It is possible to use an LDAP server for authentication in LAMS 2.0, but it requires substantial knowledge on the part of the system administrator: it works, but it is not friendly. The following is a brief overview of how it is currently set up. It has been tested using OpenLDAP 2.2.26.
LDAP is used only to authenticate a user (i.e. check the username and password); that is as far as it goes. For authorisation (roles/permissions), LAMS' own database is used.
User accounts still need to be created as usual by a sysadmin or group admin; the only change is that authentication_method_id must be set to 3 (i.e. MQ-LDAP in the lams_authentication_method table).
The password LAMS sends to LDAP is the SHA-1 hash of the password, not the cleartext. Any hashing of the password on the LDAP side must therefore be applied to the SHA-1 value, not to the password itself.
This is because the login form currently sends the hashed password to LAMS' database, where it is stored in SHA-1 form.
The LDAP settings are located in $JBOSS_HOME/server/default/conf/lamsauthentication.xml, in the method block titled "MQ-LDAP". The configurable parameters are as follows:
| Parameter | Example value | Description |
|---|---|---|
| java.naming.provider.url | ldap://ldap.blah.org:636 | URL of your LDAP server; this example is on the SSL port |
| java.naming.security.authentication | simple, none, anonymous | Use 'simple' for sending the password as cleartext |
| java.naming.security.protocol | ssl | Keep this parameter to communicate with LDAP over SSL (made optional in 2.0.3) |
| principalDNPrefix | uid= | Combined with the LAMS username to form the DN for LDAP |
| principalDNSuffix | ,dc=blah,dc=org | Combined with the LAMS username to form the DN for LDAP |
| dsJndiName | java:/lams-ds | LAMS datasource; don't change |
| rolesQuery | <see file for the SQL query> | Used to retrieve roles from the LAMS DB; don't change |
| truststore.path | D:\path\to\your\LDAP\ssl\cert | Necessary when communicating via SSL |
| truststore.password | somepassword | Necessary when communicating via SSL |
The class org.lamsfoundation.lams.security.LDAPAuthenticator in lams_central handles the setup of the JNDI context. The parameters are read from lamsauthentication.xml by org.lamsfoundation.lams.security.AuthenticationMethodConfigurer in lams_central.
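The two points above that trip up administrators are the DN built from principalDNPrefix + username + principalDNSuffix, and the fact that the bind password LAMS sends is the SHA-1 of the user's password. The following is an added example, not LAMS code, showing what the directory must hold for a LAMS bind to succeed; it assumes the SHA-1 is sent as lowercase hex (as stored in lams_user), that the directory is OpenLDAP using {SSHA} userPassword values, and it adds RFC 4514 escaping of the username, which the page does not say LAMS performs.

```python
import base64
import hashlib
import os

# Values from the lamsauthentication.xml table above.
PRINCIPAL_DN_PREFIX = "uid="
PRINCIPAL_DN_SUFFIX = ",dc=blah,dc=org"

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_DN_SPECIALS = set(',+"\\<>;')

def escape_dn_value(value: str) -> str:
    """Escape a username for use as an RDN value. Assumption: LAMS itself
    may not do this; it is added so a username containing ',' cannot
    change which entry the bind is performed against."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def lams_bind_dn(username: str) -> str:
    """DN LAMS binds with: principalDNPrefix + username + principalDNSuffix."""
    return PRINCIPAL_DN_PREFIX + escape_dn_value(username) + PRINCIPAL_DN_SUFFIX

def lams_bind_credential(password: str) -> str:
    """What LAMS sends as the bind password: the SHA-1 of the password
    (assumed lowercase hex, matching the value stored in lams_user)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def openldap_userpassword(credential: str, salt: bytes = b"") -> str:
    """OpenLDAP {SSHA} userPassword value to provision for a LAMS user.
    It must hash the SHA-1 credential string, not the cleartext password."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(credential.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored: str, credential: str) -> bool:
    """Check a bind credential against a stored {SSHA} value, as the
    directory does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(credential.encode("utf-8") + salt).digest() == digest
```

Provisioning the entry with a hash of the cleartext password instead (the usual ldappasswd workflow) produces a userPassword that LAMS logins will never match, because the directory then compares the salted hash against the SHA-1 hex string rather than the original password.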
Currently a LAMS account must already exist before authentication is even attempted. It would be easier for admins if LAMS accounts (i.e. rows in lams_user) were created on the fly the first time a user logs in with LDAP credentials.
Better still would be to automatically translate any grouping/roles/permissions information from LDAP into the LAMS roles/group/subgroup format. Alternatively, an LDAP option could be added to the 'add/remove user' screens so that LDAP users appear in the list of available users.
Support for securing the connection by means other than SSL should be added, for both security and compatibility.
Currently JBoss needs to be restarted after any change to lamsauthentication.xml.
(22/12/06) I've tested partially with OpenLDAP 2.2.26, but other implementations, such as Active Directory, may have their differences.