</pre><p>A snapshot file is similar but doesn't have recstatus, since
it's not a delta but a list of valid records. See the larger
example in the design document for more details.</p><p>(More information: <a href="ims-sync-driver-design" title="IMS Sync driver design">the section called “IMS Sync driver
LDAP/Active Directory with OpenACS</h2></div></div></div><div class="authorblurb">by <a href="http://openacs.org/shared/community-member?user_id=8551" target="_top">John Sequeira</a>, <a href="http://openacs.org/shared/community-member?user_id=8263" target="_top">Michael Steigman</a>, and <a href="http://openacs.org/shared/community-member?user_id=12805" target="_top">Carl Blesius</a>. OpenACS docs are written by the named
authors, and may be edited by OpenACS documentation staff.</div><p>
<b>ToDo: </b>Add/verify information on on-demand sync,
account registration, and batch synchronization. Add section on
ldapsearch.</p><p>
<b>Overview. </b>You do not want to make users remember yet
another password and username. If you can avoid it you do not want
to store their passwords either. This document should help you set
your system up so your users can seamlessly log in to your OpenACS
instance using the password they are accustomed to using for other
things at your institution.</p><p>
<b>Background. </b>The original OpenACS LDAP implementation
(which has been depreciated by this package) treated the LDAP
server as another data store similar to Oracle or Postgresql. It
opened a connection using a priveleged account and read or stored
an encrypted password for the user in question. This password was
independent of the user's operating system or network account, and
had to be synchronized if you wanted the same password for
OpenACS.Save their passwords? Sync passwords? Deal with forgotten
password requests? No Thanks. Using ldap bind, you can delegate
authentication completely to LDAP. This way you can let the IT
department (if you are lucky) worry about password
storage/synchronization/etc. The bind operation takes a username
and password and returns a true of false depending on whether they
match up. This document takes the 'bind' approach so that your
users LDAP/AD password (or whatever else you use) can be used to
login to OpenACS.</p><p>
<b>Note on Account Creation. </b>On the authentication
driver configure screens, you will also see lots of options for
synchronizing users between your directory and OpenACS. This
document takes the approach of provisioning users on demand instead
of ahead-of-time. This means that when they attempt to login to
OpenACS, if they have a valid Windows account, we'll create an
account for them in OpenACS and log them in.</p><div class="orderedlist"><ol type="1">
<li>
<p>
<a name="ext-auth-ldap-setup" id="ext-auth-ldap-setup"></a><b>Installing AOLserver LDAP support
(openldap and nsldap). </b>Install openldap and nsldap using
<a href="http://openacs.org/doc/current/install-ldap-radius.html" target="_top">the document Malte created</a> Next, modify your
config.tcl file as directed in the nsldap README. Here's what the
relevant additions should look like:</p><pre class="screen"><code class="computeroutput">
# LDAP authentication
ns_param nsldap ${bindir}/nsldap.so
...
ns_section "ns/ldap/pool/ldap"
ns_param user "cn=Administrator, cn=Users, dc=mydomain, dc=com"
ns_param password "password"
ns_param host "directory.mydomain.com"
ns_param connections 1
ns_param verbose On
ns_section "ns/ldap/pools"
ns_param ldap ldap
ns_section "ns/server/${server}/ldap"
ns_param pools *
ns_param defaultpool ldap
</code></pre><p>To verify that this is all working, restart Aolserver and ensure
that you see something like this in your error.log:</p><pre class="screen"><code class="computeroutput">
<b>Troubleshooting. </b>If you're having trouble figuring
out some the values for the ldapm, see this useful page on <a href="http://bugzilla.glob.com.au/activedirectory/" target="_top">setting up Active Directory integration with Bugzilla</a>.
It explains how distinguished names are defined in Active
Directory, and how to test that you have the correct values for
connectivity and base DN using the OpenLDAP command-line utility
ldapsearch.John had an issue where nsldap was not loading because
AOLServer couldn't find the openldap client libraries, but he was
able to fix it by adding the openldap libraries to his
<b>Add PAM support to AOLserver. </b>OpenACS supports PAM
support via the PAM AOLserver module. PAM is system of modular
support, and can provide local (unix password), RADIUS, LDAP
(<a href="http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/pamnss.html" target="_top">more information</a>), and other forms of
authentication. Note that due to security issues, the AOLserver PAM
module cannot be used for local password authentication.</p><div class="orderedlist"><ol type="a">
<li>
<p>
<a name="install-nspam" id="install-nspam"></a><b>Compile and
install ns_pam. </b>Download the <a href="/doc/nspam-download" target="_top">tarball</a> to <code class="computeroutput">/tmp</code>.</p><p>Debian users: first do <strong class="userinput"><code>apt-get
<b>Set up a PAM domain. </b>A PAM domain is a set of rules
for granting privileges based on other programs. Each instance of
AOLserver uses a domain; different aolserver instances can use the
same domain but one AOLserver instance cannot use two domains. The
domain describes which intermediate programs will be used to check
permissions. You may need to install software to perform new types
of authentication.</p><div class="itemizedlist"><ul type="disc">
<li>
<p><b>RADIUS in PAM. </b></p><div class="orderedlist"><ol type="i">
<li>
<p>Untar the <a href="/doc/individual-programs" target="_top">pam_radius tarball</a> and compile and install. (<a href="http://www.freeradius.org/pam_radius_auth/" target="_top">more
the nspam module by uncommenting this line:</p><pre class="programlisting">
ns_param nspam ${bindir}/nspam.so
</pre>
</li>
</ol></div>
</li><li><p>
<b>Install auth-pam OpenACS service package. </b><a href="/acs-admin/install/" target="_top">Install</a><code class="computeroutput">auth-pam</code> and restart the server.</p></li><li>
<p>
<a name="ext-auth-create-authority" id="ext-auth-create-authority"></a><b>Create an OpenACS
authorities. The OpenACS server itself is the "Local Authority,"
used by default.</p><div class="orderedlist"><ol type="a">
<li><p>Browse to the authentication administration page, <code class="computeroutput">http://<span class="replaceable"><span class="replaceable">yourserver</span></span><a href="/acs-admin/auth/" target="_top">/acs-admin/auth/</a>
</code>. Create and name an
authority (in the sitewide admin UI)</p></li><li><p>Set Authentication to PAM.</p></li><li><p>If the PAM domain defines a <code class="computeroutput">password</code> command, you can set Password
Management to PAM. If not, the PAM module cannot change the user's
password and you should leave this option Disabled.</p></li><li><p>Leave Account Registration disabed.</p></li><li><p><a href="configure-batch-sync" title="Configure Batch Synchronization">Configure Batch
driver design</h2></div></div></div><div class="authorblurb">by <a href="mailto:lars\@collaboraid.biz" target="_top">Lars Pind</a> OpenACS docs are written by the named
authors, and may be edited by OpenACS documentation staff.</div><div class="sect2" lang="en">
<li><p>We will parse a document in the <a href="http://www.imsglobal.org/enterprise/index.cfm" target="_top">IMS
Enterprise Specification</a> format (<a href="http://www.imsglobal.org/enterprise/entv1p1/imsent_bestv1p1.html#1404584" target="_top">example XML document</a>), and translate it into
calls to the batch user sync API.</p></li><li><p>The document will contain either the complete user listitemst
(IMS: "snapshot"), or an incremental user listitemst (IMS: "Event
Driven" -- contains only adds, edits, and deletes). You could for
example do a complete transfer once a month, and incrementals every
night. The invocation should decide which type is returned.</p></li>
</ol></div><p>The design should favor interoperability, reliability and
-username { $userid if present, otherwise $sourcedid.id } \
-first_names { $name.given if present, otherwise all except last part of $name.fn } \
-last_name { $name.family if present, otherwise last part of $name.fn } \
-email { $person.email ; we require this, even though the specification does not } \
-url { $url, if present } \
-portrait_url { $photo.imgtype/$photo.extref -- grab photo, store in DB }
}
}
</pre><p>Mandatory fields which we can rely on are:</p><div class="orderedlist"><ol type="1">
<li><p>sourcedid: ID as defined by the source system. Used for
username.</p></li><li><p>name.fn (formatted name). Used for first_names, last_name</p></li>
</ol></div><p>Note that we require 'email' attribute, but the IMS Enterprise
spec does not. Hence, unless we change our data model to allow
users without an email address, we will have to throw an error.</p><p>Here's how we map IMS enterprise to OpenACS tables.</p><div class="orderedlist"><ol type="1">
<a href="http://www.cetis.ac.uk/content/20020524162233" target="_top">Consolidation before the leap; IMS Enterprise 1.1</a>: This
article says that IMS Enterprise 1.1 (current version) does not
address the communication model, which is critically missing for
real seamless interoperability. IMS Enterprise 2.0 will address
this, but Blackboard, who's influential in the IMS committee, is
adopting OKI's programming interrfaces for this.</p></li><li><p><a href="http://www.cetis.ac.uk/content/20030717185453" target="_top">IMS and OKI, the wire and the socket</a></p></li>