LDAP Active Directory Help

by D VS -
Number of replies: 6

Hi all,

I have installed WebWork on a RHEL 5.5 box. I can get one part of our ldap setup working (student auth) but I am having trouble figuring out how to get WebWork to recognize two distinct trees and authenticate to them using different users.

I.e.,

I have two unique URLs with unique base and bind names. Ideally what I'd like is for WebWork to try student auth info first; if that fails, try fac/staff auth info (unique from student); if that fails, try local.

# tried
net_ldap_hosts => [
    "ldaps://auth-student..",
    "ldaps://auth-office..",
],

net_ldap_base => [
    "OU=STUDENTinfo,DC=STUDENTinfo",
    "OU=facstaffinfo,DC=facstaffinfo",
],

searchDN => [
    "CN=binduser,OU=our,DC=info",
    "CN=bindfacstaff,OU=our,DC=inf",
],

bindPassword => "password", # same for both above
# end

The above does not work... one or the other individually works, but I can't seem to find how to have both.

Has anyone figured out a way to do this?

In reply to D VS

Re: LDAP Active Directory Help

by Danny Glin -
I suspect that the ldap search being utilized can't be told to search multiple trees in a single search.

Most likely you will have to edit the code in Authen::LDAP to do a second search if the first one fails.
In reply to Danny Glin

Re: LDAP Active Directory Help

by D VS -

I don't know the webwork code well enough but in general why not just put all the necessary bits on one line then parse them out?

In global.conf we already have an array of URLs, then individual vars for the other bits. Why not just do something like this:

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $user = shift @ARGV or die "usage: $0 username\n";
# escape the name before it goes into a filter so a crafted username can't change the query
my $safe_user = escape_filter_value($user);

# Each value is: url;bindDN;bindPassword;searchBase;filter;attribute
# (a ';' inside the bind password would break the split below)
my %ldapvar = (
    "student"  => "ldaps://whatever.school.edu;CN=YOUR,OU=STUFF,DC=HERE;password;OU=MORE,DC=STUFF;displayName=$safe_user;cn",
    "facstaff" => "ldaps://different.school.edu;CN=FOO,OU=BAR-USERS,DC=OFFICELDS;password;OU=info,DC=OFFICELDS;displayName=$safe_user;cn",
);

foreach my $key (keys %ldapvar) {
    my ($ldurl, $ldbind, $ldpasswd, $ldbase, $ldfilter, $ldattr) = split(/;/, $ldapvar{$key});

    my $ad = Net::LDAP->new($ldurl)
        or die("Could not connect to LDAP server $ldurl: $@");

    # Bind with the service account and check the result instead of assuming it worked
    my $mesg = $ad->bind($ldbind, password => $ldpasswd);
    die "Bind to $key failed: " . $mesg->error if $mesg->code;

    # Execute the search. attrs must be an array reference; request the
    # attributes the display below reads as well as the configured one.
    my $results = $ad->search(
        base   => $ldbase,
        filter => "($ldfilter)",
        attrs  => [$ldattr, 'displayName', 'userPrincipalName', 'lastAgedChange'],
    );
    die "Search in $key failed: " . $results->error if $results->code;

    # How many entries returned?
    my $count = $results->count;

    # Print the key, not the whole config string, so the bind password never lands in the output
    print "\nTotal entries returned for $key: $count\n\n";

    if ($count == 1) {
        # Display the single matching entry
        my $entry = $results->entry(0);
        print "\n";
        print $entry->get_value('cn') . ", " . $entry->get_value('displayName') . "\n";
        print "Mail: " . $entry->get_value('userPrincipalName') . "\n";
        print "Password last changed: " . localtime($entry->get_value('lastAgedChange')) . "\n";
        print "send to do other stuff here\n";
        print "\n";
        $ad->unbind;
        exit;
    }
    else {
        print "Count not equal to 1 - check other array items\n";
    }
    $ad->unbind;
}

I'm not a Perl guru, but I have a test script working as I'd like; I just don't know where to plug the pieces into your code.

In reply to D VS

Re: LDAP Active Directory Help

by Mark Hamrick -
Hello,

The file that contains the LDAP package is at the path below in a standard WW install.

/opt/webwork/webwork2/lib/WeBWorK/Authen/LDAP.pm

To my knowledge, I am one of two people to have last touched this code; I added the bind account. I forget the name of the person who came back and switched the default back to off, since I had left it on accidentally. I am not the person who wrote the original code.

I am wondering if, to save complication and least affect other users, a WebWork::Authen::LDAPMULTI package should be created instead of modifying the LDAP package. I know when I added the bind account to the LDAP package it caused some confusion.

Thanks,
Mark
In reply to Mark Hamrick

Re: LDAP Active Directory Help

by D VS -

Sounds perfectly reasonable to me, but I am brand new to this :)

In reply to D VS

Re: LDAP Active Directory Help

by D VS -
We had another idea I wanted to run by you. What if we created two app servers, one for student access and one for faculty? Both would be pointed to the same (separate) MySQL box. That way we could use the existing LDAP auth without worrying about additional tweaks.

Can you think of any problems this might cause?

Also, as a side issue: I have not yet run across instructions for changing the local WebWork admin user to an LDAP name. Is there a documented way to do that?
In reply to D VS

Re: LDAP Active Directory Help

by Jason Aubrey -
I can't think of any problems this might cause. In fact, I think I have that exact setup on my laptop, where I have one WebWork db and 3 or 4 different functioning WebWork instances (svn trunk, a few github versions). This hasn't caused me any problems, but this is also not a production server.

Maybe you can try it out, but have your first round of instructor users create local passwords. Then set the ldap failover to only failover for users not in the ldap database.  If there are no problems, everyone gets authenticated through ldap. If there is a problem, you can shut down the faculty app server and your faculty can still authenticate into the student server.

Regarding the second issue - any user with "professor" permissions in the admin course is a webwork admin.  So, you can add your ldap users as professors to the admin course and then delete the "admin" account.  

Hope this helps,
Jason
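Pulling the thread together as an added example (this is not WeBWorK's Authen::LDAP code and not D VS's script): an ordered list of directory sources, each with its own URL, bind account and base as in the first post, tried in turn, with the outcome classified so that a caller falls through to local passwords only for accounts no directory knows, which is the failover Jason describes. The hostnames, DNs, placeholder passwords and the sAMAccountName attribute are assumptions.

```perl
#!/usr/bin/perl
# Example (not WeBWorK code): try several directories in order; the first one
# that knows the user decides. Hostnames, DNs and passwords are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my @sources = (
    { name => 'student',  url => 'ldaps://auth-student.example.edu',
      bind_dn => 'CN=binduser,OU=our,DC=info',     bind_pw => 'PLACEHOLDER',
      base => 'OU=STUDENTinfo,DC=STUDENTinfo',     attr => 'sAMAccountName' },
    { name => 'facstaff', url => 'ldaps://auth-office.example.edu',
      bind_dn => 'CN=bindfacstaff,OU=our,DC=inf',  bind_pw => 'PLACEHOLDER',
      base => 'OU=facstaffinfo,DC=facstaffinfo',   attr => 'sAMAccountName' },
);

# Returns 'ok', 'bad_password', 'unknown' or 'unavailable'. Only 'unknown'
# (every reachable directory was searched and none has the account) should
# let the caller fall through to local passwords: a wrong password against a
# directory that knows the user, or a directory that could not be reached,
# must not silently turn into a local-password check.
sub ldap_authenticate {
    my ($user, $password, @sources) = @_;
    # an empty password would make the user bind below an anonymous bind that "succeeds"
    return 'bad_password' if !defined $password || $password eq '';

    my $unavailable = 0;
    for my $src (@sources) {
        my $ldap = Net::LDAP->new($src->{url});
        if (!$ldap) { warn "$src->{name}: connect failed: $@\n"; $unavailable = 1; next; }
        my $mesg = $ldap->bind($src->{bind_dn}, password => $src->{bind_pw});
        if ($mesg->code) { warn "$src->{name}: service bind failed\n"; $unavailable = 1; next; }

        # Locate the account; escaping keeps the username from altering the filter
        my $filter = "($src->{attr}=" . escape_filter_value($user) . ")";
        $mesg = $ldap->search(base => $src->{base}, scope => 'sub',
                              filter => $filter, attrs => ['1.1']);
        if ($mesg->code || $mesg->count != 1) { $ldap->unbind; next; }  # not in this tree

        # Re-bind as the located entry: this is the actual password check
        my $dn = $mesg->entry(0)->dn;
        $mesg = $ldap->bind($dn, password => $password);
        $ldap->unbind;
        return $mesg->code ? 'bad_password' : 'ok';
    }
    return $unavailable ? 'unavailable' : 'unknown';
}

my ($user, $pw) = @ARGV;
print ldap_authenticate($user, $pw, @sources), "\n" if defined $user;
```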