWorK 2.3.0, the Net::LDAPS Perl module and access to an LDAPS server.
For later versions of WeBWorK, the Net::LDAP Perl module and access to an LDAP or LDAPS server.
Usage
If you are using WeBWorK 2.3.0, you'll have to set the following configuration options in webwork2/lib/WeBWorK/Authen/LDAP.pm:

constant | description
$TIMEOUT | Seconds to wait for LDAP server.
$PORT | TCP port to connect to on LDAP server.
$VERSION | LDAP protocol version to use.
$BASE | LDAP base string.
@HOST | This is kind of confusing. This is a one-element array, containing an arrayref. The arrayref is a list of servers to attempt to connect to. You'll see what to do when you look at the file. (Yes, this is a bug.)
If you are using 2.3.1 or later, the configuration process has changed somewhat. Rather than setting options in LDAP.pm, all configuration is now done in global.conf, using the $authen{ldap_options} hash. The items in this hash are as follows:

key | description
net_ldap_hosts | A reference to an array listing hosts to attempt to connect to. Examples:
  auth.myschool.edu (uses LDAP scheme and port 389)
  ldap://auth.myschool.edu:666 (non-standard port)
  ldaps://auth.myschool.edu (uses LDAPS scheme and port 636)
  ldaps://auth.myschool.edu:389 (SSL on non-SSL port)
net_ldap_options | Options passed to Net::LDAP's constructor. See Net::LDAP#CONSTRUCTOR for details.
net_ldap_base | LDAP base to use when searching for the user's DN. Site-specific.
failover | If this is true, the WeBWorK password database will be consulted if the LDAP server rejects the user's password. This is necessary if you want to allow users to log in who are not listed in the LDAP server's database.
The following instructions apply to both 2.3.0 and post-2.3.0 versions of WeBWorK.
To use LDAP authentication with one course, add this to the course's course.conf file:
$authen{user_module}{"*"} = "WeBWorK::Authen::LDAP";
To use LDAP authentication with all courses, change the $authen{user_module} hash in global.conf to look like this:
$authen{user_module} = {
sql_moodle => "WeBWorK::Authen::Moodle",
"*" => "WeBWorK::Authen::LDAP",
};
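As an added example (not code from the WeBWorK project or this wiki page), here is a complete global.conf fragment for WeBWorK 2.3.1 or later that ties the $authen{ldap_options} keys above to the $authen{user_module} change, with the plaintext-LDAP form shown commented out beside the LDAPS form. The hostname, base DN and CA file path are placeholders; verify and cafile are Net::LDAP constructor options passed through net_ldap_options.

```perl
# Added example, not from the WeBWorK wiki page or the WeBWorK code base.
# auth.myschool.edu, the base DN and the CA file path are placeholders.

# Plaintext form (left commented out): a bare hostname defaults to the
# ldap:// scheme on port 389, so each user's password crosses the network
# unencrypted. failover => 1 keeps the WeBWorK password as a second valid
# credential for every account, not just accounts missing from LDAP.
# $authen{ldap_options} = {
#     net_ldap_hosts   => [ "auth.myschool.edu" ],
#     net_ldap_options => { timeout => 30, version => 3 },
#     net_ldap_base    => "ou=people,dc=myschool,dc=edu",
#     failover         => 1,
# };

# LDAPS form: the password is sent over TLS (port 636 by default), the
# server certificate must chain to the site's CA bundle, and a rejected
# LDAP password is not retried against the WeBWorK database.
$authen{ldap_options} = {
    net_ldap_hosts   => [ "ldaps://auth.myschool.edu" ],
    net_ldap_options => {
        timeout => 30,                        # seconds to wait for the server
        version => 3,                         # LDAP protocol version
        verify  => "require",                 # Net::LDAP: reject bad certs
        cafile  => "/etc/ssl/certs/myschool-ca.pem",   # placeholder path
    },
    net_ldap_base    => "ou=people,dc=myschool,dc=edu",  # placeholder DN
    failover         => 0,   # set to 1 only if some users are not in LDAP
};

# Route every course (the "*" key) to the LDAP module; gateway test
# proctors still need passwords in the WeBWorK database.
$authen{user_module} = {
    sql_moodle => "WeBWorK::Authen::Moodle",
    "*"        => "WeBWorK::Authen::LDAP",
};
```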
Security Considerations
You must make sure that each account in your WeBWorK course "belongs" to the same person as the LDAP account with the same user ID. User ID mapping is not supported.
In WeBWorK 2.3.0, the LDAP module always fails over to checking the WeBWorK password if LDAP authentication fails.
It is suggested to run the authentication over SSL so that the password is encrypted and not sent in plain text.
Limitations
The code is slanted towards University of Rochester's NetID implementation and hasn't been tested with other systems.
Only LDAPS is supported in WeBWorK 2.3.0. Both LDAP and LDAPS servers are supported in later versions.
You still have to add users to WeBWorK manually.
Gateway test proctors cannot authenticate with LDAP. They will have to have valid passwords in the WeBWorK database.
Credits
Mike Gage wrote the WeBWorK::Authen::LDAP module. He used sample code written by Christina Plummer of UR ITS.