Index: openacs-4/packages/acs-authentication/www/doc/xml/install.xml =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/xml/install.xml,v diff -u -r1.5 -r1.6 --- openacs-4/packages/acs-authentication/www/doc/xml/install.xml 4 Jun 2006 00:45:21 -0000 1.5 +++ openacs-4/packages/acs-authentication/www/doc/xml/install.xml 7 Aug 2017 23:47:46 -0000 1.6 @@ -22,7 +22,7 @@ OpenACS supports PAM support via the PAM AOLserver module. PAM is system of modular support, and can provide local (unix password), RADIUS, LDAP (more + url="http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html">more information), and other forms of authentication. Note that due to security issues, the AOLserver PAM module cannot be used for local password @@ -125,7 +125,7 @@ LDAP in PAM - more information + more information 
@@ -190,7 +190,7 @@ You do not want to make users remember yet another password and username. If you can avoid it you do not want to store their passwords either. This document should help you set your system up so your users can seamlessly log in to your OpenACS instance using the password they are accustomed to using for other things at your institution. Background - The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a priveleged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS. + The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a privileged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS. Save their passwords? Sync passwords? Deal with forgotten password requests? No Thanks. Using ldap bind, you can delegate authentication completely to LDAP. This way you can let the IT department (if you are lucky) worry about password storage/synchronization/etc. The bind operation takes a username and password and returns a true of false depending on whether they match up. This document takes the 'bind' approach so that your users LDAP/AD password (or whatever else you use) can be used to login to OpenACS. Note on Account Creation 
@@ -303,7 +303,7 @@ Troubleshooting - If you're having trouble figuring out some the values for the ldapm, see this useful page on setting up Active Directory integration with Bugzilla. It explains how distinguished names are defined in Active Directory, and how to test that you have the correct values for connectivity and base DN using the OpenLDAP command-line utility ldapsearch. + If you're having trouble figuring out some the values for the ldapm, see this useful page on setting up Active Directory integration with Bugzilla. It explains how distinguished names are defined in Active Directory, and how to test that you have the correct values for connectivity and base DN using the OpenLDAP command-line utility ldapsearch. John had an issue where nsldap was not loading because AOLServer couldn't find the openldap client libraries, but he was able to fix it by adding the openldap libraries to his LD_LIBRARY_PATH (e.g. /usr/local/openldap/lib) Credits
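Review bot: the new link in the first hunk (@@ -22,7) points at an archived copy of the LDAP-Implementation-HOWTO over plain http; since readers are sent there for PAM/NSS configuration guidance, use an https URL if tldp.org serves one, and say in the text that the HOWTO is archived, so readers expect older module names and paths. While this paragraph is being touched, "PAM is system of modular support" is missing an article ("PAM is a system of modular authentication support") and "OpenACS supports PAM support" can read "OpenACS supports PAM". The sentence that follows, stating that the AOLserver PAM module cannot be used for local password authentication because of security issues, is the most important line in the hunk and is correctly left unchanged.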
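Review bot: in the second hunk (@@ -125,7) the removed and added lines ("LDAP in PAM - more information") read identically in the visible text, so the real change is the link target, which the diff as shown does not expose. The commit message should state the old and new URLs so a reviewer can confirm the new target is the same HOWTO section referenced in the first hunk and not a redirect to a different document.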
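Review bot: the third hunk (@@ -190,7) fixes "priveleged" but leaves "depreciated" (should be "deprecated", in both the removed and the added line), and the unchanged context a few sentences on still reads "returns a true of false" ("true or false") and "your users LDAP/AD password" ("users'"). More substantively, the description of bind as taking a username and password and returning true or false should add one check the administrator must verify: the driver has to reject an empty password before attempting the bind, because an LDAP simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that servers may accept, which would turn a blank login-form password into a successful login. Stating that requirement next to the "delegate authentication completely to LDAP" sentence is where a deployer will look for it.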
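Review bot: the fourth hunk (@@ -303,7) again shows identical removed and added text, so only the link behind "this useful page" changed and the commit message should record the new URL. While the sentence is being edited, "some the values" should be "some of the values", and "the ldapm" should name the module consistently with the nsldap module mentioned in the following sentence. The LD_LIBRARY_PATH workaround attributed to "John" would be more useful stated as an instruction: set LD_LIBRARY_PATH to the OpenLDAP lib directory in the AOLserver startup script (or register that directory with the system's dynamic loader configuration), not in an interactive shell, since the server is normally started as a service and will not inherit a shell variable.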