LDAP

From EPrints Documentation
Revision as of 09:33, 19 December 2006 by Neilmarj (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Introduction

I am hoping that someone will add to this document regarding the importing of users. I decided that importing all users from my LDAP repository was not a good idea, I run Samba and an import would mean setting up 75 computers with access to eprints. I now create each user that requires access and use LDAP for authentication. This means that my users still only need to remember one password.

The recommendation for Eprints is not to allow users to alter email and passwords, as these changes are not at present written back to the LDAP database.

LDAP Configuration

All changes for LDAP authentication can be made in a single file, the file contains useful notes on configuration. Here is an example from my site, I have configured a standard Samba Domain using LDAP for authentication, if you have similar then this config may work for you :

Edit the file :

vi /var/lib/eprints3/archives/yourarchivename/cfg/cfg.d/user_login.pl
# This function allows you to override the default username/password
# authentication. For example, you could apply different authentication rules to 
# different types of user.
#
# Example: LDAP Authentication (Quick Start)
#
# Tip: use the test script to determine your LDAP parameters first!
# Tip: remove the set-password priviledge from users and editors in
# user_roles.pl. Also consider removing edit-own-record and 
# change-email.
#
$c->{check_user_password} = sub {
        my( $session, $username, $password ) = @_;
        my $user = EPrints::DataObj::User::user_with_username( $session, $username );
        return 0 unless $user;
        my $user_type = $user->get_type;
        if( $user_type eq "admin" )
       {
       #       internal authentication for "admin" type
       #       return EPrints::Apache::Login::valid_login( $session, $username, $password );
       return $session->get_database->valid_login( $username, $password );
       }
# LDAP authentication for "user" and "editor" types
#
# LDAP hostname (and port if not the default)
       my $ldap_host = "ldap.yourdomain.ac.uk";
#       #my $ldap_host = "ldap.host.name:1234";
#       #my $ldap_host = "ldaps://ldap.host.name"; # if server supports LDAPS
#
# Distinguished name for this user
# The distinguished name is a unique name for an LDAP entry.
# e.g. "cn=John Smith, ou=staff, dc=eprints, dc=org"
# You will need to derive this from the username or user metadata
        my $ldap_dn = "uid=$username,ou=People,dc=yourdomain,dc=ac,dc=uk";
#
        use Net::LDAP; # IO::Socket::SSL also required
#
        my $ldap = Net::LDAP->new ( $ldap_host, version => 3 );
        unless( $ldap )
        {
                print STDERR "LDAP error: $@\n";
                return 0;
        }
#
# Start secure connection (not needed if using LDAPS)
        my $ssl = $ldap->start_tls( sslversion => "sslv3" );
        if( $ssl->code() )
        {
                print STDERR "LDAP SSL error: " . $ssl->error() . "\n";
                return 0;
       }
# Check password
       my $mesg = $ldap->bind( $ldap_dn, password => $password );
       if( $mesg->code() )
       {
               return 0;
       }
       return 1;
}
# Advanced LDAP Configuration
#
# 1. It is also possible to define additional user types, each with a different
# authentication mechanism. For example, you could keep the default user, 
# editor and admin types and add ldapuser, ldapeditor and ldapadmin types with
# LDAP authentication - this would suit an arrangement where internal staff are 
# authenticated against the LDAP server but user accounts can still be granted 
# to external users.
#
# 2. Sometimes the distinguished name of the user is not computable from the 
# username. You may need to use values from the user metadata (e.g. name_given,
# name_family):
#
#       my $name = $user->get_value( "name" );
#       my $ldap_dn = $name->{family} . ", " . $name->{given} .", ou=yourorg, dc=yourdomain";
#
# or perform an LDAP lookup to determine it (more complicated):
#
#       my $base = "ou=yourorg, dc=yourdomain";
#       my $result = $ldap->search (
#               base    => "$base",
#               scope   => "sub",
#               filter  => "cn=$username",
#               attrs   =>  ['DN'],
#               sizelimit=>1
#       );
#
#       my $entr = $result->pop_entry;
#       unless( defined $entr )
#       {
#               return 0;
#       }
#       my $ldap_dn = $entr->dn
#
# Alternatively, you could store the distinguished name as part of the user 
# metadata when the user account is imported              print STDERR "LDAP SSL error: " . $ssl->error() . "\n";

LDAP Import

This is where I hope someone else may help!