LDAP

Redirection Notice
This page should redirect to LDAP Configuration.

Implementation as of 2.0

It is possible to use an LDAP server for authentication in LAMS 2.0, but it requires substantial knowledge on the part of the system administrator. It is functioning, but not friendly. The following is a brief overview of how it is currently set up. It has been tested using OpenLDAP 2.2.26.

Authentication and Authorisation

LDAP is used to authenticate a user (i.e. username and password), but that's as far as it goes. For authorisation purposes (roles/permissions), LAMS' own database is used.

User accounts still need to be created as usual by a sysadmin or group admin; the only change is that authentication_method_id needs to be set to 3 (i.e. MQ-LDAP in the lams_authentication_method table).

Passwords
The password sent by LAMS to LDAP is the SHA-1 hash of the password, not the cleartext. So any hashing or encryption applied to the password on the LDAP side must be applied to the SHA-1 value, not to the password itself.

This is because the login form currently sends the hashed password to LAMS' database (where it is stored in SHA-1 format).

Configuration

The LDAP settings are located in $JBOSS_HOME/server/default/conf/lamsauthentication.xml, in the method block titled "MQ-LDAP". The configurable parameters are as follows:

| param name | examples | explanation |
| --- | --- | --- |
| java.naming.provider.url | ldap://ldap.blah.org:636 | URL of your LDAP server; this example is on the SSL port |
| java.naming.security.authentication | simple, none, anonymous | Use 'simple' for sending the password as cleartext |
| java.naming.security.protocol | ssl | Keep this parameter to communicate with LDAP over SSL (made optional in 2.0.3) |
| principalDNPrefix | uid= | Combines with the LAMS username to provide the DN for LDAP |
| principalDNSuffix | ,dc=blah,dc=org | Combines with the LAMS username to provide the DN for LDAP |
| dsJndiName | java:/lams-ds | LAMS datasource, don't change |
| principalsQuery | | Not used |
| rolesQuery | <see file for the SQL query> | Used to retrieve roles from the LAMS DB. Don't change |
| truststore.path | D:\path\to\your\LDAP\ssl\cert | Necessary when communicating via SSL |
| truststore.password | somepassword | Necessary when communicating via SSL |
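The Passwords section and the parameter table above describe how LAMS builds the bind DN from principalDNPrefix, the username and principalDNSuffix, and that the credential it binds with is the SHA-1 of the password. The following is an added example, not LAMS code, that models that behaviour so an administrator can check what the LDAP entry must hold and catch a few configuration mistakes before restarting JBoss. It assumes the SHA-1 is sent as a hex digest and that the LDAP side uses the OpenLDAP {SHA} scheme (base64 of the raw digest); the parameter values are constructed samples.

```python
import base64
import hashlib
from typing import Dict, List

# Constructed sample of the MQ-LDAP parameters from lamsauthentication.xml.
SAMPLE_CONFIG: Dict[str, str] = {
    "java.naming.provider.url": "ldap://ldap.blah.org:636",
    "java.naming.security.authentication": "simple",
    "java.naming.security.protocol": "ssl",
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",dc=blah,dc=org",
    "truststore.path": "/path/to/truststore",   # placeholder path
    "truststore.password": "somepassword",
}

_DN_SPECIAL = set(',+"\\<>;=')

def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514, so a username containing
    DN-special characters still yields a well-formed DN (added safeguard;
    the page only describes plain prefix + username + suffix concatenation)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)

def bind_dn(config: Dict[str, str], username: str) -> str:
    """DN LAMS binds as: principalDNPrefix + username + principalDNSuffix."""
    return config["principalDNPrefix"] + escape_rdn_value(username) + config["principalDNSuffix"]

def bind_credential(password: str) -> str:
    """Credential LAMS sends: SHA-1 of the password (hex digest assumed), not cleartext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def ldap_user_password(password: str) -> str:
    """Value an OpenLDAP userPassword with the {SHA} scheme must hold: the hash
    is taken over the SHA-1 string LAMS sends, not over the cleartext password."""
    sent = bind_credential(password).encode("ascii")
    return "{SHA}" + base64.b64encode(hashlib.sha1(sent).digest()).decode("ascii")

def check_config(config: Dict[str, str]) -> List[str]:
    """Findings a sysadmin would want before going live with this block."""
    findings = []
    url = config.get("java.naming.provider.url", "")
    ssl = config.get("java.naming.security.protocol") == "ssl" or url.startswith("ldaps://")
    if config.get("java.naming.security.authentication") == "simple" and not ssl:
        findings.append("simple bind sends the credential unprotected; set java.naming.security.protocol=ssl")
    if ssl:
        findings += [f"{k} is required when communicating via SSL"
                     for k in ("truststore.path", "truststore.password") if not config.get(k)]
    return findings
```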

Relevant Code

The class org.lamsfoundation.lams.security.LDAPAuthenticator in lams_central handles the set up of the JNDI context. Parameters are read in from lamsauthentication.xml by org.lamsfoundation.lams.security.AuthenticationMethodConfigurer in lams_central.

What's Missing (aka Nice to Haves)

Automatic user provisioning

Currently, LAMS accounts must exist before any authentication is even considered. However, it would be easier for admins if LAMS accounts (i.e. rows in lams_user) were created on the fly when a user logs in with LDAP credentials for the first time.

Automatic roles provisioning

Even better would be to also automatically translate any grouping/roles/permissions information into the LAMS roles/group/subgroup format. Alternatively, add an LDAP option to the 'add/remove user' screens so that LDAP users are included in the available list of users.

SASL support for LDAP v3

Add support for securing the LDAP communication by means other than SSL, for both security and compatibility.

GUI-configurable settings

Currently, JBoss needs to be restarted whenever a change is made to lamsauthentication.xml.

Compatibility with different implementations

(22/12/06) I've tested partially with OpenLDAP 2.2.26, but other implementations such as Active Directory may have their differences.
