Index: openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.adp,v diff -u -r1.1.2.6 -r1.1.2.7 --- openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.adp 5 Aug 2016 14:17:34 -0000 1.1.2.6 +++ openacs-4/packages/acs-authentication/www/doc/configure-batch-sync.adp 10 Nov 2016 14:51:18 -0000 1.1.2.7 @@ -10,13 +10,13 @@
Browse to the authentication administration page, http://yourserver/acs-admin/auth/ - and choose an authority for +
Browse to the authentication administration page, http://yourserver/acs-admin/auth/ + and choose an authority for batch sync.
Set Batch sync enabled to Yes. Set GetDocument Implementation to HTTP GET. Set ProcessDocument Implementation to IMS Enterprise 1.1. These settings will cause OpenACS to attempt to retrieve via HTTP a list of users in XML format from a location we will specify in a -few steps.
Click OK.
On the next page, click Configure on the GetDocument Implementation +few steps.
Click OK.
On the next page, click Configure on the GetDocument Implementation line.
Enter either or both the IncrementalURL and SnapshotURL. These are the URLs which the external Authority will supply with XML files in IMS Enterprise 1.1 format.
(More information: the section called “IMS Sync driver design”, The IMS 1.1 spec)
-ToDo: Add/verify information on on-demand -sync, account registration, and batch synchronization. Add section -on ldapsearch.
-Overview. You do not want to make users -remember yet another password and username. If you can avoid it you -do not want to store their passwords either. This document should -help you set your system up so your users can seamlessly log in to -your OpenACS instance using the password they are accustomed to -using for other things at your institution.
-Background. The original OpenACS LDAP -implementation (which has been depreciated by this package) treated -the LDAP server as another data store similar to Oracle or +ToDo: Add/verify information on +on-demand sync, account registration, and batch synchronization. +Add section on ldapsearch.
+Overview. You do not want to make +users remember yet another password and username. If you can avoid +it you do not want to store their passwords either. This document +should help you set your system up so your users can seamlessly log +in to your OpenACS instance using the password they are accustomed +to using for other things at your institution.
+Background. The original OpenACS +LDAP implementation (which has been depreciated by this package) +treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a priveleged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or @@ -46,8 +46,8 @@
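Review bot: the rewrapped Background paragraph carries the misspelling "depreciated" (should be "deprecated") in both the removed and the added copy, and the unchanged context right below it keeps "priveleged" (should be "privileged"); since this hunk only reflows the text, it is the natural place to fix both while the lines are being touched.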
Installing AOLserver LDAP support -(openldap and nsldap). Install openldap and nsldap -using the document Malte created Next, modify your config.tcl +(openldap and nsldap). Install openldap and +nsldap using the document Malte created Next, modify your config.tcl file as directed in the nsldap README. Here's what the relevant additions should look like:
# LDAP authentication
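Review bot: the reflowed sentence still runs two instructions together: "Install openldap and nsldap using the document Malte created Next, modify your config.tcl" needs a sentence break after "created", and the document being referred to is neither named nor linked, so a reader cannot actually follow that step. Suggest adding the reference (or at least the document title) in place of "the document Malte created".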
@@ -76,11 +76,12 @@
[10/Jan/2006:11:11:08][22553.3076437088][-main-] Debug: nsldap: Registering LDAPCheckPools (600)
-auth-ldap + driver installation. Next, -visit the software installation page in acs-admin and install the -auth-ldap package. Your OpenACS installation now has all the code -required to authenticate using nsldap, so now you need to configure -your site's authentication to take advantage of it. To add the +auth-ldap + driver +installation. Next, visit the software +installation page in acs-admin and install the auth-ldap package. +Your OpenACS installation now has all the code required to +authenticate using nsldap, so now you need to configure your +site's authentication to take advantage of it. To add the authentication driver to your OpenACS instance, go to: Main Site, Site-Wide Administration, and then AuthenticationHere's some sample Authentication Driver values:Name=Active Directory, Short @@ -130,19 +131,19 @@
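Review bot: the added lines keep a missing sentence break and missing spaces in "Site-Wide Administration, and then AuthenticationHere's some sample Authentication Driver values:Name=Active Directory, Short"; this should read "... and then Authentication. Here's some sample Authentication Driver values: Name=Active Directory, ...". As the commit only rewraps this paragraph, it should fix the run-together text it is touching rather than re-emit it.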
-Troubleshooting. If you're having -trouble figuring out some the values for the ldapm, see this useful -page on setting up Active Directory integration with -Bugzilla. It explains how distinguished names are defined in -Active Directory, and how to test that you have the correct values -for connectivity and base DN using the OpenLDAP command-line -utility ldapsearch.John had an issue where nsldap was not loading -because AOLServer couldn't find the openldap client libraries, -but he was able to fix it by adding the openldap libraries to his +Troubleshooting. If you're +having trouble figuring out some the values for the ldapm, see this +useful page on setting up Active Directory integration with Bugzilla. +It explains how distinguished names are defined in Active +Directory, and how to test that you have the correct values for +connectivity and base DN using the OpenLDAP command-line utility +ldapsearch.John had an issue where nsldap was not loading because +AOLServer couldn't find the openldap client libraries, but he +was able to fix it by adding the openldap libraries to his LD_LIBRARY_PATH (e.g. /usr/local/openldap/lib)
-Credits. Thanks to Malte Sussdorf for his -help and the Laboratory of Computer Science at Massachusetts General -Hospital for underwriting this work.
+Credits. Thanks to Malte Sussdorf +for his help and the Laboratory of Computer Science at Massachusetts +General Hospital for underwriting this work.-Add PAM support to AOLserver. OpenACS -supports PAM support via the PAM AOLserver module. PAM is system of -modular support, and can provide local (unix password), RADIUS, -LDAP (more information), and other forms of +Add PAM support to +AOLserver. OpenACS supports PAM support via +the PAM AOLserver module. PAM is system of modular support, and can +provide local (unix password), RADIUS, LDAP (more information), and other forms of authentication. Note that due to security issues, the AOLserver PAM module cannot be used for local password authentication.
-Set up a PAM domain. A PAM domain is a set -of rules for granting privileges based on other programs. Each -instance of AOLserver uses a domain; different aolserver instances -can use the same domain but one AOLserver instance cannot use two -domains. The domain describes which intermediate programs will be -used to check permissions. You may need to install software to -perform new types of authentication.
RADIUS in PAM.
Create an OpenACS -authority. OpenACS supports multiple authentication -authorities. The OpenACS server itself is the "Local -Authority," used by default.
Browse to the authentication administration page, http://yourserver/acs-admin/auth/
. Create and name an
authority (in the sitewide admin UI)
Set Authentication to PAM.
If the PAM domain defines a password
command, you can set Password
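Review bot: several defects in the text this hunk rewraps are carried over unchanged: "figuring out some the values for the ldapm" (missing "of"), "ldapsearch.John had an issue" (missing sentence break), and "PAM is system of modular support" (missing "a"). More important for the reader, the security note "Note that due to security issues, the AOLserver PAM module cannot be used for local password authentication" gives neither the reason nor a reference, so an administrator cannot judge whether the restriction applies to their setup; suggest adding one sentence on what the issue is, or a link to where it is described, while this paragraph is being edited.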