Difference between revisions of "LDAP"

From EPrints Documentation
Jump to: navigation, search
(Kerberos Authentication on AD with On-Demand Creation of Users using LDAP)
m (LDAP Import)
 
(17 intermediate revisions by 4 users not shown)
Line 2: Line 2:
  
 
==LDAP Authentication==
 
==LDAP Authentication==
 +
 +
Complete HOW-TO is available [http://wiki.unimas.my/unimaswiki/bin/view/HOW-TO%2C+Tutorial+%26+User+Manual/HOW-TO+%3A+Install+Eprints+v3.3.12++on+Ubuntu+14.04+With+LDAP+Authentication here]
 +
  
 
===LDAP and User Roles===
 
===LDAP and User Roles===
Line 54: Line 57:
  
 
After editing restart Apache.
 
After editing restart Apache.
 +
 +
===LDAP Testing===
 +
Below is test script to check whether you can connect to the LDAP server and get attributes back for a particular user.  This should generall be saved in ''/opt/eprints3/archives/ARCHIVE/bin/ldaplookup''  It can be called as follows:
 +
 +
/opt/eprints3/archives/ARCHIVE/bin/ldaplookup USERNAME
 +
 +
#!/usr/bin/perl -w
 +
 +
# EPrints Services LDAP test script
 +
use Net::LDAP;
 +
use Net::LDAP::Constant;
 +
use strict;
 +
 +
my ($user_sent) = $ARGV[0];
 +
 +
# Params
 +
my $ldap_host = "ldaps://ad.example.org"; # Active Directory server on example.org domain
 +
my $bind_dn = "cn=USERNAME,ou=root,dc=example,dc=org"; # one or more 'ou's may need to be set
 +
my $bind_pword = "PASSWORD";
 +
my $base = "dc=example,dc=org"; # Likely the same domain as the AD server itself
 +
 +
# Connect to server
 +
my $ldap = Net::LDAP->new( $ldap_host, version => 3, port => 636 ); # Version and port may need changing
 +
 +
die "LDAP connect error: $@\n" unless defined $ldap;
 +
 +
# Try to bind
 +
my $mesg;
 +
if( $bind_dn eq "" && $bind_pword eq "" )
 +
{
 +
        $mesg = $ldap->bind; # anonymous bind
 +
}
 +
else
 +
{
 +
        $mesg = $ldap->bind( $bind_dn, password => $bind_pword );
 +
}
 +
die "LDAP bind error: " . $mesg->error() . "\n" if $mesg->code();
 +
 +
# Search for an account and get all available attributes (by not setting attrs)
 +
$mesg = $ldap->search (
 +
        base    => $base,
 +
        scope  => "sub",
 +
        filter => "uid=$user_sent", # Most likely cn, uid or sAMAccountName
 +
        sizelimit => 1,
 +
);
 +
if( $mesg->code() )
 +
{
 +
        print STDERR "LDAP search error: ".$mesg->error."\n";
 +
        exit;
 +
}
 +
 +
my $entr = $mesg->pop_entry;
 +
unless( defined $entr )
 +
{
 +
        print STDERR "LDAP no search results returned\n";
 +
        exit 1;
 +
}
 +
 +
# See what attributes are set for this user
 +
print $entr->dump;
 +
 +
$ldap->unbind;
 +
  
 
===LDAP Authentication with Bulk Import of Users===
 
===LDAP Authentication with Bulk Import of Users===
Line 62: Line 128:
  
 
====LDAP Configuration====
 
====LDAP Configuration====
 +
Both the scripts for LDAP user login and import/update of users from LDAP require a number of parameters these are best saved in the archive's cfg/cfg.d/ldap.pl file.
 +
 +
  vi /opt/eprints3/archives/yourarchivename/cfg/cfg.d/ldap.pl
 +
 +
  # Configuration required to manage users who can login / be imported to the repository.
 +
 
 +
  $c->{ldap_hostname} = "ldaps://ldap.example.org";
 +
 +
  # Leave empty for anonymous bind to LDAP
 +
  $c->{ldap_bind_username} = "CN=username,OU=Staff,OU=ROOT,DC=example,DC=org";
 +
  $c->{ldap_bind_password} = "CHANGEME";
 +
 +
  # Typically used in bin/update_users
 +
  $c->{ldap_import_base} = "DC=example.org";
 +
  $c->{ldap_import_filter} = "(&(objectClass=person)(memberOf=CN=Staff,OU=Groups,OU=ROOT,DC=example.org))";
 +
 +
  # Typically used in cfg/cfg.d/user_login.pl
 +
  $c->{ldap_login_base} = $c->{ldap_import_base};
 +
  $c->{ldap_login_filter} = "(&(objectClass=person)(memberOf=CN=AdminStaff,OU=Groups,OU=ROOT,DC=example.org))";
 +
 +
====LDAP Authentication ====
  
 
All changes for LDAP authentication can be made in a single file, the file contains useful notes on configuration. Here is an example from my site, I have configured a standard Samba Domain using LDAP for authentication, if you have similar then this config may work for you :
 
All changes for LDAP authentication can be made in a single file, the file contains useful notes on configuration. Here is an example from my site, I have configured a standard Samba Domain using LDAP for authentication, if you have similar then this config may work for you :
Line 77: Line 164:
 
  # Example: LDAP Authentication (Quick Start)
 
  # Example: LDAP Authentication (Quick Start)
 
  #
 
  #
  # Tip: use the test script to determine your LDAP parameters first!
+
  # Tip: use the test script to determine your LDAP parameters first! Then put the
  # Tip: remove the set-password priviledge from users and editors in
+
# following parameters in ldap.pl or similarly name file in your archive's
 +
# cfg/cfg.d directory:  ldap_hostname, ldap_bind_username, ldap_bind_password
 +
# ldap_import_base, ldap_import_filter, ldap_login_base, ldap_login_filter
 +
  # Tip: remove the set-password privilege from users and editors in
 
  # user_roles.pl. Also consider removing edit-own-record and  
 
  # user_roles.pl. Also consider removing edit-own-record and  
 
  # change-email.
 
  # change-email.
#
 
use Net::LDAP; # IO::Socket::SSL also required
 
use Net::LDAP::Util;
 
 
   
 
   
 
  $c->{check_user_password} = sub {
 
  $c->{check_user_password} = sub {
  my( $repo, $username, $password ) = @_;
+
  my( $session, $username, $password ) = @_;
 
   
 
   
  my $user = $repo->user_by_username( $username );
+
  # Cannot login with a username
  return unless $user;
+
  return 0 if $username =~ /[^a-zA-Z0-9._\-@]/;
 
   
 
   
  $username = $user->value( "username" );
+
  # See if user already exists in EPrints.  .
 +
  my $user = EPrints::DataObj::User::user_with_username( $session, $username );
 
   
 
   
  my $user_type = $user->get_type;
+
  # You may wish fail login if the user does not already have an account.
  if( $user_type eq "admin" )
+
   # return 0 unless defined $user;
  {
+
   # internal authentication for "admin" type
+
  return $repo->database->valid_login( $username, $password );
+
  }
+
 
   
 
   
  # LDAP authentication for "user" and "editor" types
+
  # Get user type from database or assume standard user if no user / user type is set.
  #
+
  my $usertype = defined $user ? $user->get_type : "user";
  # LDAP hostname (and port if not the default)
+
  my $ldap_host = "ldap.yourdomain.ac.uk";
+
  #my $ldap_host = "ldap.host.name:1234";
+
  #my $ldap_host = "ldaps://ldap.host.name"; # if server supports LDAPS
+
 
   
 
   
  # Distinguished name for this user
+
  # minuser and local_admin types have local database logins.      
  # The distinguished name is a unique name for an LDAP entry.
+
  if( $usertype eq "minuser" || $usertype eq "local_admin" )
  # e.g. "cn=John Smith, ou=staff, dc=eprints, dc=org"
+
   {
  # You will need to derive this from the username or user metadata
+
    return $session->get_database->valid_login( $username, $password );
  my $ldap_dn = sprintf("uid=%s,ou=People,dc=example,dc=org",
+
  }
   Net::LDAP::Util::escape_dn_value($username)
+
  );
+
 
   
 
   
  my $ldap = Net::LDAP->new ( $ldap_host, version => 3 );
+
  # Connect to the LDAP hostname configured for this repositiory
  unless( $ldap )
+
  use Net::LDAP;
  {
+
  my $ldap_host = $session->get_repository->get_conf( "ldap_hostname" );
  $repo->log( "LDAP error: $@" );
+
  my $ldap = Net::LDAP->new ( $ldap_host, version => 3 );
  return;
+
  unless( $ldap )
  }
+
  {
 +
    $session->get_repository->log( "LDAP connect error: $@\n" );
 +
    return 0;
 +
  }
 
   
 
   
  # Start secure connection (not needed if using LDAPS)
+
  # Bind using username and password configured for this repository
  my $ssl = $ldap->start_tls( sslversion => "sslv3" );
+
  my $bind_dn = $session->get_repository->get_conf( "ldap_bind_username" ) || "";
  if( $ssl->code() )
+
  my $bind_pword = $session->get_repository->get_conf( "ldap_bind_password" ) || "";
  {
+
   my $mesg;
   $repo->log( "LDAP SSL error: " . $ssl->error() );
+
  if( $bind_dn eq "" && $bind_pword eq "" )
   return;
+
   {
  }
+
    $mesg = $ldap->bind; # anonymous bind
  # Check password
+
  }
  my $mesg = $ldap->bind( $ldap_dn, password => $password );
+
  else
  if( $mesg->code() )
+
  {
  {
+
    $mesg = $ldap->bind( $bind_dn, password => $bind_pword );
  return;
+
  }
  }
+
  if( $mesg->code() )
 +
  {
 +
    $session->get_repository->log( "LDAP bind error: " . $mesg->error . "\n" );
 +
    return 0;
 +
  }
 
   
 
   
  return $username;
+
  # Lookup the user based on the username they provided when logging in.  It is assume this is
 +
  # the sAMAccountName attribute on your Active Directory LDAP server, it may be uid or cn.
 +
  my $base = $session->get_repository->get_conf( "ldap_login_base" );
 +
  my $filter = $session->get_repository->get_conf( "ldap_login_filter" );
 +
  $mesg = $ldap->search(
 +
    base => $base,
 +
    attrs => [qw( sAMAccountName givenName sn mail displayname description memberOf )],
 +
    scope => "sub",
 +
    filter => "&(sAMAccountName=$username) $filter",
 +
    sizelimit => 2,
 +
    timelimit => 30,
 +
  );
 +
  if( $mesg->code() )
 +
  {
 +
    $session->get_repository->log( "LDAP search error: ".$mesg->error."\n" );
 +
    return 0;
 +
  }
 +
  if( $mesg->count() != 1 )
 +
  {
 +
      return 0;
 +
  }
 +
 +
  # If user could be found in LDAP check the password they provided when logging in is correct.
 +
  my $entr = $mesg->entry(0);
 +
  my $user_dn = $entr->dn();
 +
  $mesg = $ldap->bind( $user_dn, password => $password );
 +
  if( $mesg->code )
 +
  {
 +
    $session->get_repository->log( "Failed authentication for $user_dn: ".$mesg->error."\n" );
 +
    return 0;
 +
  }
 +
 +
  # Uncomment to allow on-demand creation of users
 +
  #unless( defined $user )
 +
  #{
 +
  #  my $data = {
 +
  #    username => $username,
 +
  #    usertype => $usertype, # This will be a standard user
 +
  #  };
 +
  #  my $name;
 +
  #  $name->{given} = $entr->get_value( "givenName" ) if defined $entr->get_value( "givenName" );
 +
  #  $name->{family} = $entr->get_value( "sn" ) if defined $entr->get_value( "sn" );
 +
  #  $data->{name} = $name if defined $name;
 +
  #  $data->{email} = $entr->get_value( "mail" ) if defined $entr->get_value( "mail" );
 +
  #  $data->{dept} = $entr->get_value( "ou" ) if defined $entr->get_value( "ou" );
 +
  #
 +
  #  $user = EPrints::DataObj::User->create_from_data(
 +
  #    $session,
 +
  #    $data,
 +
  #    $session->get_repository->get_dataset( "user" )
 +
  #  );
 +
  #}
 +
 +
    return 1;
 
  }
 
  }
# Advanced LDAP Configuration
 
#
 
# 1. It is also possible to define additional user types, each with a different
 
# authentication mechanism. For example, you could keep the default user,
 
# editor and admin types and add ldapuser, ldapeditor and ldapadmin types with
 
# LDAP authentication - this would suit an arrangement where internal staff are
 
# authenticated against the LDAP server but user accounts can still be granted
 
# to external users.
 
#
 
# 2. Sometimes the distinguished name of the user is not computable from the
 
# username. You may need to use values from the user metadata (e.g. name_given,
 
# name_family):
 
#
 
#      my $name = $user->get_value( "name" );
 
#      my $ldap_dn = $name->{family} . ", " . $name->{given} .", ou=yourorg, dc=yourdomain";
 
#
 
# or perform an LDAP lookup to determine it (more complicated):
 
#
 
#      my $base = "ou=yourorg, dc=yourdomain";
 
#      my $result = $ldap->search (
 
#              base    => "$base",
 
#              scope  => "sub",
 
#              filter  => "cn=$username",
 
#              attrs  =>  ['DN'],
 
#              sizelimit=>1
 
#      );
 
#
 
#      my $entr = $result->pop_entry;
 
#      unless( defined $entr )
 
#      {
 
#              return 0;
 
#      }
 
#      my $ldap_dn = $entr->dn
 
#
 
# Alternatively, you could store the distinguished name as part of the user
 
# metadata when the user account is imported              print STDERR "LDAP SSL error: " . $ssl->error() . "\n";
 
  
 
After editing restart Apache.
 
After editing restart Apache.
Line 180: Line 282:
 
====LDAP Import====
 
====LDAP Import====
  
You can use the [http://files.eprints.org/27/1/update_users update_users script] and apply the following patch to make it work with eprints3:
+
Below is an example of a script to import/update users from LDAP based on them being founder under the ldap_import_filter set in ldap.pl above. Typically you would edit this files as follows:
  
<pre>
+
vi /opt/eprints3/archives/myarchivename/bin/update_users
--- update_users.orig  2007-04-23 16:22:26.000000000 +0200
+
+++ update_users    2007-04-24 21:16:40.000000000 +0200
+
@@ -1,6 +1,6 @@
+
-#!/usr/bin/perl -w -I/opt/eprints2/perl_lib
+
+#!/usr/bin/perl -w -I/opt/eprints3/perl_lib
+
  
-use EPrints::User;
+
Before you can run this you will need to change permissions sot it can be run:
+use EPrints::DataObj::User;
+
use EPrints::Session;
+
use Net::LDAP;
+
use strict;
+
@@ -16,6 +16,7 @@
+
  
  # Start connection
+
  chmod u+x /opt/eprints3/archives/myarchivename/bin/update_users
my $ldap = Net::LDAP->new( "ldap.host.name", version => 3 );
+
+$ldap->start_tls();
+
unless( $ldap )
+
{
+
    print STDERR "LDAP error: $@\n";
+
@@ -74,7 +75,7 @@
+
        # New account
+
        if( $forreal )
+
        {
+
-          $user = EPrints::User::create_user( $session, "ldapuser" );
+
+          $user = EPrints::DataObj::User::create( $session, "user" );
+
            $user->set_value( "username", $username );
+
            print "CREATING: $username\n";
+
        }
+
@@ -118,7 +119,7 @@
+
        print "FAMILY = " . $entr->get_value( "sn" ) . "\n";
+
        print "GIVEN = " . $entr->get_value( "givenName" ) . "\n";
+
        print "EMAIL = " . $entr->get_value( "mail" ) . "\n";
+
-      print "DN = " . $entr->get_value( "distinguishedName" ) . "\n";
+
+      print "DN = " . $entr->dn . "\n";
+
 
+
    }
+
 
+
</pre>
+
 
+
===LDAP Authentication with On-Demand Creation of Users===
+
 
+
Here's an example of a customized <tt>/opt/eprints3/archives/ARCHIVEID/cfg/cfg.d/user_login.pl</tt>
+
 
+
* allowing LDAP accounts to login, using the "Advanced LDAP Configuration" example
+
* allowing the local eprints admin account to login w/ database authentication
+
* creating eprints accounts for all successfully authenticated LDAP users ''on the fly''
+
  
Most of the code is from the default <tt>user_login.pl</tt> and from the [http://files.eprints.org/27/1/update_users update_users] script (which does not seem to exist anymore, but code & text below seem to have been written by [[User:Sp]] not later than May 7th 2007).
+
Then to run the script use the following:
  
Be sure to only use this over [[HTTPS]]!
+
/opt/eprints3/archives/myarchivename/bin/update_users myarchivename
 
+
 
  $c->{check_user_password} = sub {
+
  #!/usr/bin/perl -w
    my( $session, $username, $password ) = @_;
+
   
+
# EPrints LDAP example user import/update script
    # LDAP authentication for "user", "editor" and "admin" types (roles)
+
   
+
use FindBin;
    use Net::LDAP; # IO::Socket::SSL also required
+
use lib "$FindBin::Bin/../../../perl_lib";
   
+
    # LDAP tunables
+
use EPrints;
    my $ldap_host = "ldap.example.org";
+
use Getopt::Long;
    my $base      = "dc=example,dc=org";
+
use Net::LDAP;
    my $dn        = "cn=someProxyAccount,ou=accounts,$base";
+
use Net::LDAP::Control::Paged;
   
+
use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED );
    my $ldap      = Net::LDAP->new ( $ldap_host, version => 3 );
+
use strict;
    unless( $ldap )
+
    {
+
my $verbose = 0;
        print STDERR "LDAP error: $@\n";
+
GetOptions(
        return 0;
+
  'verbose+' => \$verbose,
    }
+
);
   
+
    # Start secure connection (not needed if using LDAPS)
+
my $session = EPrints::Session->new( 1 , $ARGV[0] );
    my $ssl = $ldap->start_tls();
+
exit( 1 ) unless defined $session;
    if( $ssl->code() )
+
    {
+
# Params
        print STDERR "LDAP SSL error: " . $ssl->error() . "\n";
+
my $ldap_host = $session->get_repository->get_conf( "ldap_hostname" );
        return 0;
+
my $bind_dn = $session->get_repository->get_conf( "ldap_bind_username" );
    }
+
my $bind_pword = $session->get_repository->get_conf( "ldap_bind_password" );
   
+
my $base = $session->get_repository->get_conf( "ldap_import_base" );
    # Get password for the search-bind-account
+
my $filter = $session->get_repository->get_conf( "ldap_import_filter" );
    my $repository = $session->get_repository;
+
    my $id        = $repository->get_id;
+
# Connect to server
    my $ldappass  = `cat /opt/eprints3/archives/$id/cfg/ldap.passwd`;
+
my $ldap = Net::LDAP->new( $ldap_host, version => 3 );
    chomp($ldappass);
+
die "LDAP connect error: $@\n" unless defined $ldap;
   
+
    my $mesg = $ldap->bind( $dn, password=>$ldappass );
+
# Try to bind
    if( $mesg->code() )
+
my $mesg;
    {
+
if( $bind_dn eq "" && $bind_pword eq "" )
        print STDERR "LDAP Bind error: " . $mesg->error() . "\n";
+
{
        return 0;
+
  $mesg = $ldap->bind; # anonymous bind
    }
+
}
   
+
else
    # Distinguished name (and attribues needed later on) for this user
+
{
    my $result = $ldap->search (
+
  $mesg = $ldap->bind( $bind_dn, password => $bind_pword );
        base   => "$base",
+
}
        scope   => "sub",
+
die "LDAP bind error: " . $mesg->error() . "\n" if $mesg->code();
        filter => "(&(uid=$username)(objectclass=inetOrgPerson))",
+
        attrs  => ['1.1', 'uid', 'sn', 'givenname', 'mail'],
+
my $updated_counter = 0;
        sizelimit=>1
+
my $created_counter = 0;
    );
+
    my $entr = $result->pop_entry;
+
# Create paging control
    unless( defined $entr )
+
my $page = Net::LDAP::Control::Paged->new( size => 100 );
    {
+
        # Allow local EPrints authentication for admins (accounts not found in LDAP)
+
# Build args for the search
        my $user = EPrints::DataObj::User::user_with_username( $session, $username );
+
my @args = (
        return 0 unless $user;
+
   base => $base,
       
+
  scope => "sub",
        my $user_type = $user->get_type;
+
  filter => $filter,
        if( $user_type eq "admin" )
+
  callback => \&process_entry,
        {
+
  control => [ $page ],
            # internal authentication for "admin" type
+
);
            return $session->get_database->valid_login( $username, $password );
+
        }
+
print "\n$created_counter user(s) created.\n $updated_counter user(s) updated.\n" if $verbose;
        return 0;
+
    }
+
my $cookie;
    my $ldap_dn = $entr->dn;
+
while( 1 )
   
+
{
    # Check password
+
  # Perform search
    my $mesg = $ldap->bind( $ldap_dn, password => $password );
+
  my $result = $ldap->search( @args );
    if( $mesg->code() )
+
    {
+
  # Only continue on LDAP_SUCCESS
        return 0;
+
  $result->code and last;
    }
+
   
+
  # Get cookie from paged control
    # Does account already exist?
+
  my( $resp ) = $result->control( LDAP_CONTROL_PAGED ) or last;
    my $user = EPrints::DataObj::User::user_with_username( $session, $username );
+
  $cookie = $resp->cookie or last;
    if( !defined $user )
+
    {
+
  # Set cookie in paged control
        # New account
+
  $page->cookie( $cookie );
        $user = EPrints::DataObj::User::create( $session, "user" );
+
}
        $user->set_value( "username", $username );
+
    }
+
if( $cookie )
   
+
{
    # Set metadata
+
  # We had an abnormal exit, so let the server know we do not want any more
    my $name = {};
+
  $page->cookie( $cookie );
    $name->{family} = $entr->get_value( "sn" );
+
  $page->size( 0 );
    $name->{given} = $entr->get_value( "givenName" );
+
  $ldap->search( @args );
    $user->set_value( "name", $name );
+
}
    $user->set_value( "username", $username );
+
    $user->set_value( "email", $entr->get_value( "mail" ) );
+
$ldap->unbind;
    $user->commit();
+
$session->terminate;
   
+
    $ldap->unbind if $ldap;
+
# Process entry
   
+
sub process_entry
    return 1;
+
{
 +
  my( $mesg, $entr ) = @_;
 +
 +
  return unless defined $entr and $entr->can("get_value");
 +
 +
  my $username = $entr->get_value( "sAMAccountName" ); # This may need to be changed to uid or cn rather than sAMAccountName
 +
  my $given = $entr->get_value( "givenName" );
 +
  my $family = $entr->get_value( "sn" );
 +
  my $email = $entr->get_value( "mail" );
 +
  my $dept = $entr->get_value( "department" );
 +
 +
  # Assumes that the user account will have a given name, family name, username and email address
 +
  return unless defined $username && defined $given && defined $family && defined $email;
 +
 +
  # Can we find this user already in EPrints by username
 +
  my $user = EPrints::DataObj::User::user_with_username( $session, $username );
 +
  # If not maybe we can find them by email address.
 +
  if( !defined $user )
 +
  {
 +
    my $user = EPrints::DataObj::User::user_with_email( $session, $email );
 +
  }
 +
  if( !defined $user )
 +
  {
 +
    print "Creating for username: $username\n" if $verbose;
 +
    $user = EPrints::DataObj::User::create( $session, "user" );
 +
    $created_counter = $created_counter +1;
 +
  }
 +
  else
 +
  {
 +
    print "Updating for username: $username with ID: ".$user->id."\n" if $verbose;
 +
    $updated_counter = $updated_counter+1;
 +
  }
 +
  my $name = {
 +
    family => $family,
 +
    given => $given,
 +
  };
 +
  my $usertype = "user";
 +
  $user->set_value( "usertype", $usertype );
 +
  $user->set_value( "username", $username );
 +
  $user->set_value( "name", $name );
 +
  $user->set_value( "email", $email );
 +
  $user->set_value( "dept", $dept );
 +
  $user->commit();
 
  }
 
  }
  
 
====Things to note====
 
====Things to note====
  
* This script uses a dedicated proxy account which must exist in your LDAP tree and has appropriate permissions (ACL settings) to search for users and read their <tt>uid,givenname,sn,mail</tt> attributes.
+
* These scripts use a dedicated proxy account which must exist in your LDAP tree and has appropriate permissions (ACL settings) to search for users and read their <tt>uid,givenname,sn,mail</tt> attributes.
 
* It gets this proxy accounts' password from a file inside the repository configuration. this file needs to have read permissions for the user your webserver runs as (e.g. <tt>www-data</tt> on Debian).  Use file system permissions to protect this (e.g. <tt>chmod 400 ldap.passwd</tt>).
 
* It gets this proxy accounts' password from a file inside the repository configuration. this file needs to have read permissions for the user your webserver runs as (e.g. <tt>www-data</tt> on Debian).  Use file system permissions to protect this (e.g. <tt>chmod 400 ldap.passwd</tt>).
 
* It changes the flow of <tt>user_login.pl</tt> a little to only check for local ''admin'' accounts (no users or editors; we have them all in our LDAP tree) and only when no user is found for ldap authentication. This allows you to have your admins in LDAP (if you want) but still use the local admin for "promoting" other users to admins, among other things (which could also be done with a simple SQL <code>update</code> directly in the RDBMS). If you don't need the local admin, remove those lines and just <tt>return 0</tt> since no user was found in LDAP.
 
* It changes the flow of <tt>user_login.pl</tt> a little to only check for local ''admin'' accounts (no users or editors; we have them all in our LDAP tree) and only when no user is found for ldap authentication. This allows you to have your admins in LDAP (if you want) but still use the local admin for "promoting" other users to admins, among other things (which could also be done with a simple SQL <code>update</code> directly in the RDBMS). If you don't need the local admin, remove those lines and just <tt>return 0</tt> since no user was found in LDAP.
Line 361: Line 463:
 
   my $proxy_user ="ad_read";
 
   my $proxy_user ="ad_read";
 
   my $dn        = "CN=$proxy_user,$base";
 
   my $dn        = "CN=$proxy_user,$base";
 
+
 
 
   # Kerberos tunables
 
   # Kerberos tunables
 
   my $krb_host = "example.org";
 
   my $krb_host = "example.org";
 
+
     
 
   my $krb   = Authen::Krb5::Simple->new(realm => $krb_host);
 
   my $krb   = Authen::Krb5::Simple->new(realm => $krb_host);
 
   unless ( $krb )
 
   unless ( $krb )
 
   {
 
   {
print STDERR "Kerberos error: $@\n";
+
  print STDERR "Kerberos error: $@\n";
return 0;
+
  return 0;
 
   }
 
   }
 
+
 
 
   my $ldap      = Net::LDAP->new ( $ldap_host );
 
   my $ldap      = Net::LDAP->new ( $ldap_host );
 
   unless( $ldap )
 
   unless( $ldap )
Line 383: Line 485:
 
           callback => { user => 'ad_read' }
 
           callback => { user => 'ad_read' }
 
         ) or die "$@";
 
         ) or die "$@";
 
+
 
 
   my $mesg = $ldap->bind(sasl => $sasl);
 
   my $mesg = $ldap->bind(sasl => $sasl);
 
+
 
 
   if( $mesg->code() )
 
   if( $mesg->code() )
 
   {
 
   {
Line 391: Line 493:
 
       return 0;
 
       return 0;
 
   }
 
   }
 
+
 
 
   # Distinguished name (and attribues needed later on) for this user
 
   # Distinguished name (and attribues needed later on) for this user
 
   my $result = $ldap->search (
 
   my $result = $ldap->search (
Line 399: Line 501:
 
       sizelimit=>1
 
       sizelimit=>1
 
   );
 
   );
 
+
 
 
   my $entr = $result->pop_entry;
 
   my $entr = $result->pop_entry;
 
   unless( defined $entr )
 
   unless( defined $entr )
Line 406: Line 508:
 
       my $user = EPrints::DataObj::User::user_with_username( $session, $username );
 
       my $user = EPrints::DataObj::User::user_with_username( $session, $username );
 
       return 0 unless $user;
 
       return 0 unless $user;
 
+
 
 
       my $user_type = $user->get_type;
 
       my $user_type = $user->get_type;
 
       if( $user_type eq "admin" )
 
       if( $user_type eq "admin" )
Line 415: Line 517:
 
       return 0;
 
       return 0;
 
   }
 
   }
 
 
    
 
    
 
   # Check password
 
   # Check password
 
   if( !$krb->authenticate( $username, $password ) )
 
   if( !$krb->authenticate( $username, $password ) )
 
   {
 
   {
print STDERR "$username authentication failed: ", $krb->errstr(), "\n";
+
  print STDERR "$username authentication failed: ", $krb->errstr(), "\n";
 
       return 0;
 
       return 0;
 
   }
 
   }
Line 447: Line 548:
 
    
 
    
 
   return 1;
 
   return 1;
}
+
  }
  
====Possible enhancements====
+
===Possible enhancements===
  
 
Currently this script does not remove local eprints accounts from the database: when accounts get deleted from the LDAP database the corresponding local EPrints accounts sit around forever. But since login isn't possible anymore this is not a risk or of high priority.
 
Currently this script does not remove local eprints accounts from the database: when accounts get deleted from the LDAP database the corresponding local EPrints accounts sit around forever. But since login isn't possible anymore this is not a risk or of high priority.
  
 
Depending on your situation it may be enough to run some kind of cleanup script, e.g. once a year, that get's a list of all local EPrints accounts, loops over them and <code>$user->remove</code>s all those, which cannot be found in LDAP anymore (except for those where <code>$user_type eq 'admin'</code>, so you don't risk losing your local admins).
 
Depending on your situation it may be enough to run some kind of cleanup script, e.g. once a year, that get's a list of all local EPrints accounts, loops over them and <code>$user->remove</code>s all those, which cannot be found in LDAP anymore (except for those where <code>$user_type eq 'admin'</code>, so you don't risk losing your local admins).

Latest revision as of 13:05, 12 June 2017


LDAP Authentication

Complete HOW-TO is available here


LDAP and User Roles

It is recommended that certain user rights are removed when using LDAP for login. The user should not be allowed to change their password or their email address. It is also suggested that the user not be allowed to edit their profile, however I have found certain fields that I would like the user to edit. To set the rights edit the file :

vi /opt/eprints3/archives/yourarchivename/cfg/cfg.d/user_roles.pl
######################################################################
#
# User Roles
#
#  Here you can configure which different types of user are 
#  parts of the system they are allowed to use.
#
######################################################################
$c->{user_roles}->{user} = [qw/
       general
       edit-own-record
       saved-searches
       deposit
/],
$c->{user_roles}->{editor} = [qw/
       general
       edit-own-record
       saved-searches
       deposit
       editor
       view-status
       staff-view
/],
$c->{user_roles}->{admin} = [qw/
       general
       edit-own-record
       saved-searches
       set-password
       deposit
       change-email
       editor
       view-status
       staff-view
       admin
/],
#$c->{user_roles}->{minuser} = [qw/
#       saved-searches
#       set-password
#       change-email
#       change-user
#       no_edit_own_record
#       lock-username-to-email
#/];

After editing restart Apache.

LDAP Testing

Below is test script to check whether you can connect to the LDAP server and get attributes back for a particular user. This should generall be saved in /opt/eprints3/archives/ARCHIVE/bin/ldaplookup It can be called as follows:

/opt/eprints3/archives/ARCHIVE/bin/ldaplookup USERNAME
#!/usr/bin/perl -w

# EPrints Services LDAP test script
use Net::LDAP;
use Net::LDAP::Constant;
use strict;

my ($user_sent) = $ARGV[0];

# Params
my $ldap_host = "ldaps://ad.example.org"; # Active Directory server on example.org domain
my $bind_dn = "cn=USERNAME,ou=root,dc=example,dc=org"; # one or more 'ou's may need to be set
my $bind_pword = "PASSWORD";
my $base = "dc=example,dc=org"; # Likely the same domain as the AD server itself

# Connect to server
my $ldap = Net::LDAP->new( $ldap_host, version => 3, port => 636 ); # Version and port may need changing

die "LDAP connect error: $@\n" unless defined $ldap;

# Try to bind
my $mesg;
if( $bind_dn eq "" && $bind_pword eq "" )
{
       $mesg = $ldap->bind; # anonymous bind
}
else
{
       $mesg = $ldap->bind( $bind_dn, password => $bind_pword );
}
die "LDAP bind error: " . $mesg->error() . "\n" if $mesg->code();

# Search for an account and get all available attributes (by not setting attrs)
$mesg = $ldap->search (
       base    => $base,
       scope   => "sub",
       filter => "uid=$user_sent", # Most likely cn, uid or sAMAccountName
       sizelimit => 1,
);
if( $mesg->code() )
{
       print STDERR "LDAP search error: ".$mesg->error."\n";
       exit;
}

my $entr = $mesg->pop_entry;
unless( defined $entr )
{
       print STDERR "LDAP no search results returned\n";
       exit 1;
}

# See what attributes are set for this user
print $entr->dump;

$ldap->unbind;


LDAP Authentication with Bulk Import of Users

This recipe enables authenticating passwords against an LDAP directory for all users (including administrators). The users will need to already exist in EPrints, most likely created by a bulk import from your LDAP server.

The recommendation for EPrints is not to allow users to alter email and passwords, as these changes are not at present written back to the LDAP database.

LDAP Configuration

Both the scripts for LDAP user login and import/update of users from LDAP require a number of parameters these are best saved in the archive's cfg/cfg.d/ldap.pl file.

 vi /opt/eprints3/archives/yourarchivename/cfg/cfg.d/ldap.pl
 # Configuration required to manage users who can login / be imported to the repository.
 
 $c->{ldap_hostname} = "ldaps://ldap.example.org";

 # Leave empty for anonymous bind to LDAP
 $c->{ldap_bind_username} = "CN=username,OU=Staff,OU=ROOT,DC=example,DC=org";
 $c->{ldap_bind_password} = "CHANGEME";

 # Typically used in bin/update_users
 $c->{ldap_import_base} = "DC=example.org";
 $c->{ldap_import_filter} = "(&(objectClass=person)(memberOf=CN=Staff,OU=Groups,OU=ROOT,DC=example.org))";

 # Typically used in cfg/cfg.d/user_login.pl
 $c->{ldap_login_base} = $c->{ldap_import_base};
 $c->{ldap_login_filter} = "(&(objectClass=person)(memberOf=CN=AdminStaff,OU=Groups,OU=ROOT,DC=example.org))";

LDAP Authentication

All changes for LDAP authentication can be made in a single file, the file contains useful notes on configuration. Here is an example from my site, I have configured a standard Samba Domain using LDAP for authentication, if you have similar then this config may work for you :

See user_login.pl for general information on check_user_password.

Edit the file :

vi /opt/eprints3/archives/yourarchivename/cfg/cfg.d/user_login.pl
# This function allows you to override the default username/password
# authentication. For example, you could apply different authentication rules to 
# different types of user.
#
# Example: LDAP Authentication (Quick Start)
#
# Tip: use the test script to determine your LDAP parameters first! Then put the 
# following parameters in ldap.pl or similarly name file in your archive's 
# cfg/cfg.d directory:  ldap_hostname, ldap_bind_username, ldap_bind_password
# ldap_import_base, ldap_import_filter, ldap_login_base, ldap_login_filter
# Tip: remove the set-password privilege from users and editors in
# user_roles.pl. Also consider removing edit-own-record and 
# change-email.

$c->{check_user_password} = sub {
  my( $session, $username, $password ) = @_;

  # Cannot login with a username
  return 0 if $username =~ /[^a-zA-Z0-9._\-@]/;

  # See if user already exists in EPrints.  .
  my $user = EPrints::DataObj::User::user_with_username( $session, $username );

  # You may wish fail login if the user does not already have an account.
  # return 0 unless defined $user;

  # Get user type from database or assume standard user if no user / user type is set.
  my $usertype = defined $user ? $user->get_type : "user";

  # minuser and local_admin types have local database logins.        
  if( $usertype eq "minuser" || $usertype eq "local_admin" )
  {
    return $session->get_database->valid_login( $username, $password );
  }

  # Connect to the LDAP hostname configured for this repositiory
  use Net::LDAP;
  my $ldap_host = $session->get_repository->get_conf( "ldap_hostname" );
  my $ldap = Net::LDAP->new ( $ldap_host, version => 3 );
  unless( $ldap )
  {
    $session->get_repository->log( "LDAP connect error: $@\n" );
    return 0;
  }

  # Bind using username and password configured for this repository
  my $bind_dn = $session->get_repository->get_conf( "ldap_bind_username" ) || "";
  my $bind_pword = $session->get_repository->get_conf( "ldap_bind_password" ) || "";
  my $mesg;
  if( $bind_dn eq "" && $bind_pword eq "" )
  {
    $mesg = $ldap->bind; # anonymous bind
  }
  else
  {
    $mesg = $ldap->bind( $bind_dn, password => $bind_pword );
  }
  if( $mesg->code() )
  {
    $session->get_repository->log( "LDAP bind error: " . $mesg->error . "\n" );
    return 0;
  }

  # Lookup the user based on the username they provided when logging in.  It is assume this is 
  # the sAMAccountName attribute on your Active Directory LDAP server, it may be uid or cn.
  my $base = $session->get_repository->get_conf( "ldap_login_base" );
  my $filter = $session->get_repository->get_conf( "ldap_login_filter" );
  $mesg = $ldap->search(
    base => $base,
    attrs => [qw( sAMAccountName givenName sn mail displayname description memberOf )],
    scope => "sub",
    filter => "&(sAMAccountName=$username) $filter",
    sizelimit => 2,
    timelimit => 30,
  );
  if( $mesg->code() )
  {
    $session->get_repository->log( "LDAP search error: ".$mesg->error."\n" );
    return 0;
  }
  if( $mesg->count() != 1 )
  {
     return 0;
  }

  # If user could be found in LDAP check the password they provided when logging in is correct.
  my $entr = $mesg->entry(0);
  my $user_dn = $entr->dn();
  $mesg = $ldap->bind( $user_dn, password => $password );
  if( $mesg->code )
  {
    $session->get_repository->log( "Failed authentication for $user_dn: ".$mesg->error."\n" );
    return 0;
  }

  # Uncomment to allow on-demand creation of users
  #unless( defined $user )
  #{
  #  my $data = {
  #    username => $username,
  #    usertype => $usertype, # This will be a standard user
  #  };
  #  my $name;
  #  $name->{given} = $entr->get_value( "givenName" ) if defined $entr->get_value( "givenName" );
  #  $name->{family} = $entr->get_value( "sn" ) if defined $entr->get_value( "sn" );
  #  $data->{name} = $name if defined $name;
  #  $data->{email} = $entr->get_value( "mail" ) if defined $entr->get_value( "mail" );
  #  $data->{dept} = $entr->get_value( "ou" ) if defined $entr->get_value( "ou" );
  # 
  #  $user = EPrints::DataObj::User->create_from_data(
  #    $session,
  #    $data,
  #    $session->get_repository->get_dataset( "user" ) 
  #  );
  #}

    return 1;
}

After editing restart Apache.


LDAP Import

Below is an example of a script to import/update users from LDAP based on them being founder under the ldap_import_filter set in ldap.pl above. Typically you would edit this files as follows:

vi /opt/eprints3/archives/myarchivename/bin/update_users

Before you can run this you will need to change permissions sot it can be run:

chmod u+x /opt/eprints3/archives/myarchivename/bin/update_users

Then to run the script use the following:

/opt/eprints3/archives/myarchivename/bin/update_users myarchivename
 
#!/usr/bin/perl -w

# EPrints LDAP example user import/update script

use FindBin;
use lib "$FindBin::Bin/../../../perl_lib"; 

use EPrints;
use Getopt::Long;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED );
use strict;

my $verbose = 0;
GetOptions(
  'verbose+' => \$verbose,
);

my $session = EPrints::Session->new( 1 , $ARGV[0] );
exit( 1 ) unless defined $session;

# Params
my $ldap_host = $session->get_repository->get_conf( "ldap_hostname" );
my $bind_dn = $session->get_repository->get_conf( "ldap_bind_username" );
my $bind_pword = $session->get_repository->get_conf( "ldap_bind_password" );
my $base = $session->get_repository->get_conf( "ldap_import_base" );
my $filter = $session->get_repository->get_conf( "ldap_import_filter" );

# Connect to server
my $ldap = Net::LDAP->new( $ldap_host, version => 3 );
die "LDAP connect error: $@\n" unless defined $ldap;

# Try to bind
my $mesg;
if( $bind_dn eq "" && $bind_pword eq "" )
{
  $mesg = $ldap->bind; # anonymous bind
} 
else
{
  $mesg = $ldap->bind( $bind_dn, password => $bind_pword );
}
die "LDAP bind error: " . $mesg->error() . "\n" if $mesg->code();

my $updated_counter = 0;
my $created_counter = 0;

# Create paging control
my $page = Net::LDAP::Control::Paged->new( size => 100 );

# Build args for the search
my @args = (
  base => $base,
  scope => "sub",
  filter => $filter,
  callback => \&process_entry,
  control => [ $page ],
);

print "\n$created_counter user(s) created.\n $updated_counter user(s) updated.\n" if $verbose;

my $cookie;
while( 1 )
{
  # Perform search
  my $result = $ldap->search( @args );

  # Only continue on LDAP_SUCCESS
  $result->code and last;

  # Get cookie from paged control
  my( $resp ) = $result->control( LDAP_CONTROL_PAGED ) or last;
  $cookie = $resp->cookie or last;

  # Set cookie in paged control
  $page->cookie( $cookie );
}

if( $cookie )
{
  # We had an abnormal exit, so let the server know we do not want any more
  $page->cookie( $cookie );
  $page->size( 0 );
  $ldap->search( @args );
}

$ldap->unbind;
$session->terminate; 

# Process entry
sub process_entry
{
  my( $mesg, $entr ) = @_;

  return unless defined $entr and $entr->can("get_value");

  my $username = $entr->get_value( "sAMAccountName" ); # This may need to be changed to uid or cn rather than sAMAccountName
  my $given = $entr->get_value( "givenName" );
  my $family = $entr->get_value( "sn" );
  my $email = $entr->get_value( "mail" );
  my $dept = $entr->get_value( "department" );

  # Assumes that the user account will have a given name, family name, username and email address
  return unless defined $username && defined $given && defined $family && defined $email;

  # Can we find this user already in EPrints by username
  my $user = EPrints::DataObj::User::user_with_username( $session, $username );
  # If not maybe we can find them by email address.
  if( !defined $user )
  {
    my $user = EPrints::DataObj::User::user_with_email( $session, $email );
  }
  if( !defined $user )
  {
    print "Creating for username: $username\n" if $verbose;
    $user = EPrints::DataObj::User::create( $session, "user" );
    $created_counter = $created_counter +1;
  }
  else
  {
    print "Updating for username: $username with ID: ".$user->id."\n" if $verbose;
    $updated_counter = $updated_counter+1;
  }
  my $name = {
    family => $family,
    given => $given,
  }; 
  my $usertype = "user";
  $user->set_value( "usertype", $usertype );
  $user->set_value( "username", $username );
  $user->set_value( "name", $name );
  $user->set_value( "email", $email );
  $user->set_value( "dept", $dept );
  $user->commit();
}

Things to note

  • These scripts use a dedicated proxy account which must exist in your LDAP tree and has appropriate permissions (ACL settings) to search for users and read their uid,givenname,sn,mail attributes.
  • It gets this proxy accounts' password from a file inside the repository configuration. this file needs to have read permissions for the user your webserver runs as (e.g. www-data on Debian). Use file system permissions to protect this (e.g. chmod 400 ldap.passwd).
  • It changes the flow of user_login.pl a little to only check for local admin accounts (no users or editors; we have them all in our LDAP tree) and only when no user is found for ldap authentication. This allows you to have your admins in LDAP (if you want) but still use the local admin for "promoting" other users to admins, among other things (which could also be done with a simple SQL update directly in the RDBMS). If you don't need the local admin, remove those lines and just return 0 since no user was found in LDAP.
  • you could change the default role for generated user accounts from user, if you really wanted.

Kerberos Authentication on AD with On-Demand Creation of Users using LDAP

Tested on 3.3.8

Here's another example of a customized /opt/eprints3/archives/ARCHIVEID/cfg/cfg.d/user_login.pl:

  • allowing LDAP accounts to login, using the following example
  • allowing the local eprints admin account to login w/ database authentication
  • creating eprints accounts for all successfully authenticated LDAP users on the fly


$c->{check_user_password} = sub {
  my( $session, $username, $password ) = @_;
  
  # Kerberos authentication for "user", "editor" and "admin" types (roles)
  
  use Net::LDAP; # IO::Socket::SSL also required
  use Authen::Krb5::Simple;
  use Authen::SASL;
  
  # LDAP tunables
  my $ldap_host = "ldap.example.org";
  my $base      = "OU=people,DC=example,DC=org";
  my $proxy_user ="ad_read";
  my $dn        = "CN=$proxy_user,$base";
  
  # Kerberos tunables
  my $krb_host = "example.org";
     
  my $krb 	  = Authen::Krb5::Simple->new(realm => $krb_host);
  unless ( $krb )
  {
  	print STDERR "Kerberos error: $@\n";
  	return 0;
  }
  
  my $ldap      = Net::LDAP->new ( $ldap_host );
  unless( $ldap )
  {
      print STDERR "LDAP error: $@\n";
      return 0;
  }
  
  my $sasl = Authen::SASL->new(
         mechanism => 'GSSAPI', 
         callback => { user => 'ad_read' }
       ) or die "$@";
  
  my $mesg = $ldap->bind(sasl => $sasl);
  
  if( $mesg->code() )
  {
      print STDERR "LDAP Bind error: " . $mesg->error() . "\n";
      return 0;
  }
  
  # Distinguished name (and attribues needed later on) for this user
  my $result = $ldap->search (
      base    => "$base",
      filter  => "(&(sAMAccountName=$username))",
      attrs   =>  ['1.1', 'uid', 'sn', 'givenname', 'mail', 'department', 'title'],
      sizelimit=>1
  );
  
  my $entr = $result->pop_entry;
  unless( defined $entr )
  {
      # Allow local EPrints authentication for admins (accounts not found in LDAP)
      my $user = EPrints::DataObj::User::user_with_username( $session, $username );
      return 0 unless $user;
  
      my $user_type = $user->get_type;
      if( $user_type eq "admin" )
      {
          # internal authentication for "admin" type
          return $session->get_database->valid_login( $username, $password );
      }
      return 0;
  }
  
  # Check password
  if( !$krb->authenticate( $username, $password ) )
  {
  	print STDERR "$username authentication failed: ", $krb->errstr(), "\n";
      return 0;
  }
  
  # Does account already exist?
  my $user = EPrints::DataObj::User::user_with_username( $session, $username );
  if( !defined $user )
  {
      # New account
      $user = EPrints::DataObj::User::create( $session, "user" );
      $user->set_value( "username", $username );
  }
  
  # Set metadata
  my $name = {};
  $name->{family} = $entr->get_value( "sn" );
  $name->{given} = $entr->get_value( "givenName" );
  $name->{honourific} = $entr->get_value( "title");
  $user->set_value( "name", $name );
  $user->set_value( "username", $username );
  $user->set_value( "email", $entr->get_value( "mail" ) );
  $user->set_value( "dept", $entr->get_value("department")  );
  $user->commit();
  
  $ldap->unbind if $ldap;
  
  return 1;
 }

Possible enhancements

Currently this script does not remove local eprints accounts from the database: when accounts get deleted from the LDAP database the corresponding local EPrints accounts sit around forever. But since login isn't possible anymore this is not a risk or of high priority.

Depending on your situation it may be enough to run some kind of cleanup script, e.g. once a year, that get's a list of all local EPrints accounts, loops over them and $user->removes all those, which cannot be found in LDAP anymore (except for those where $user_type eq 'admin', so you don't risk losing your local admins).