
Redirection Notice

This page should redirect to LDAP Configuration.

Implementation as of 2.0

It is possible to use an LDAP server for authentication in LAMS 2.0, but it requires substantial knowledge on the part of the system administrator. It is functioning, but not friendly. The following is a brief overview of how it is currently set up. It has been tested using OpenLDAP 2.2.26.

Authentication and Authorisation

LDAP is used to authenticate a user (i.e. username and password), but that's as far as it goes. For authorisation purposes (roles/permissions), LAMS' own database is used.

User accounts still need to be created as usual by a sysadmin or group admin; the only change is that the account's authentication_method_id must be set to 3 (i.e. MQ-LDAP in the lams_authentication_method table).

Passwords

The password LAMS sends to LDAP is the SHA-1 hash of the user's password, not the cleartext. Any hashing applied to the password on the LDAP side must therefore be applied to that SHA-1 value, not to the password itself; in effect the SHA-1 value is the bind credential.

This is because the login form currently sends the hashed password, which is what LAMS' database stores (in SHA-1 format).

Configuration

The LDAP settings are located in $JBOSS_HOME/server/default/conf/lamsauthentication.xml, in the method block titled "MQ-LDAP". The configurable parameters are as follows:

param name                         | examples                        | explanation
-----------------------------------|---------------------------------|------------------------------------------------------------------
java.naming.provider.url           | ldap://ldap.blah.org:636        | URL of your LDAP server; this example uses the SSL port
java.naming.security.authentication| simple, none, anonymous         | 'simple' sends the bind password in the clear at the protocol level, so use it together with ssl
java.naming.security.protocol      | ssl                             | Keep this parameter to communicate with LDAP over ssl (made optional in 2.0.3)
principalDNPrefix                  | uid=                            | Combines with the LAMS username to provide the DN for LDAP
principalDNSuffix                  | ,dc=blah,dc=org                 | Combines with the LAMS username to provide the DN for LDAP
dsJndiName                         | java:/lams-ds                   | LAMS datasource, don't change
principalsQuery                    | (empty)                         | Not used
rolesQuery                         | <see file for the SQL query>    | Used to retrieve roles from the LAMS DB. Don't change
truststore.path                    | D:\path\to\your\LDAP\ssl\cert   | Necessary when communicating via SSL
truststore.password                | somepassword                    | Necessary when communicating via SSL

Relevant Code

The class org.lamsfoundation.lams.security.LDAPAuthenticator in lams_central handles the setup of the JNDI context. Parameters are read in from lamsauthentication.xml by org.lamsfoundation.lams.security.AuthenticationMethodConfigurer in lams_central.
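As an added illustration (not LAMS code), the following Python mirrors what the Passwords and Configuration sections describe: the bind DN is built from principalDNPrefix, the LAMS username and principalDNSuffix, the bind password is the SHA-1 of the user's password, and the value to store in OpenLDAP must be a hash of that SHA-1 value. The hex encoding of the SHA-1, the RFC 4514 escaping of the username and the refusal of a simple bind without ssl are assumptions and hardening added here, not LAMS behaviour.

```python
import base64
import hashlib

# Constructed sample values using this page's lamsauthentication.xml parameter names.
CONFIG = {
    "java.naming.provider.url": "ldap://ldap.blah.org:636",
    "java.naming.security.authentication": "simple",
    "java.naming.security.protocol": "ssl",
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",dc=blah,dc=org",
}


def escape_rdn_value(value):
    # RFC 4514 escaping (added hardening): a ',' or '=' in the username cannot alter the DN.
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def lams_credential(password):
    # What LAMS sends as the bind password: SHA-1 of the cleartext (hex encoding assumed).
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def openldap_user_password(password):
    # userPassword to store on the OpenLDAP side with the {SHA} scheme: the hash is
    # applied to the SHA-1 credential, because that is what LAMS presents in the bind.
    digest = hashlib.sha1(lams_credential(password).encode("ascii")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def build_bind_env(config, username, password):
    # Assemble the JNDI environment for the simple bind; refuse (check added here) a
    # configuration that would send the SHA-1 credential without SSL.
    url = config["java.naming.provider.url"]
    uses_ssl = config.get("java.naming.security.protocol") == "ssl" or url.startswith("ldaps://")
    if config["java.naming.security.authentication"] == "simple" and not uses_ssl:
        raise ValueError("simple bind without SSL would send the SHA-1 credential in the clear")
    dn = config["principalDNPrefix"] + escape_rdn_value(username) + config["principalDNSuffix"]
    return {
        "java.naming.provider.url": url,
        "java.naming.security.authentication": config["java.naming.security.authentication"],
        "java.naming.security.protocol": config.get("java.naming.security.protocol", ""),
        "java.naming.security.principal": dn,
        "java.naming.security.credentials": lams_credential(password),
    }
```

The returned dictionary corresponds to the JNDI environment properties the LDAPAuthenticator would pass to the initial context; openldap_user_password gives the value an admin would set in the user's userPassword attribute so that the LAMS bind succeeds.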

What's Missing (aka Nice to Haves)

Automatic user provisioning

Currently LAMS accounts must exist before any authentication is even considered. However, it would be easier for admins if LAMS accounts (i.e. rows in lams_user) were created on the fly when a user logs in with LDAP credentials for the first time.

Automatic roles provisioning

Better still would be to automatically translate any grouping/roles/permissions information into the LAMS roles/group/subgroup format. Alternatively, add an LDAP option to the 'add/remove user' screens so that LDAP users are included in the available list of users.

SASL support for LDAP v3

Add support for security measures in communication other than SSL, for security and compatibility.

GUI-configurable settings

Currently JBoss needs to be restarted whenever a change is made to lamsauthentication.xml.

Compatibility with different implementations

(22/12/06) I've tested partially with OpenLDAP 2.2.26, but other implementations such as Active Directory may have their differences.
