Index: openacs-4/packages/acs-subsite/sql/postgresql/upgrade/upgrade-4.6b-4.6.1b.sql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/sql/postgresql/upgrade/upgrade-4.6b-4.6.1b.sql,v diff -u -r1.2 -r1.2.24.1 --- openacs-4/packages/acs-subsite/sql/postgresql/upgrade/upgrade-4.6b-4.6.1b.sql 12 Oct 2003 22:12:14 -0000 1.2 +++ openacs-4/packages/acs-subsite/sql/postgresql/upgrade/upgrade-4.6b-4.6.1b.sql 21 Apr 2017 15:27:49 -0000 1.2.24.1 @@ -7,7 +7,7 @@ -- Moving primary key constraint on host_node_map from node_id column -- to host column. Fortunately, nothing references the table, so a --- simple drop-rebuild is feasable +-- simple drop-rebuild is feasible alter table host_node_map rename to host_node_map_old; create table host_node_map ( Index: openacs-4/packages/acs-subsite/tcl/email-image-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/email-image-procs.tcl,v diff -u -r1.14.2.5 -r1.14.2.6 --- openacs-4/packages/acs-subsite/tcl/email-image-procs.tcl 27 Mar 2017 10:49:05 -0000 1.14.2.5 +++ openacs-4/packages/acs-subsite/tcl/email-image-procs.tcl 21 Apr 2017 15:27:49 -0000 1.14.2.6 
@@ -40,7 +40,7 @@ {-bgcolor "" } {-transparent "" } } { - Returns the email in differnet diferent ways (text level 4, image or text and image level 3, link level 2, ...) + Returns the email in differnet different ways (text level 4, image or text and image level 3, link level 2, ...) according to the priv_email field in the users table. To create an image the ImageMagick software is required, if ImageMagick is not present then the @ symbol in the email will be shown as an image. When creating an image you can choose the background color (In this format \#xxxxxx). Also you can make the background color transparent Index: openacs-4/packages/acs-subsite/tcl/group-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/group-procs.tcl,v diff -u -r1.39.2.8 -r1.39.2.9 --- openacs-4/packages/acs-subsite/tcl/group-procs.tcl 17 Mar 2017 15:38:20 -0000 1.39.2.8 +++ openacs-4/packages/acs-subsite/tcl/group-procs.tcl 21 Apr 2017 15:27:49 -0000 1.39.2.9 @@ -640,7 +640,7 @@ {-group_id:required} {-user_id:required} } { - @return 1 if user_id is in teh admin_rel for group_id + @return 1 if user_id is in the admin_rel for group_id } { set admin_rel_id [relation::get_id \ -object_id_one $group_id \ Index: openacs-4/packages/acs-subsite/tcl/rel-segments-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/rel-segments-procs.tcl,v diff -u -r1.5.2.2 -r1.5.2.3 --- openacs-4/packages/acs-subsite/tcl/rel-segments-procs.tcl 28 Oct 2015 09:38:34 -0000 1.5.2.2 +++ openacs-4/packages/acs-subsite/tcl/rel-segments-procs.tcl 21 Apr 2017 15:27:49 -0000 1.5.2.3 
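Review bot: The new docstring line still reads `differnet different ways`: the commit fixes the second word but leaves the misspelling and the duplicated word, so the line should become `Returns the email in different ways (text level 4, image or text and image level 3, link level 2, ...)`. The same docstring documents `-bgcolor` as a `#xxxxxx` value; if that value is later handed to the ImageMagick invocation (not visible in this hunk), it is worth confirming that the proc rejects anything outside that shape before the call. The proc's header and body lie outside the hunk.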
@@ -48,8 +48,8 @@ @creation-date 1/12/2001 } { - # First delete dependant constraints. - db_foreach select_dependant_constraints { + # First delete dependent constraints. + db_foreach select_dependent_constraints { select c.constraint_id from rel_constraints c where c.required_rel_segment = :segment_id Index: openacs-4/packages/acs-subsite/tcl/rel-segments-procs.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/rel-segments-procs.xql,v diff -u -r1.1 -r1.1.30.1 --- openacs-4/packages/acs-subsite/tcl/rel-segments-procs.xql 6 May 2001 21:40:21 -0000 1.1 +++ openacs-4/packages/acs-subsite/tcl/rel-segments-procs.xql 21 Apr 2017 15:27:49 -0000 1.1.30.1 @@ -1,7 +1,7 @@ - + select c.constraint_id Index: openacs-4/packages/acs-subsite/tcl/relation-procs-oracle.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/relation-procs-oracle.xql,v diff -u -r1.4.12.1 -r1.4.12.2 --- openacs-4/packages/acs-subsite/tcl/relation-procs-oracle.xql 28 Oct 2015 09:38:34 -0000 1.4.12.1 +++ openacs-4/packages/acs-subsite/tcl/relation-procs-oracle.xql 21 Apr 2017 15:27:49 -0000 1.4.12.2 @@ -33,7 +33,7 @@ - + select case when exists Index: openacs-4/packages/acs-subsite/tcl/relation-procs-postgresql.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/relation-procs-postgresql.xql,v diff -u -r1.6 -r1.6.30.1 --- openacs-4/packages/acs-subsite/tcl/relation-procs-postgresql.xql 4 Dec 2001 00:20:47 -0000 1.6 +++ openacs-4/packages/acs-subsite/tcl/relation-procs-postgresql.xql 21 Apr 2017 15:27:49 -0000 1.6.30.1 
@@ -19,7 +19,7 @@ - + select case when exists Index: openacs-4/packages/acs-subsite/tcl/relation-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/relation-procs.tcl,v diff -u -r1.16.2.3 -r1.16.2.4 --- openacs-4/packages/acs-subsite/tcl/relation-procs.tcl 28 Oct 2015 09:38:34 -0000 1.16.2.3 +++ openacs-4/packages/acs-subsite/tcl/relation-procs.tcl 21 Apr 2017 15:27:49 -0000 1.16.2.4 @@ -157,7 +157,7 @@ # acs_rels to find the group and rel_type for this relation. if { $segment_id ne "" } { - if { [relation_segment_has_dependant -segment_id $segment_id -party_id $party_id] } { + if { [relation_segment_has_dependent -segment_id $segment_id -party_id $party_id] } { error "Relational constraints violated by removing this relation" } } @@ -169,13 +169,13 @@ -ad_proc -public relation_segment_has_dependant { +ad_proc -public relation_segment_has_dependent { { -rel_id "" } { -segment_id "" } { -party_id "" } } { Returns 1 if the specified segment/party combination has a - dependant (meaning a constraint would be violated if we removed this + dependent (meaning a constraint would be violated if we removed this relation). 0 otherwise. Either rel_id or segment_id and party_id must be specified. rel_id takes precedence. 
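Review bot: `relation_segment_has_dependant` is declared `ad_proc -public`, and the @@ -169 hunk renames it outright, so any caller outside this package (another package or site-local code) that still uses the old spelling will fail with an unknown-command error at runtime. The in-package call sites at @@ -157 and in www/admin/relations/remove.tcl are updated, and the error string in the @@ -187 hunk follows suit, but nothing keeps the old name resolvable. A deprecated forwarding alias, added after the renamed proc, preserves compatibility and can be dropped in a later release. The body of the renamed proc continues past the end of this hunk.
```tcl
# … unchanged: relation_segment_has_dependent as renamed in this commit …

ad_proc -deprecated relation_segment_has_dependant { args } {
    Deprecated alias kept so external callers of the misspelled
    name keep working; forwards to relation_segment_has_dependent.
} {
    return [relation_segment_has_dependent {*}$args]
}
```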
@@ -187,13 +187,13 @@ if { $rel_id ne "" } { if { ![db_0or1row select_rel_info {}] } { - # There is either no relation or no segment... thus no dependants + # There is either no relation or no segment... thus no dependents return 0 } } if { $segment_id eq "" || $party_id eq "" } { - error "Both of segment_id and party_id must be specified in call to relation_segment_has_dependant" + error "Both of segment_id and party_id must be specified in call to relation_segment_has_dependent" } return [db_string others_depend_p {}] Index: openacs-4/packages/acs-subsite/tcl/relation-procs.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/relation-procs.xql,v diff -u -r1.5.18.1 -r1.5.18.2 --- openacs-4/packages/acs-subsite/tcl/relation-procs.xql 28 Oct 2015 09:38:35 -0000 1.5.18.1 +++ openacs-4/packages/acs-subsite/tcl/relation-procs.xql 21 Apr 2017 15:27:49 -0000 1.5.18.2 @@ -15,7 +15,7 @@ - + select s.segment_id, r.object_id_two as party_id from rel_segments s, acs_rels r Index: openacs-4/packages/acs-subsite/tcl/subsite-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/subsite-procs.tcl,v diff -u -r1.44.2.13 -r1.44.2.14 --- openacs-4/packages/acs-subsite/tcl/subsite-procs.tcl 11 Feb 2017 21:54:38 -0000 1.44.2.13 +++ openacs-4/packages/acs-subsite/tcl/subsite-procs.tcl 21 Apr 2017 15:27:49 -0000 1.44.2.14 
@@ -394,7 +394,7 @@ object_type {ancestor_type acs_object} } { - @return the object type heirarchy for the given object type from ancestor_type to object_type + @return the object type hierarchy for the given object type from ancestor_type to object_type } { set path_list [list] Index: openacs-4/packages/acs-subsite/tcl/test/acs-subsite-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/test/acs-subsite-procs.tcl,v diff -u -r1.7.2.3 -r1.7.2.4 --- openacs-4/packages/acs-subsite/tcl/test/acs-subsite-procs.tcl 27 Feb 2017 15:33:36 -0000 1.7.2.3 +++ openacs-4/packages/acs-subsite/tcl/test/acs-subsite-procs.tcl 21 Apr 2017 15:27:49 -0000 1.7.2.4 @@ -107,7 +107,7 @@ aa_register_case -cats smoke acs_subsite_check_composite_group { - Build a 3-level hierachy of composite groups and check memberships. This test case covers the membership and composition rel insertion triggers and composability of basic membership and admin rels. + Build a 3-level hierarchy of composite groups and check memberships. This test case covers the membership and composition rel insertion triggers and composability of basic membership and admin rels. @author Michael Steigman } { Index: openacs-4/packages/acs-subsite/www/admin/parties/new.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/admin/parties/new.tcl,v diff -u -r1.9.2.5 -r1.9.2.6 --- openacs-4/packages/acs-subsite/www/admin/parties/new.tcl 10 Jun 2016 12:14:44 -0000 1.9.2.5 +++ openacs-4/packages/acs-subsite/www/admin/parties/new.tcl 21 Apr 2017 15:27:49 -0000 1.9.2.6 
@@ -91,7 +91,7 @@ set object_type_pretty_name $party_type_pretty_name # We're going to have to pass the required_group_rel_type_list to the - # next page. The easiest way I see to do this is jsut encode the list + # next page. The easiest way I see to do this is just encode the list # in a variable, since the list is just a string anyways. # We don't care about the first group/rel_type combo, because we'll pass Fisheye: Tag 1.6.2.1 refers to a dead (removed) revision in file `openacs-4/packages/acs-subsite/www/admin/relations/remove-dependants-exist.adp'. Fisheye: No comparison available. Pass `N' to diff? Fisheye: Tag 1.1 refers to a dead (removed) revision in file `openacs-4/packages/acs-subsite/www/admin/relations/remove-dependents-exist.adp'. Fisheye: No comparison available. Pass `N' to diff? Index: openacs-4/packages/acs-subsite/www/admin/relations/remove-oracle.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/admin/relations/Attic/remove-oracle.xql,v diff -u -r1.1 -r1.1.30.1 --- openacs-4/packages/acs-subsite/www/admin/relations/remove-oracle.xql 15 May 2001 16:59:01 -0000 1.1 +++ openacs-4/packages/acs-subsite/www/admin/relations/remove-oracle.xql 21 Apr 2017 15:27:49 -0000 1.1.30.1 @@ -16,7 +16,7 @@ - + select r.viol_rel_id as rel_id, Index: openacs-4/packages/acs-subsite/www/admin/relations/remove-postgresql.xql =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/admin/relations/Attic/remove-postgresql.xql,v diff -u -r1.1 -r1.1.30.1 --- openacs-4/packages/acs-subsite/www/admin/relations/remove-postgresql.xql 15 May 2001 16:59:01 -0000 1.1 +++ openacs-4/packages/acs-subsite/www/admin/relations/remove-postgresql.xql 21 Apr 2017 15:27:49 -0000 1.1.30.1 
@@ -16,7 +16,7 @@ - + select r.viol_rel_id as rel_id, Index: openacs-4/packages/acs-subsite/www/admin/relations/remove.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/admin/relations/remove.tcl,v diff -u -r1.3.2.4 -r1.3.2.5 --- openacs-4/packages/acs-subsite/www/admin/relations/remove.tcl 20 May 2016 20:02:44 -0000 1.3.2.4 +++ openacs-4/packages/acs-subsite/www/admin/relations/remove.tcl 21 Apr 2017 15:27:49 -0000 1.3.2.5 @@ -13,7 +13,7 @@ context:onevalue export_vars:onevalue rel:onerow - dependants:multirow + dependents:multirow } -validate { permission_p -requires {rel_id:notnull} { if { ![relation_permission_p -privilege delete $rel_id] } { 
@@ -38,15 +38,15 @@ # Now let's see if removing this relation would violate some # constraint. -if { [relation_segment_has_dependant -rel_id $rel_id] } { +if { [relation_segment_has_dependent -rel_id $rel_id] } { set return_url "[ad_conn url]?[ad_conn query]" # We can't remove this relation - display the violations - template::multirow create dependants rel_id rel_type_pretty_name object_id_one_name object_id_two_name export_vars + template::multirow create dependents rel_id rel_type_pretty_name object_id_one_name object_id_two_name export_vars - db_foreach select_dependants {} { - template::multirow append dependants $rel_id $rel_type_pretty_name $object_id_one_name $object_id_two_name [export_vars {rel_id return_url}] + db_foreach select_dependents {} { + template::multirow append dependents $rel_id $rel_type_pretty_name $object_id_one_name $object_id_two_name [export_vars {rel_id return_url}] } - ad_return_template remove-dependants-exist + ad_return_template remove-dependents-exist return } Index: openacs-4/packages/acs-subsite/www/permissions/index.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/index.tcl,v diff -u -r1.4.2.3 -r1.4.2.4 --- openacs-4/packages/acs-subsite/www/permissions/index.tcl 5 Apr 2017 16:47:47 -0000 1.4.2.3 +++ openacs-4/packages/acs-subsite/www/permissions/index.tcl 21 Apr 2017 15:27:49 -0000 1.4.2.4 
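Review bot: `ad_return_template remove-dependents-exist` now names a template whose presence on this branch this page does not confirm: the Fisheye lines above report that both `remove-dependants-exist.adp` and `remove-dependents-exist.adp` resolve to dead revisions for the compared tags, so the .adp rename needs to land together with this hunk or the page would fail to render whenever a dependent exists. The same check applies to `select_dependents`, whose fullquery lives in remove-oracle.xql and remove-postgresql.xql (both listed under Attic here) and whose renamed XML content is stripped from this page. This is a page script rather than a proc, so the hunk is not inside an enclosing definition.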
@@ -2,7 +2,7 @@ ad_page_contract { Display all objects that the user has admin on. - Templated and changed to browse heirarchy by davis@xarg.net + Templated and changed to browse hierarchy by davis@xarg.net since all objects can be a *lot* of objects. @author rhs@mit.edu Index: openacs-4/packages/acs-api-browser/www/proc-search.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-api-browser/www/proc-search.tcl,v diff -u -r1.15.2.9 -r1.15.2.10 --- openacs-4/packages/acs-api-browser/www/proc-search.tcl 6 Feb 2017 12:44:41 -0000 1.15.2.9 +++ openacs-4/packages/acs-api-browser/www/proc-search.tcl 21 Apr 2017 15:35:24 -0000 1.15.2.10 @@ -3,7 +3,7 @@ ad_page_contract { Searches for procedures with containing query_string if lucky redirects to best match - Weight the different hits with the propper weights + Weight the different hits with the proper weights Shows a list of returned procs with links to proc-view Index: openacs-4/packages/acs-authentication/lib/search.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/lib/search.tcl,v diff -u -r1.6.2.1 -r1.6.2.2 --- openacs-4/packages/acs-authentication/lib/search.tcl 10 Sep 2015 08:21:12 -0000 1.6.2.1 +++ openacs-4/packages/acs-authentication/lib/search.tcl 21 Apr 2017 15:35:24 -0000 1.6.2.2 
@@ -11,7 +11,7 @@ To add a member of a group add_to_subsite (list of label url) add_to_main_site (optional) (list of label url) - group_id (optional default to subsite applicaiton group) + group_id (optional default to subsite application group) rel_type (default to membership_rel) } { Index: openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl,v diff -u -r1.89.2.9 -r1.89.2.10 --- openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl 7 Mar 2017 19:56:34 -0000 1.89.2.9 +++ openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl 21 Apr 2017 15:35:24 -0000 1.89.2.10 @@ -389,7 +389,7 @@ } { set parameter_value [parameter::get_from_package_key -parameter RegisterAuthority -package_key "acs-authentication"] - # Catch the case where somebody has set the parameter to some non-existant authority + # Catch the case where somebody has set the parameter to some non-existent authority if {$parameter_value in [auth::authority::get_short_names]} { # The authority exists set authority_id [auth::authority::get_id -short_name $parameter_value] Index: openacs-4/packages/acs-authentication/tcl/password-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/tcl/password-procs.tcl,v diff -u -r1.19.2.4 -r1.19.2.5 --- openacs-4/packages/acs-authentication/tcl/password-procs.tcl 12 Sep 2016 11:06:41 -0000 1.19.2.4 +++ openacs-4/packages/acs-authentication/tcl/password-procs.tcl 21 Apr 2017 15:35:24 -0000 1.19.2.5 
@@ -512,7 +512,7 @@ {-body_msg_key "acs-subsite.email_body_Forgotten_password"} {-from ""} } { - Send an email to ther user with given username and authority with the new password. + Send an email to the user with given username and authority with the new password. @param from The email's from address. Can be in email@foo.com format. Defaults to ad_system_owner. Index: openacs-4/packages/acs-authentication/www/doc/acs-authentication.htm =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/Attic/acs-authentication.htm,v diff -u -r1.2 -r1.2.18.1 --- openacs-4/packages/acs-authentication/www/doc/acs-authentication.htm 13 Jan 2005 13:54:42 -0000 1.2 +++ openacs-4/packages/acs-authentication/www/doc/acs-authentication.htm 21 Apr 2017 15:35:24 -0000 1.2.18.1 @@ -1,138 +1,138 @@ - - - - -OpenACS Authentication - - - - - -
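Review bot: The corrected sentence still only says the user receives `the new password`; since that means the freshly generated password is written into the message body, the docstring should say so explicitly so the proc is not reused for other notifications, e.g. add `The new password appears in clear in the e-mail body; call this only from the reset flow that generated it.` after the first sentence. The proc's argument list begins and its body continues outside the hunk.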

acs-authentication -

-

This document aims to help you understand how it works and how you can use it for your own purpouses. By Rocael Hernández R.

-

Main functionality: It is used to authenticate any user in an openacs installations.

-

So far, you can use it to authenticate against LDAP & PAM, and of course, locally. You can implement your own based on your needs, processes, etc.

-

Definition: SC = service-contract

-

 

-

Authorities

-

acs-authentication can have multiple authorities, each one represent an specific configuration of authenticatication. For instance, in your openacs installation you can have users related to different authorities, some of them might authenticate locally since they are external or invited, others belongs to your corporate network and already have users, so might authenticate against LDAP and others in your own work office might use PAM for authentication because your local system authentication. Plus you might define an specific implementation (using the set of SC) to connect to your client DB, which is in another DB, and allow your clients login to certain parts of your website. Then, this is right way to handle all those set of users, that already might have an account in another place and you just want them to authenticate against that external system.
-

-

The idea is: each user belongs to a given authority, and just one .

-

To add an authority in your installation go to /acs-admin/auth/ and click on "Create new authority".

-

When adding the authority you need to configure:

-
    -
  • Authentication method (where to authenticate, i.e. check user/password)
  • -
  • Password Management (where to update passwords)
  • -
  • Account Registration (where to create new accounts)
  • -
  • On-Demand Sync (to get user info from the source in real time)
  • -
-

Those configurations simply will perform the tcl proc that is defined in the SC above described for the given SC implementation that you choose. In other words:

-
    -
  • For using LDAP, you need to install auth-ldap, on its installation, this package will create an implementation of the above mentioned SC definitions (look at "specs" that define which proc needs to be called for each alias).
  • -
  • PAM package is auth-pam.
  • -
  • Probably, for any new authentication method you'll need to create your own package in the same style of auth-ldap or auth-pam.
  • -
-

 

-

Note: "Batch Synchronization" will not be administered there anymore in the future, everything will go to ims-ent.

-

Also, depending on each implementation, it has a set of parameters that will require for the configuration to work. And those parameters are set independently by authority / authentication method, so for LDAP you'll be able to configure the next set of parameters:

-
    -
  • DNPattern
  • -
  • UsernameAttribute
  • -
  • Elements
  • -
  • BaseDN
  • -
  • Attributes
  • -
  • PasswordHash
  • -
-

Then you can enter your specific values for your server, is likely that the recomemded ones will work fine.

-

Hint: nssha (SSHA) doesn't work well with LDAP use ns_passwd or another encription method (MD5...)

-

You can make your users to loging using the email or username, by changing the paramenter at the kernel named: UseEmailForLoginP under Security section. If username is used for loging, it will ask for the authority to use, since username is unique by authority but not for the entire openacs installation (can exists several identic usernames but each one belongs to a different authority).

-

 

-

acs-authentication defines a set of SC to interact with the different authentication implementations (LDAP or PAM):

-
    -
  1. auth_authentication "Authenticate users and retrieve their account status.", with the operations:
  2. -
      -
    • Authenticate
    • -
    • GetParameters
    • -
    -
  3. auth_password "Update, reset, and retrieve passwords for authentication.", with the operations: -
      -
    • CanChangePassword
    • -
    • ChangePassword
    • -
    • CanRetrievePassword
    • -
    • RetrievePassword
    • -
    • CanResetPassword
    • -
    • ResetPassword
    • -
    • GetParameters
    • -
    -
  4. -
  5. auth_registration "Registering accounts for authentication", with the operations:
  6. -
      -
    • GetElements
    • -
    • Register
    • -
    • GetParameters
    • -
    -
  7. auth_sync_retrieve
  8. -
  9. auth_sync_process
  10. -
  11. auth_user_info -
      -
    • GetUserInfo
    • -
    • GetParameters
    • -
    -
  12. -
-

Note: #4 & #5 will be taken out from authentication and moved to the package ims-ent.

-

The SC definitions are quite straightforward, then worth to look at them for better understanding.

-

 

-

Login process

-

In an openacs site the login is managed through acs-authentication. It happens like this:
-

-
    -
  1. The user enters the email/user & password
  2. -
  3. It will search the user in the users table and return the authority_id
  4. -
  5. With that authority_id it will find the respective SC implementation which contains the adecuate tcl proc for the authentication process
  6. -
  7. That proc will check the identity of the user based on the password (right now could be locally, pam or ldap authenticated, though this model supports N methods of authentication)
  8. -
- -

 

- - + + + + +OpenACS Authentication + + + + + +

acs-authentication +

+

This document aims to help you understand how it works and how you can use it for your own purpouses. By Rocael Hernández R.

+

Main functionality: It is used to authenticate any user in an openacs installations.

+

So far, you can use it to authenticate against LDAP & PAM, and of course, locally. You can implement your own based on your needs, processes, etc.

+

Definition: SC = service-contract

+

 

+

Authorities

+

acs-authentication can have multiple authorities, each one represent an specific configuration of authenticatication. For instance, in your openacs installation you can have users related to different authorities, some of them might authenticate locally since they are external or invited, others belongs to your corporate network and already have users, so might authenticate against LDAP and others in your own work office might use PAM for authentication because your local system authentication. Plus you might define an specific implementation (using the set of SC) to connect to your client DB, which is in another DB, and allow your clients login to certain parts of your website. Then, this is right way to handle all those set of users, that already might have an account in another place and you just want them to authenticate against that external system.
+

+

The idea is: each user belongs to a given authority, and just one .

+

To add an authority in your installation go to /acs-admin/auth/ and click on "Create new authority".

+

When adding the authority you need to configure:

+
    +
  • Authentication method (where to authenticate, i.e. check user/password)
  • +
  • Password Management (where to update passwords)
  • +
  • Account Registration (where to create new accounts)
  • +
  • On-Demand Sync (to get user info from the source in real time)
  • +
+

Those configurations simply will perform the tcl proc that is defined in the SC above described for the given SC implementation that you choose. In other words:

+
    +
  • For using LDAP, you need to install auth-ldap, on its installation, this package will create an implementation of the above mentioned SC definitions (look at "specs" that define which proc needs to be called for each alias).
  • +
  • PAM package is auth-pam.
  • +
  • Probably, for any new authentication method you'll need to create your own package in the same style of auth-ldap or auth-pam.
  • +
+

 

+

Note: "Batch Synchronization" will not be administered there anymore in the future, everything will go to ims-ent.

+

Also, depending on each implementation, it has a set of parameters that will require for the configuration to work. And those parameters are set independently by authority / authentication method, so for LDAP you'll be able to configure the next set of parameters:

+
    +
  • DNPattern
  • +
  • UsernameAttribute
  • +
  • Elements
  • +
  • BaseDN
  • +
  • Attributes
  • +
  • PasswordHash
  • +
+

Then you can enter your specific values for your server, is likely that the recomemded ones will work fine.

+

Hint: nssha (SSHA) doesn't work well with LDAP use ns_passwd or another encription method (MD5...)

+

You can make your users to loging using the email or username, by changing the paramenter at the kernel named: UseEmailForLoginP under Security section. If username is used for loging, it will ask for the authority to use, since username is unique by authority but not for the entire openacs installation (can exists several identic usernames but each one belongs to a different authority).

+

 

+

acs-authentication defines a set of SC to interact with the different authentication implementations (LDAP or PAM):

+
    +
  1. auth_authentication "Authenticate users and retrieve their account status.", with the operations:
  2. +
      +
    • Authenticate
    • +
    • GetParameters
    • +
    +
  3. auth_password "Update, reset, and retrieve passwords for authentication.", with the operations: +
      +
    • CanChangePassword
    • +
    • ChangePassword
    • +
    • CanRetrievePassword
    • +
    • RetrievePassword
    • +
    • CanResetPassword
    • +
    • ResetPassword
    • +
    • GetParameters
    • +
    +
  4. +
  5. auth_registration "Registering accounts for authentication", with the operations:
  6. +
      +
    • GetElements
    • +
    • Register
    • +
    • GetParameters
    • +
    +
  7. auth_sync_retrieve
  8. +
  9. auth_sync_process
  10. +
  11. auth_user_info +
      +
    • GetUserInfo
    • +
    • GetParameters
    • +
    +
  12. +
+

Note: #4 & #5 will be taken out from authentication and moved to the package ims-ent.

+

The SC definitions are quite straightforward, then worth to look at them for better understanding.

+

 

+

Login process

+

In an openacs site the login is managed through acs-authentication. It happens like this:
+

+
    +
  1. The user enters the email/user & password
  2. +
  3. It will search the user in the users table and return the authority_id
  4. +
  5. With that authority_id it will find the respective SC implementation which contains the adequate tcl proc for the authentication process
  6. +
  7. That proc will check the identity of the user based on the password (right now could be locally, pam or ldap authenticated, though this model supports N methods of authentication)
  8. +
+ +

 

+ + Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.adp,v diff -u -r1.1.2.5 -r1.1.2.6 --- openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.adp 10 Nov 2016 14:51:18 -0000 1.1.2.5 +++ openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.adp 21 Apr 2017 15:35:24 -0000 1.1.2.6 @@ -23,7 +23,7 @@ Background. The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or -Postgresql. It opened a connection using a priveleged account and +Postgresql. It opened a connection using a privileged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html,v diff -u -r1.5.14.1 -r1.5.14.2 --- openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html 16 Jul 2016 17:28:03 -0000 1.5.14.1 +++ openacs-4/packages/acs-authentication/www/doc/ext-auth-ldap-install.html 21 Apr 2017 15:35:24 -0000 1.5.14.2 @@ -1,7 +1,7 @@ Using LDAP/Active Directory with OpenACS

Using LDAP/Active Directory with OpenACS

by John Sequeira, Michael Steigman, and Carl Blesius. OpenACS docs are written by the named authors, and may be edited by OpenACS documentation staff. -

ToDo: Add/verify information on on-demand sync, account registration, and batch synchronization. Add section on ldapsearch.

Overview. You do not want to make users remember yet another password and username. If you can avoid it you do not want to store their passwords either. This document should help you set your system up so your users can seamlessly log in to your OpenACS instance using the password they are accustomed to using for other things at your institution.

Background. The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a priveleged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS.Save their passwords? Sync passwords? Deal with forgotten password requests? No Thanks. Using ldap bind, you can delegate authentication completely to LDAP. This way you can let the IT department (if you are lucky) worry about password storage/synchronization/etc. The bind operation takes a username and password and returns a true of false depending on whether they match up. This document takes the 'bind' approach so that your users LDAP/AD password (or whatever else you use) can be used to login to OpenACS.

Note on Account Creation. On the authentication driver configure screens, you will also see lots of options for synchronizing users between your directory and OpenACS. This document takes the approach of provisioning users on demand instead of ahead-of-time. This means that when they attempt to login to OpenACS, if they have a valid Windows account, we'll create an account for them in OpenACS and log them in.

  1. Installing AOLserver LDAP support (openldap and nsldap). Install openldap and nsldap using +

ToDo: Add/verify information on on-demand sync, account registration, and batch synchronization. Add section on ldapsearch.

Overview. You do not want to make users remember yet another password and username. If you can avoid it you do not want to store their passwords either. This document should help you set your system up so your users can seamlessly log in to your OpenACS instance using the password they are accustomed to using for other things at your institution.

Background. The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a privileged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS.Save their passwords? Sync passwords? Deal with forgotten password requests? No Thanks. Using ldap bind, you can delegate authentication completely to LDAP. This way you can let the IT department (if you are lucky) worry about password storage/synchronization/etc. The bind operation takes a username and password and returns a true of false depending on whether they match up. This document takes the 'bind' approach so that your users LDAP/AD password (or whatever else you use) can be used to login to OpenACS.

Note on Account Creation. On the authentication driver configure screens, you will also see lots of options for synchronizing users between your directory and OpenACS. This document takes the approach of provisioning users on demand instead of ahead-of-time. This means that when they attempt to login to OpenACS, if they have a valid Windows account, we'll create an account for them in OpenACS and log them in.

  1. Installing AOLserver LDAP support (openldap and nsldap). Install openldap and nsldap using the document Malte created Next, modify your config.tcl file as directed in the nsldap README. Here's what the relevant additions should look like:

       
     # LDAP authentication
    Index: openacs-4/packages/acs-authentication/www/doc/xml/install.xml
    ===================================================================
    RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/xml/install.xml,v
    diff -u -r1.5 -r1.5.14.1
    --- openacs-4/packages/acs-authentication/www/doc/xml/install.xml	4 Jun 2006 00:45:21 -0000	1.5
    +++ openacs-4/packages/acs-authentication/www/doc/xml/install.xml	21 Apr 2017 15:35:24 -0000	1.5.14.1
    @@ -190,7 +190,7 @@
         You do not want to make users remember yet another password and username. If you can avoid it you do not want to store their passwords either. This document should help you set your system up so your users can seamlessly log in to your OpenACS instance using the password they are accustomed to using for other things at your institution.
         
         Background
    -     The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a priveleged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS.
    +     The original OpenACS LDAP implementation (which has been depreciated by this package) treated the LDAP server as another data store similar to Oracle or Postgresql. It opened a connection using a privileged account and read or stored an encrypted password for the user in question. This password was independent of the user's operating system or network account, and had to be synchronized if you wanted the same password for OpenACS.
          Save their passwords? Sync passwords? Deal with forgotten password requests? No Thanks. Using ldap bind, you can delegate authentication completely to LDAP. This way you can let the IT department (if you are lucky) worry about password storage/synchronization/etc. The bind operation takes a username and password and returns a true of false depending on whether they match up. This document takes the 'bind' approach so that your users LDAP/AD password (or whatever else you use) can be used to login to OpenACS.
         
          Note on Account Creation