Difference between revisions of "LDAP Authentication"
Line 85: | Line 85: | ||
== Development == |
== Development == |
||
− | *[http://webwork.maa.org/viewvc/system/trunk/webwork2/lib/WeBWorK/Authen.pm?view=markup WeBWorK::Authen source code] |
+ | *[http://webwork.maa.org/viewvc/system/trunk/webwork2/lib/WeBWorK/Authen/LDAP.pm?view=markup WeBWorK::Authen::LDAP source code] |
=== Bug Reports === |
=== Bug Reports === |
Revision as of 19:08, 31 August 2011
WeBWorK contains support for authenticating WeBWorK logins against an LDAP database. The WeBWorK LDAP authentication module supports vanilla LDAP as well as Bind accounts and Active Directory search.
Contents
Configuring WeBWorK to use LDAP authentication
LDAP authentication may be enabled for all WeBWorK courses on a server, or for individual courses on a server. The latter may be useful when a single WeBWorK installation is being used to host courses at multiple institutions.
To use LDAP authentication for all courses, in global.conf
you must edit the $authen{user_module}
hash to enable the LDAP authentication module and then edit the $authen{ldap_options}
hash to configure the LDAP module for your specific environment.
To enable, LDAP authentication modify $authen{user_module}
to read:
$authen{user_module} = { sql_moodle => "WeBWorK::Authen::Moodle", "*" => "WeBWorK::Authen::LDAP", };
Configuration of the LDAP authentication module is now done in global.conf
, using the $authen{ldap_options}
hash. The items in this hash are as follows:
key | description |
net_ldap_hosts |
A reference to an array listing hosts to attempt to connect to. Examples:auth.myschool.edu (uses LDAP scheme and port 389)ldap://auth.myschool.edu:666 (non-standard port)ldaps://auth.myschool.edu (uses LDAPS scheme and port 636)ldaps://auth.myschool.edu:389 (SSL on non-SSL port)
|
net_ldap_options |
Options passed to Net::LDAP's constructor. See Net::LDAP#CONSTRUCTOR for details. |
net_ldap_base |
Tells the WeBWorK server which part of the external directory tree to search. This is site-specific and may be something equivalent to the organization, group, or domain name (AD) of external directory; e.g. "ou=people,dc=myschool,dc=edu"
|
bindAccount |
Set bindAccount = 1 to authenticate to LDAP server. Must set searchDN and bindPassword .
|
searchDN |
For use when bindAccount = 1 The searchDN represents the user on the external LDAP server permitted to search the LDAP directory within the defined search base;
e.g |
bindPassword |
Password for Bind user identified by searchDN .
|
net_ldap_rdn |
The LDAP module searches for a DN whose RDN matches the username entered by the user. The net_ldap_rdn will depend on your LDAP setup. By default net_ldap_rdn = "sAMAccountName for use with Active Directory. If you schema uses UID as RDN set net_ldap_rdn = "uid"
|
failover |
If failover = "all" , then LDAP failures will be checked against the WeBWorK database. If failover = "local" , then only users who don't exist in the LDAP
database will be checked against the WeBWorK database. If |
Legacy
If you are using WeBWorK 2.3.0 you should upgrade!!! :-)
If you insist on using WeBWorK 2.3.0, you'll have to set the following configuration options in webwork2/lib/WeBWorK/Authen/LDAP.pm
:
constant | description |
$TIMEOUT |
Seconds to wait for LDAP server. |
$PORT |
TCP port to connect to on LDAP server. |
$VERSION |
LDAP protocol version to use. |
$BASE |
LDAP base string. |
@HOST |
This is kind of confusing. This is a one-element array, containing an arrayref. The arrayref is a list of servers to attempt to connect to. You'll see what to do when you look at the file. (Yes, this is a bug.) |
Security Considerations
You must make sure that each accounts in your WeBWorK course "belongs" to the same person as the LDAP account with the same user ID. User ID mapping is not supported.
With failover = "all"
, the LDAP module always fails over to checking the WeBWorK password if LDAP authentication fails.
It is suggested to run the authentication over SSL so that the password is encrypted and not sent in plain text.
Limitations
Users must still be added to WeBWorK manually. The LDAP module itself does not do this for you.
Gateway test proctors cannot authenticate with LDAP. They will have to have valid passwords in the WeBWorK database.
Forum Discussions
- LDAP Search 25 May 2011
- ldap failover not working 9 Sept 2010
- Authentication problems 21 Dec 2009
- LDAP credentials 20 Mar 2009
Development
Bug Reports
{{#bugzilla: |id=1926,1927 |lastcomment=1 }}