Difference between revisions of "LDAP"

From EPrints Documentation
Jump to: navigation, search
(LDAP Authentication with Create on Demand)
Line 1: Line 1:
 
See [[Integrating EPrints with LDAP]] for instructions for Eprints 2.*
 
See [[Integrating EPrints with LDAP]] for instructions for Eprints 2.*
 +
 +
==LDAP and User Roles==
 +
 +
It is recommended that certain user rights are removed when using LDAP for login. The user should not be allowed to change their password or their email address. It is also suggested that the user not be allowed to edit their profile, however I have found certain fields that I would like the user to edit. To set the rights edit the file :
 +
 +
vi /opt/eprints3/archives/yourarchivename/cfg/cfg.d/user_roles.pl
 +
 +
######################################################################
 +
#
 +
# User Roles
 +
#
 +
#  Here you can configure which different types of user are
 +
#  parts of the system they are allowed to use.
 +
#
 +
######################################################################
 +
$c->{user_roles}->{user} = [qw/
 +
        general
 +
        edit-own-record
 +
        saved-searches
 +
        deposit
 +
/],
 +
$c->{user_roles}->{editor} = [qw/
 +
        general
 +
        edit-own-record
 +
        saved-searches
 +
        deposit
 +
        editor
 +
        view-status
 +
        staff-view
 +
/],
 +
$c->{user_roles}->{admin} = [qw/
 +
        general
 +
        edit-own-record
 +
        saved-searches
 +
        set-password
 +
        deposit
 +
        change-email
 +
        editor
 +
        view-status
 +
        staff-view
 +
        admin
 +
/],
 +
#$c->{user_roles}->{minuser} = [qw/
 +
#      saved-searches
 +
#      set-password
 +
#      change-email
 +
#      change-user
 +
#      no_edit_own_record
 +
#      lock-username-to-email
 +
#/];
 +
 +
After editing restart Apache.
  
 
==LDAP Authentication with Bulk Import of Users==
 
==LDAP Authentication with Bulk Import of Users==
  
===Introduction===
+
This recipe enables authenticating passwords against an LDAP directory for all users (including administrators). The users will need to already exist in EPrints, most likely created by a bulk import from your LDAP server.
  
I decided that importing all users from my LDAP repository was not a good idea, I run Samba and an import would mean setting up 75 computers with access to eprints (when not filtering these out). I now create each user that requires access and use LDAP for authentication. This means that my users still only need to remember one password.
+
The recommendation for EPrints is not to allow users to alter email and passwords, as these changes are not at present written back to the LDAP database.
 
 
The recommendation for Eprints is not to allow users to alter email and passwords, as these changes are not at present written back to the LDAP database.
 
  
 
===LDAP Configuration===
 
===LDAP Configuration===
Line 15: Line 65:
 
Edit the file :
 
Edit the file :
  
  vi /var/lib/eprints3/archives/yourarchivename/cfg/cfg.d/user_login.pl
+
  vi /opt/eprints3/archives/yourarchivename/cfg/cfg.d/user_login.pl
  
 
  # This function allows you to override the default username/password
 
  # This function allows you to override the default username/password
Line 115: Line 165:
 
After editing restart Apache.
 
After editing restart Apache.
  
===LDAP and User Roles===
 
 
It is recommended that certain user rights are removed when using LDAP for login. The user should not be allowed to change their password or their email address. It is also suggested that the user not be allowed to edit their profile, however I have found certain fields that I would like the user to edit. To set the rights edit the file :
 
 
vi /var/lib/eprints3/archives/yourarchivename/cfg/cfg.d/user_roles.pl
 
 
######################################################################
 
#
 
# User Roles
 
#
 
#  Here you can configure which different types of user are
 
#  parts of the system they are allowed to use.
 
#
 
######################################################################
 
$c->{user_roles}->{user} = [qw/
 
        general
 
        edit-own-record
 
        saved-searches
 
        deposit
 
/],
 
$c->{user_roles}->{editor} = [qw/
 
        general
 
        edit-own-record
 
        saved-searches
 
        deposit
 
        editor
 
        view-status
 
        staff-view
 
/],
 
$c->{user_roles}->{admin} = [qw/
 
        general
 
        edit-own-record
 
        saved-searches
 
        set-password
 
        deposit
 
        change-email
 
        editor
 
        view-status
 
        staff-view
 
        admin
 
/],
 
#$c->{user_roles}->{minuser} = [qw/
 
#      saved-searches
 
#      set-password
 
#      change-email
 
#      change-user
 
#      no_edit_own_record
 
#      lock-username-to-email
 
#/];
 
 
After editing restart Apache.
 
  
 
===LDAP Import===
 
===LDAP Import===
Line 213: Line 212:
 
==LDAP Authentication with On-Demand Creation of Users==
 
==LDAP Authentication with On-Demand Creation of Users==
  
=== LDAP Authentication and Provisioning example ===
 
 
Here's an example of a customized <tt>/opt/eprints3/archives/ARCHIVEID/cfg/cfg.d/user_login.pl</tt>
 
Here's an example of a customized <tt>/opt/eprints3/archives/ARCHIVEID/cfg/cfg.d/user_login.pl</tt>
 +
 
* allowing LDAP accounts to login, using the "Advanced LDAP Configuration" example
 
* allowing LDAP accounts to login, using the "Advanced LDAP Configuration" example
 
* allowing the local eprints admin account to login w/ database authentication
 
* allowing the local eprints admin account to login w/ database authentication
 
* creating eprints accounts for all successfully authenticated LDAP users ''on the fly''
 
* creating eprints accounts for all successfully authenticated LDAP users ''on the fly''
 +
 
Most of the code is from the default <tt>user_login.pl</tt> and from the [http://files.eprints.org/27/1/update_users update_users] script.
 
Most of the code is from the default <tt>user_login.pl</tt> and from the [http://files.eprints.org/27/1/update_users update_users] script.
  
Line 318: Line 318:
  
 
=== things to note ===
 
=== things to note ===
 +
 
* This script uses a dedicated proxy account which must exist in your LDAP tree and has appropriate permissions (ACL settings) to search for users and read their <tt>uid,givenname,sn,mail</tt> attributes.
 
* This script uses a dedicated proxy account which must exist in your LDAP tree and has appropriate permissions (ACL settings) to search for users and read their <tt>uid,givenname,sn,mail</tt> attributes.
* It get's this proxy accounts' password from a file inside the repository configuration. this file needs to have read permissions for the user your webserver runs as (e.g. <tt>www-data</tt> on Debian).  Use file system permissions to protect this (e.g. <tt>chmod 400 ldap.passwd</tt>).
+
* It gets this proxy accounts' password from a file inside the repository configuration. this file needs to have read permissions for the user your webserver runs as (e.g. <tt>www-data</tt> on Debian).  Use file system permissions to protect this (e.g. <tt>chmod 400 ldap.passwd</tt>).
 
* It changes the flow of <tt>user_login.pl</tt> a little to only check for local ''admin'' accounts (no users or editors; we have them all in our LDAP tree) and only when no user is found for ldap authentication. This allows you to have your admins in LDAP (if you want) but still use the local admin for "promoting" other users to admins, among other things (which could also be done with a simple SQL <code>update</code> directly in the RDBMS). If you don't need the local admin, remove those lines and just <tt>return 0</tt> since no user was found in LDAP.
 
* It changes the flow of <tt>user_login.pl</tt> a little to only check for local ''admin'' accounts (no users or editors; we have them all in our LDAP tree) and only when no user is found for ldap authentication. This allows you to have your admins in LDAP (if you want) but still use the local admin for "promoting" other users to admins, among other things (which could also be done with a simple SQL <code>update</code> directly in the RDBMS). If you don't need the local admin, remove those lines and just <tt>return 0</tt> since no user was found in LDAP.
 
* you could change the default role for generated user accounts from <tt>user</tt>, if you really wanted.
 
* you could change the default role for generated user accounts from <tt>user</tt>, if you really wanted.
  
 
=== possible enhancements ===
 
=== possible enhancements ===
==== removing stale accounts ====
+
 
 
Currently this script does not remove local eprints accounts from the database: when accounts get deleted from the LDAP database the corresponding local EPrints accounts sit around forever. But since login isn't possible anymore this is not a risk or of high priority.
 
Currently this script does not remove local eprints accounts from the database: when accounts get deleted from the LDAP database the corresponding local EPrints accounts sit around forever. But since login isn't possible anymore this is not a risk or of high priority.
  
 
Depending on your situation it may be enough to run some kind of cleanup script, e.g. once a year, that get's a list of all local EPrints accounts, loops over them and <code>$user->remove</code>s all those, which cannot be found in LDAP anymore (except for those where <code>$user_type eq 'admin'</code>, so you don't risk losing your local admins).
 
Depending on your situation it may be enough to run some kind of cleanup script, e.g. once a year, that get's a list of all local EPrints accounts, loops over them and <code>$user->remove</code>s all those, which cannot be found in LDAP anymore (except for those where <code>$user_type eq 'admin'</code>, so you don't risk losing your local admins).

Revision as of 11:52, 12 August 2009

See Integrating EPrints with LDAP for instructions for Eprints 2.*

LDAP and User Roles

It is recommended that certain user rights are removed when using LDAP for login. The user should not be allowed to change their password or their email address. It is also suggested that the user not be allowed to edit their profile, however I have found certain fields that I would like the user to edit. To set the rights edit the file :

vi /opt/eprints3/archives/yourarchivename/cfg/cfg.d/user_roles.pl
######################################################################
#
# User Roles
#
#  Here you can configure which different types of user are 
#  parts of the system they are allowed to use.
#
######################################################################
$c->{user_roles}->{user} = [qw/
       general
       edit-own-record
       saved-searches
       deposit
/],
$c->{user_roles}->{editor} = [qw/
       general
       edit-own-record
       saved-searches
       deposit
       editor
       view-status
       staff-view
/],
$c->{user_roles}->{admin} = [qw/
       general
       edit-own-record
       saved-searches
       set-password
       deposit
       change-email
       editor
       view-status
       staff-view
       admin
/],
#$c->{user_roles}->{minuser} = [qw/
#       saved-searches
#       set-password
#       change-email
#       change-user
#       no_edit_own_record
#       lock-username-to-email
#/];

After editing restart Apache.

LDAP Authentication with Bulk Import of Users

This recipe enables authenticating passwords against an LDAP directory for all users (including administrators). The users will need to already exist in EPrints, most likely created by a bulk import from your LDAP server.

The recommendation for EPrints is not to allow users to alter email and passwords, as these changes are not at present written back to the LDAP database.

LDAP Configuration

All changes for LDAP authentication can be made in a single file, the file contains useful notes on configuration. Here is an example from my site, I have configured a standard Samba Domain using LDAP for authentication, if you have similar then this config may work for you :

Edit the file :

vi /opt/eprints3/archives/yourarchivename/cfg/cfg.d/user_login.pl
# This function allows you to override the default username/password
# authentication. For example, you could apply different authentication rules to 
# different types of user.
#
# Example: LDAP Authentication (Quick Start)
#
# Tip: use the test script to determine your LDAP parameters first!
# Tip: remove the set-password priviledge from users and editors in
# user_roles.pl. Also consider removing edit-own-record and 
# change-email.
#
$c->{check_user_password} = sub {
        my( $session, $username, $password ) = @_;
        my $user = EPrints::DataObj::User::user_with_username( $session, $username );
        return 0 unless $user;
        my $user_type = $user->get_type;
        if( $user_type eq "admin" )
       {
       #       internal authentication for "admin" type
       #       return EPrints::Apache::Login::valid_login( $session, $username, $password );
       return $session->get_database->valid_login( $username, $password );
       }
# LDAP authentication for "user" and "editor" types
#
# LDAP hostname (and port if not the default)
       my $ldap_host = "ldap.yourdomain.ac.uk";
#       #my $ldap_host = "ldap.host.name:1234";
#       #my $ldap_host = "ldaps://ldap.host.name"; # if server supports LDAPS
#
# Distinguished name for this user
# The distinguished name is a unique name for an LDAP entry.
# e.g. "cn=John Smith, ou=staff, dc=eprints, dc=org"
# You will need to derive this from the username or user metadata
        my $ldap_dn = "uid=$username,ou=People,dc=yourdomain,dc=ac,dc=uk";
#
        use Net::LDAP; # IO::Socket::SSL also required
#
        my $ldap = Net::LDAP->new ( $ldap_host, version => 3 );
        unless( $ldap )
        {
                print STDERR "LDAP error: $@\n";
                return 0;
        }
#
# Start secure connection (not needed if using LDAPS)
        my $ssl = $ldap->start_tls( sslversion => "sslv3" );
        if( $ssl->code() )
        {
                print STDERR "LDAP SSL error: " . $ssl->error() . "\n";
                return 0;
       }
# Check password
       my $mesg = $ldap->bind( $ldap_dn, password => $password );
       if( $mesg->code() )
       {
               return 0;
       }
       return 1;
}
# Advanced LDAP Configuration
#
# 1. It is also possible to define additional user types, each with a different
# authentication mechanism. For example, you could keep the default user, 
# editor and admin types and add ldapuser, ldapeditor and ldapadmin types with
# LDAP authentication - this would suit an arrangement where internal staff are 
# authenticated against the LDAP server but user accounts can still be granted 
# to external users.
#
# 2. Sometimes the distinguished name of the user is not computable from the 
# username. You may need to use values from the user metadata (e.g. name_given,
# name_family):
#
#       my $name = $user->get_value( "name" );
#       my $ldap_dn = $name->{family} . ", " . $name->{given} .", ou=yourorg, dc=yourdomain";
#
# or perform an LDAP lookup to determine it (more complicated):
#
#       my $base = "ou=yourorg, dc=yourdomain";
#       my $result = $ldap->search (
#               base    => "$base",
#               scope   => "sub",
#               filter  => "cn=$username",
#               attrs   =>  ['DN'],
#               sizelimit=>1
#       );
#
#       my $entr = $result->pop_entry;
#       unless( defined $entr )
#       {
#               return 0;
#       }
#       my $ldap_dn = $entr->dn
#
# Alternatively, you could store the distinguished name as part of the user 
# metadata when the user account is imported              print STDERR "LDAP SSL error: " . $ssl->error() . "\n";

After editing restart Apache.


LDAP Import

You can use the update_users script and apply the following patch to make it work with eprints3:

--- update_users.orig   2007-04-23 16:22:26.000000000 +0200
+++ update_users    2007-04-24 21:16:40.000000000 +0200
@@ -1,6 +1,6 @@
-#!/usr/bin/perl -w -I/opt/eprints2/perl_lib
+#!/usr/bin/perl -w -I/opt/eprints3/perl_lib

-use EPrints::User;
+use EPrints::DataObj::User;
 use EPrints::Session;
 use Net::LDAP;
 use strict;
@@ -16,6 +16,7 @@

 # Start connection
 my $ldap = Net::LDAP->new( "ldap.host.name", version => 3 );
+$ldap->start_tls();
 unless( $ldap )
 {
    print STDERR "LDAP error: $@\n";
@@ -74,7 +75,7 @@
        # New account
        if( $forreal )
        {
-           $user = EPrints::User::create_user( $session, "ldapuser" );
+           $user = EPrints::DataObj::User::create( $session, "user" );
            $user->set_value( "username", $username );
            print "CREATING: $username\n";
        }
@@ -118,7 +119,7 @@
        print "FAMILY = " . $entr->get_value( "sn" ) . "\n";
        print "GIVEN = " . $entr->get_value( "givenName" ) . "\n";
        print "EMAIL = " . $entr->get_value( "mail" ) . "\n";
-       print "DN = " . $entr->get_value( "distinguishedName" ) . "\n";
+       print "DN = " . $entr->dn . "\n";

    }

LDAP Authentication with On-Demand Creation of Users

Here's an example of a customized /opt/eprints3/archives/ARCHIVEID/cfg/cfg.d/user_login.pl

  • allowing LDAP accounts to login, using the "Advanced LDAP Configuration" example
  • allowing the local eprints admin account to login w/ database authentication
  • creating eprints accounts for all successfully authenticated LDAP users on the fly

Most of the code is from the default user_login.pl and from the update_users script.

Be sure to only use this over HTTPS!

$c->{check_user_password} = sub {
   my( $session, $username, $password ) = @_;
   
   # LDAP authentication for "user", "editor" and "admin" types (roles)
   
   use Net::LDAP; # IO::Socket::SSL also required
   
   # LDAP tunables
   my $ldap_host = "ldap.example.org";
   my $base      = "dc=example,dc=org";
   my $dn        = "cn=someProxyAccount,ou=accounts,$base";
   
   my $ldap      = Net::LDAP->new ( $ldap_host, version => 3 );
   unless( $ldap )
   {
       print STDERR "LDAP error: $@\n";
       return 0;
   }
   
   # Start secure connection (not needed if using LDAPS)
   my $ssl = $ldap->start_tls();
   if( $ssl->code() )
   {
       print STDERR "LDAP SSL error: " . $ssl->error() . "\n";
       return 0;
   }
   
   # Get password for the search-bind-account
   my $repository = $session->get_repository;
   my $id         = $repository->get_id;
   my $ldappass   = `cat /opt/eprints3/archives/$id/cfg/ldap.passwd`;
   chomp($ldappass);
   
   my $mesg = $ldap->bind( $dn, password=>$password );
   if( $mesg->code() )
   {
       print STDERR "LDAP Bind error: " . $mesg->error() . "\n";
       return 0;
   }
   
   # Distinguished name (and attribues needed later on) for this user
   my $result = $ldap->search (
       base    => "$base",
       scope   => "sub",
       filter  => "(&(uid=$username)(objectclass=inetOrgPerson))",
       attrs   =>  ['1.1', 'uid', 'sn', 'givenname', 'mail'],
       sizelimit=>1
   );
   my $entr = $result->pop_entry;
   unless( defined $entr )
   {
       # Allow local EPrints authentication for admins (accounts not found in LDAP)
       my $user = EPrints::DataObj::User::user_with_username( $session, $username );
       return 0 unless $user;
       
       my $user_type = $user->get_type;
       if( $user_type eq "admin" )
       {
           # internal authentication for "admin" type
           return $session->get_database->valid_login( $username, $password );
       }
       return 0;
   }
   my $ldap_dn = $entr->dn;
   
   # Check password
   my $mesg = $ldap->bind( $ldap_dn, password => $password );
   if( $mesg->code() )
   {
       return 0;
   }
   
   # Does account already exist?
   my $user = EPrints::DataObj::User::user_with_username( $session, $username );
   if( !defined $user )
   {
       # New account
       $user = EPrints::DataObj::User::create( $session, "user" );
       $user->set_value( "username", $username );
   }
   
   # Set metadata
   my $name = {};
   $name->{family} = $entr->get_value( "sn" );
   $name->{given} = $entr->get_value( "givenName" );
   $user->set_value( "name", $name );
   $user->set_value( "username", $username );
   $user->set_value( "email", $entr->get_value( "mail" ) );
   $user->commit();
   
   $ldap->unbind if $ldap;
   
   return 1;
}

things to note

  • This script uses a dedicated proxy account which must exist in your LDAP tree and has appropriate permissions (ACL settings) to search for users and read their uid,givenname,sn,mail attributes.
  • It gets this proxy accounts' password from a file inside the repository configuration. this file needs to have read permissions for the user your webserver runs as (e.g. www-data on Debian). Use file system permissions to protect this (e.g. chmod 400 ldap.passwd).
  • It changes the flow of user_login.pl a little to only check for local admin accounts (no users or editors; we have them all in our LDAP tree) and only when no user is found for ldap authentication. This allows you to have your admins in LDAP (if you want) but still use the local admin for "promoting" other users to admins, among other things (which could also be done with a simple SQL update directly in the RDBMS). If you don't need the local admin, remove those lines and just return 0 since no user was found in LDAP.
  • you could change the default role for generated user accounts from user, if you really wanted.

possible enhancements

Currently this script does not remove local eprints accounts from the database: when accounts get deleted from the LDAP database the corresponding local EPrints accounts sit around forever. But since login isn't possible anymore this is not a risk or of high priority.

Depending on your situation it may be enough to run some kind of cleanup script, e.g. once a year, that get's a list of all local EPrints accounts, loops over them and $user->removes all those, which cannot be found in LDAP anymore (except for those where $user_type eq 'admin', so you don't risk losing your local admins).