<licenseurl="http://www.gnu.org/copyleft/gpl.html">GPL version 2</license>
<descriptionformat="text/html">Implements authentication-related security functions for OpenACS, including password, account and session management, bulk account creation etc. Provides a contract based interface for different authentication methods such as PAM or LDAP based authentication.</description>
@@ -54,13 +54,13 @@ incremental file record looks like:</p><pre class="programlisting">
</sourcedid>
</person>
</enterprise>
</pre><p>A snapshot file is similar but doesn't have recstatus, since
it's not a delta but a list of valid records. See the larger
</pre><p>A snapshot file is similar but doesn't have recstatus, since
it's not a delta but a list of valid records. See the larger
example in the design document for more details.</p><p>(More information: <a href="ims-sync-driver-design" title="IMS Sync driver design">the section called “IMS Sync driver
and choose an authority for batch sync.</p></li><li><p>Set Batch sync enabled to Yes. Set GetDocument
Implementation to HTTP GET. Set ProcessDocument Implementation to IMS Enterprise 1.1. These settings will cause OpenACS to attempt to retrieve via HTTP a list of users in XML format from a location we will specify in a few steps.</p></li><li><p>Click OK.</p></li><li><p>On the next page, click <ttclass="computeroutput">Configure</tt> on the GetDocument Implementation line.</p></li><li><p>Enter either or both the IncrementalURL and SnapshotURL. These are the URLs which the external Authority will supply with XML files in IMS Enterprise 1.1 format.</p></li><li><p>Configure your Authority (RADIUS server, etc) to
Implementation to HTTP GET. Set ProcessDocument Implementation to IMS Enterprise 1.1. These settings will cause OpenACS to attempt to retrieve via HTTP a list of users in XML format from a location we will specify in a few steps.</p></li><li><p>Click OK.</p></li><li><p>On the next page, click <ttclass="computeroutput">Configure</kbd> on the GetDocument Implementation line.</p></li><li><p>Enter either or both the IncrementalURL and SnapshotURL. These are the URLs which the external Authority will supply with XML files in IMS Enterprise 1.1 format.</p></li><li><p>Configure your Authority (RADIUS server, etc) to
supply XML files to the URLs IncrementalURL and
SnapshotURL. A typical set of incremental file record
<b>Add PAM support to AOLserver. </b>OpenACS supports PAM
support via the PAM AOLserver module. PAM is system of modular
support, and can provide local (unix password), RADIUS, LDAP
(<a href="http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/pamnss.html" target="_top">more information</a>), and other forms of
<strong>Add PAM support to
AOLserver. </strong>OpenACS supports PAM support via
the PAM AOLserver module. PAM is system of modular support, and can
provide local (unix password), RADIUS, LDAP (<a href="http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html" target="_top">more information</a>), and other forms of
authentication. Note that due to security issues, the AOLserver PAM
module cannot be used for local password authentication.</p><div class="orderedlist"><ol type="a">
<li>
<p>
<a name="install-nspam" id="install-nspam"></a><b>Compile and
install ns_pam. </b>Download the <a href="/doc/nspam-download" target="_top">tarball</a> to <code class="computeroutput">/tmp</code>.</p><p>Debian users: first do <strong class="userinput"><code>apt-get
and install ns_pam. </strong>Download the <a href="/doc/nspam-download" target="_top">tarball</a> to <code class="computeroutput">/tmp</code>.</p><p>Debian users: first do <strong class="userinput"><code>apt-get
<b>Set up a PAM domain. </b>A PAM domain is a set of rules
for granting privileges based on other programs. Each instance of
AOLserver uses a domain; different aolserver instances can use the
same domain but one AOLserver instance cannot use two domains. The
domain describes which intermediate programs will be used to check
permissions. You may need to install software to perform new types
of authentication.</p><div class="itemizedlist"><ul type="disc">
<strong>Set up a PAM domain. </strong>A PAM domain
is a set of rules for granting privileges based on other programs.
Each instance of AOLserver uses a domain; different aolserver
instances can use the same domain but one AOLserver instance cannot
use two domains. The domain describes which intermediate programs
will be used to check permissions. You may need to install software
to perform new types of authentication.</p><div class="itemizedlist"><ul type="disc">
<li>
<p><b>RADIUS in PAM. </b></p><div class="orderedlist"><ol type="i">
<p><strong>RADIUS in PAM. </strong></p><div class="orderedlist"><ol type="i">
<li>
<p>Untar the <a href="/doc/individual-programs" target="_top">pam_radius tarball</a> and compile and install. (<a href="http://www.freeradius.org/pam_radius_auth/" target="_top">more
information</a>)</p><pre class="screen">
...
...
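Review bot: the new version of the "Configure" step opens `<tt class="computeroutput">` but closes it with `</kbd>`, which leaves the list item malformed; either keep `</tt>` or change the opening tag to `<kbd class="computeroutput">Configure</kbd>` so the pair matches. The two "A snapshot file is similar but doesn't have recstatus" lines appear identically on both sides of the hunk, so if a change was intended there it did not make it into the patch.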
@@ -101,29 +101,31 @@ file name, not the fully pathed name) of the domain file in</p><pre class="progr
</li>
</ol></div>
</li><li><p>
<b>LDAP in PAM. </b><a href="http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/pamnss.html#AEN110" target="_top">more information</a>
<strong>LDAP in PAM. </strong><a href="http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html#AEN110" target="_top">more information</a>
</p></li>
</ul></div>
</li><li>
<p><b>Modify the AOLserver configuration file to support
the nspam module by uncommenting this line:</p><pre class="programlisting">
ns_param nspam ${bindir}/nspam.so
</pre>
</li>
</ol></div>
</li><li><p>
<b>Install auth-pam OpenACS service package. </b><a href="/acs-admin/install/" target="_top">Install</a><code class="computeroutput">auth-pam</code> and restart the server.</p></li><li>
<strong>Install auth-pam OpenACS service
package. </strong><a href="/acs-admin/install/" target="_top">Install</a><code class="computeroutput">auth-pam</code> and
restart the server.</p></li><li>
<p>
<a name="ext-auth-create-authority" id="ext-auth-create-authority"></a><b>Create an OpenACS
authorities. The OpenACS server itself is the "Local Authority,"
used by default.</p><div class="orderedlist"><ol type="a">
<a name="ext-auth-create-authority" id="ext-auth-create-authority"></a><strong>Create an OpenACS
authority. </strong>OpenACS supports multiple
authentication authorities. The OpenACS server itself is the
"Local Authority," used by default.</p><div class="orderedlist"><ol type="a">
<li><p>Browse to the authentication administration page, <code class="computeroutput">http://<span class="replaceable"><span class="replaceable">yourserver</span></span><a href="/acs-admin/auth/" target="_top">/acs-admin/auth/</a>
</code>. Create and name an
authority (in the sitewide admin UI)</p></li><li><p>Set Authentication to PAM.</p></li><li><p>If the PAM domain defines a <code class="computeroutput">password</code> command, you can set Password
Management to PAM. If not, the PAM module cannot change the user's
password and you should leave this option Disabled.</p></li><li><p>Leave Account Registration disabed.</p></li><li><p><a href="configure-batch-sync" title="Configure Batch Synchronization">Configure Batch
Management to PAM. If not, the PAM module cannot change the
user's password and you should leave this option Disabled.</p></li><li><p>Leave Account Registration disabed.</p></li><li><p><a href="configure-batch-sync" title="Configure Batch Synchronization">Configure Batch
<html><head><metahttp-equiv="Content-Type"content="text/html; charset=ISO-8859-1"><title>Using Pluggable Authentication Modules (PAM) with OpenACS</title><metaname="generator"content="DocBook XSL Stylesheets V1.68.1"><linkrel="home"href="index.html"title="External Authentication"><linkrel="up"href="ext-auth-install.html"title="Installation"><linkrel="previous"href="ext-auth-install.html"title="Installation"><linkrel="next"href="ext-auth-ldap-install.html"title="Using LDAP/Active Directory with OpenACS"><linkrel="stylesheet"href="openacs.css"type="text/css"></head><bodybgcolor="white"text="black"link="#0000FF"vlink="#840084"alink="#0000FF"><divclass="navheader"><ahref="http://openacs.org"><imgsrc="/doc/images/alex.jpg"border="0"alt="Alex logo"></a><tablewidth="100%"summary="Navigation header"border="0"><tr><tdwidth="20%"align="left"><aaccesskey="p"href="ext-auth-install.html">Prev</a></td><thwidth="60%"align="center">Installation</th><tdwidth="20%"align="right"><aaccesskey="n"href="ext-auth-ldap-install.html">Next</a></td></tr></table><hr></div><divclass="sect1"lang="en"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aname="ext-auth-pam-install"></a>Using Pluggable Authentication Modules (PAM) with OpenACS</h2></div></div></div><p>OpenACS supports PAM authetication via the ns_pam module in AOLserver.</p><divclass="orderedlist"><oltype="1"><li><p><b>Add PAM support to AOLserver.</b>OpenACS supports PAM support via the PAM AOLserver
<html><head><metahttp-equiv="Content-Type"content="text/html; charset=ISO-8859-1"><title>Using Pluggable Authentication Modules (PAM) with OpenACS</title><metaname="generator"content="DocBook XSL Stylesheets V1.68.1"><linkrel="home"href="index.html"title="External Authentication"><linkrel="up"href="ext-auth-install.html"title="Installation"><linkrel="previous"href="ext-auth-install.html"title="Installation"><linkrel="next"href="ext-auth-ldap-install.html"title="Using LDAP/Active Directory with OpenACS"><linkrel="stylesheet"href="openacs.css"type="text/css"></head><bodybgcolor="white"text="black"link="#0000FF"vlink="#840084"alink="#0000FF"><divclass="navheader"><ahref="http://openacs.org"><imgsrc="/doc/images/alex.jpg"border="0"alt="Alex logo"></a><tablewidth="100%"summary="Navigation header"border="0"><tr><tdwidth="20%"align="left"><aaccesskey="p"href="ext-auth-install.html">Prev</a></td><thwidth="60%"align="center">Installation</th><tdwidth="20%"align="right"><aaccesskey="n"href="ext-auth-ldap-install.html">Next</a></td></tr></table><hr></div><divclass="sect1"lang="en"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aname="ext-auth-pam-install"></a>Using Pluggable Authentication Modules (PAM) with OpenACS</h2></div></div></div><p>OpenACS supports PAM authetication via the ns_pam module in AOLserver.</p><divclass="orderedlist"><oltype="1"><li><p><strong>Add PAM support to AOLserver. </strong>OpenACS supports PAM support via the PAM AOLserver
module. PAM is system of modular support, and can provide
local (unix password), RADIUS, LDAP (<ahref="http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/pamnss.html"target="_top">more
local (unix password), RADIUS, LDAP (<ahref="http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html"target="_top">more
information</a>), and other forms of
authentication. Note that due to security issues, the
AOLserver PAM module cannot be used for local password
authentication. </p><divclass="orderedlist"><oltype="a"><li><p><aname="install-nspam"></a><b>Compile and install ns_pam.</b>Download the <ahref="/doc/nspam-download"target="_top">tarball</a> to
authentication. </p><divclass="orderedlist"><oltype="a"><li><p><aname="install-nspam"></a><strong>Compile and install ns_pam. </strong>Download the <ahref="/doc/nspam-download"target="_top">tarball</a> to
<codeclass="computeroutput">/tmp</code>.</p><p>Debian users: first do <strongclass="userinput"><code>apt-get install libpam-dev</code></strong></p><preclass="screen">[root@yourserver root]# <strongclass="userinput"><code>cd /usr/local/src/aolserver</code></strong>
make install</span></span></pre></li><li><p><b>Set up a PAM domain.</b>A PAM domain is a set of rules for granting
make install</span></span></pre></li><li><p><strong>Set up a PAM domain. </strong>A PAM domain is a set of rules for granting
privileges based on other programs. Each instance of
AOLserver uses a domain; different aolserver instances
can use the same domain but one AOLserver instance
...
...
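Review bot: two wording errors survive in the replaced lines: the section intro still reads "PAM authetication" (should be "authentication"), and "PAM is system of modular support" is missing "a". On the substance, the sentence "due to security issues, the AOLserver PAM module cannot be used for local password authentication" is kept verbatim but never says what the issue is; one sentence or a link explaining why local (unix password) checking is excluded would stop administrators from treating it as an arbitrary restriction and trying to work around it.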
@@ -34,7 +34,7 @@ make install</span></span></pre></li><li><p><b>Set up a PAM domain.
which intermediate programs will be used to check
permissions. You may need to install software to
perform new types of authentication.
</p><divclass="itemizedlist"><ultype="disc"><li><p><b>RADIUS in PAM.</b></p><divclass="orderedlist"><oltype="i"><li><p>Untar the <ahref="/doc/individual-programs.html#pam-radius-download"target="_top">pam_radius
</p><divclass="itemizedlist"><ultype="disc"><li><p><strong>RADIUS in PAM. </strong></p><divclass="orderedlist"><oltype="i"><li><p>Untar the <ahref="/doc/individual-programs.html#pam-radius-download"target="_top">pam_radius
tarball</a> and compile and install. (<ahref="http://www.freeradius.org/pam_radius_auth/"target="_top">more
with these contents:</p><preclass="programlisting">auth sufficient /lib/security/pam_radius_auth.so
</pre></li><li><p>Modify the AOLserver configuration file to use
this PAM domain. Edit the line</p><preclass="programlisting">ns_param PamDomain "<spanclass="replaceable"><spanclass="replaceable">service0</span></span>"</pre><p>So that the value of the parameter matches the name (just the file name, not the fully pathed name) of the domain file in </p><preclass="programlisting">/etc/pam.d/</pre></li></ol></div></li><li><p><b>LDAP in PAM.</b><ahref="http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/pamnss.html#AEN110"target="_top">more information</a></p></li></ul></div></li><li><p><b>Modify the AOLserver configuration file to support ns_pam.</b></p><p>In
<codeclass="computeroutput">/var/lib/aolserver/<spanclass="replaceable"><spanclass="replaceable">service0</span></span>/etc/config.tcl</code>, enable the nspam module by uncommenting this line:</p><preclass="programlisting">ns_param nspam ${bindir}/nspam.so</pre></li></ol></div></li><li><p><b>Install auth-pam OpenACS service package.</b><ahref="/acs-admin/install/"target="_top">Install</a><codeclass="computeroutput">auth-pam</code> and restart the server.</p></li><li><p><aname="ext-auth-create-authority"></a><b>Create an OpenACS authority.</b>OpenACS supports multiple authentication authorities.
this PAM domain. Edit the line</p><preclass="programlisting">ns_param PamDomain "<spanclass="replaceable"><spanclass="replaceable">service0</span></span>"</pre><p>So that the value of the parameter matches the name (just the file name, not the fully pathed name) of the domain file in </p><preclass="programlisting">/etc/pam.d/</pre></li></ol></div></li><li><p><strong>LDAP in PAM. </strong><ahref="http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html#AEN110"target="_top">more information</a></p></li></ul></div></li><li><p><strong>Modify the AOLserver configuration file to support ns_pam. </strong></p><p>In
<codeclass="computeroutput">/var/lib/aolserver/<spanclass="replaceable"><spanclass="replaceable">service0</span></span>/etc/config.tcl</code>, enable the nspam module by uncommenting this line:</p><preclass="programlisting">ns_param nspam ${bindir}/nspam.so</pre></li></ol></div></li><li><p><strong>Install auth-pam OpenACS service package. </strong><ahref="/acs-admin/install/"target="_top">Install</a><codeclass="computeroutput">auth-pam</code> and restart the server.</p></li><li><p><aname="ext-auth-create-authority"></a><strong>Create an OpenACS authority. </strong>OpenACS supports multiple authentication authorities.
The OpenACS server itself is the "Local Authority," used by
default.</p><divclass="orderedlist"><oltype="a"><li><p>Browse to the authentication administration page,
<li><p>We will parse a document in the <a href="http://www.imsglobal.org/enterprise/index.cfm" target="_top">IMS
Enterprise Specification</a> format (<a href="http://www.imsglobal.org/enterprise/entv1p1/imsent_bestv1p1.html#1404584" target="_top">example XML document</a>), and translate it into
calls to the batch user sync API.</p></li><li><p>The document will contain either the complete user listitemst
(IMS: "snapshot"), or an incremental user listitemst (IMS: "Event
Driven" -- contains only adds, edits, and deletes). You could for
example do a complete transfer once a month, and incrementals every
night. The invocation should decide which type is returned.</p></li>
(IMS: "snapshot"), or an incremental user listitemst
(IMS: "Event Driven" -- contains only adds, edits, and
deletes). You could for example do a complete transfer once a
month, and incrementals every night. The invocation should decide
which type is returned.</p></li>
</ol></div><p>The design should favor interoperability, reliability and
robustness.</p><pre class="programlisting">
<enterprise>
...
...
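Review bot: "user listitemst" (both the snapshot and the incremental sentence) looks like the result of a global `li` to `listitem` replacement applied to the word "list"; both sides of the hunk carry it, so the new text should read "user list" in all three places. Two smaller points in the same hunk: the "LDAP in PAM" item consists only of an external link, so a domain-file line analogous to the `auth sufficient /lib/security/pam_radius_auth.so` entry shown for RADIUS would make the two subsections consistent; and the paragraph after the `ns_param PamDomain` listing starts mid-sentence with "So that the value of the parameter matches", which reads better as "Set the value so that it matches the file name (not the full path) of the domain file in /etc/pam.d/".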
@@ -148,9 +149,10 @@ for { ... loop over persons in the document ... } {
</pre><p>Mandatory fields which we can rely on are:</p><div class="orderedlist"><ol type="1">
<li><p>sourcedid: ID as defined by the source system. Used for
username.</p></li><li><p>name.fn (formatted name). Used for first_names, last_name</p></li>
</ol></div><p>Note that we require 'email' attribute, but the IMS Enterprise
spec does not. Hence, unless we change our data model to allow
users without an email address, we will have to throw an error.</p><p>Here's how we map IMS enterprise to OpenACS tables.</p><div class="orderedlist"><ol type="1">
</ol></div><p>Note that we require 'email' attribute, but the IMS
Enterprise spec does not. Hence, unless we change our data model to
allow users without an email address, we will have to throw an
error.</p><p>Here's how we map IMS enterprise to OpenACS tables.</p><div class="orderedlist"><ol type="1">
article says that IMS Enterprise 1.1 (current version) does not
address the communication model, which is critically missing for
real seamless interoperability. IMS Enterprise 2.0 will address
this, but Blackboard, who's influential in the IMS committee, is
adopting OKI's programming interrfaces for this.</p></li><li><p><a href="http://www.cetis.ac.uk/content/20030717185453" target="_top">IMS and OKI, the wire and the socket</a></p></li>
this, but Blackboard, who's influential in the IMS committee,
is adopting OKI's programming interrfaces for this.</p></li><li><p><a href="http://www.cetis.ac.uk/content/20030717185453" target="_top">IMS and OKI, the wire and the socket</a></p></li>
<para>You do not want to make users remember yet another password and username. If you can avoid it you do not want to store their passwords either. This document should help you set your system up so your users can seamlessly log in to your OpenACS instance using the password they are accustomed to using for other things at your institution.</para></formalpara>
<formalpara>
<title>Background</title>
<para>The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a priveleged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS.</para>
<para>The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a privileged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS.</para>
<para>Save their passwords? Sync passwords? Deal with forgotten password requests? No Thanks. Using ldap bind, you can delegate authentication completely to LDAP. This way you can let the IT department (if you are lucky) worry about password storage/synchronization/etc. The bind operation takes a username and password and returns a true of false depending on whether they match up. This document takes the 'bind' approach so that your users LDAP/AD password (or whatever else you use) can be used to login to OpenACS.</para></formalpara>
<para>If you're having trouble figuring out some the values for the ldapm, see this useful page on <ulinkurl="http://bugzilla.glob.com.au/activedirectory/">setting up Active Directory integration with Bugzilla</ulink>. It explains how distinguished names are defined in Active Directory, and how to test that you have the correct values for connectivity and base DN using the OpenLDAP command-line utility ldapsearch.</para>
<para>If you're having trouble figuring out some the values for the ldapm, see this useful page on <ulinkurl="https://www.rhyous.com/2009/11/10/how-to-configure-bugzilla-to-authenticate-to-active-directory/">setting up Active Directory integration with Bugzilla</ulink>. It explains how distinguished names are defined in Active Directory, and how to test that you have the correct values for connectivity and base DN using the OpenLDAP command-line utility ldapsearch.</para>
<para>John had an issue where nsldap was not loading because AOLServer couldn't find the openldap client libraries, but he was able to fix it by adding the openldap libraries to his LD_LIBRARY_PATH (e.g. /usr/local/openldap/lib)</para></formalpara>
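Review bot: the bind paragraph says the operation "returns a true of false depending on whether they match up" (should be "true or false"), but the more important gap is that a bind with a DN and an empty password is treated by many directory servers as an unauthenticated bind that succeeds, so the document should note that the login code must reject an empty password before attempting the bind, otherwise the delegation described here lets anyone log in as any known user. Minor: "depreciated" in the Background paragraph should be "deprecated" (the hunk fixes "privileged" on the same line but leaves this one), and "your users LDAP/AD password" needs an apostrophe.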