Author: jfthomps
Date: Fri Jul 27 20:43:28 2012
New Revision: 1366527
URL: http://svn.apache.org/viewvc?rev=1366527&view=rev
Log:
adding ldap authentication docs
Added:
vcl/site/trunk/content/docs/ldap-ca-bundle-ex.mdtext (with props)
vcl/site/trunk/content/docs/ldap-showhostname.mdtext (with props)
vcl/site/trunk/content/docs/ldapauth.mdtext (with props)
Added: vcl/site/trunk/content/docs/ldap-ca-bundle-ex.mdtext
URL: http://svn.apache.org/viewvc/vcl/site/trunk/content/docs/ldap-ca-bundle-ex.mdtext?rev=1366527&view=auto
==============================================================================
--- vcl/site/trunk/content/docs/ldap-ca-bundle-ex.mdtext (added)
+++ vcl/site/trunk/content/docs/ldap-ca-bundle-ex.mdtext Fri Jul 27 20:43:28
2012
@@ -0,0 +1,19 @@
+Title: Example ca-bundle.crt File
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+stub page
\ No newline at end of file
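Review bot: the body of this new page is only "stub page", yet ldapauth.mdtext in this same commit links to it as the worked example of a ca-bundle.crt with the LDAP server's root CA appended ("([example](/docs/ldap-ca-bundle-ex.html))"). Either add the example content here or hold back that link until the page has content; as committed, readers following the certificate step land on an empty page at the point where the instructions are least forgiving.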
Propchange: vcl/site/trunk/content/docs/ldap-ca-bundle-ex.mdtext
------------------------------------------------------------------------------
svn:eol-style = native
Added: vcl/site/trunk/content/docs/ldap-showhostname.mdtext
URL: http://svn.apache.org/viewvc/vcl/site/trunk/content/docs/ldap-showhostname.mdtext?rev=1366527&view=auto
==============================================================================
--- vcl/site/trunk/content/docs/ldap-showhostname.mdtext (added)
+++ vcl/site/trunk/content/docs/ldap-showhostname.mdtext Fri Jul 27 20:43:28
2012
@@ -0,0 +1,19 @@
+Title: Viewing the hostname in an SSL certificate
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+stub page
\ No newline at end of file
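Review bot: same stub-page problem as ldap-ca-bundle-ex.mdtext. ldapauth.mdtext tells the reader that the hostname in the certificate must match the server value entered in conf.php and points here for how to view that hostname, so with this page empty the one check that prevents a verification failure (or an /etc/hosts workaround applied to the wrong name) is undocumented. Suggest adding the procedure before the link goes live, or dropping the link until then.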
Propchange: vcl/site/trunk/content/docs/ldap-showhostname.mdtext
------------------------------------------------------------------------------
svn:eol-style = native
Added: vcl/site/trunk/content/docs/ldapauth.mdtext
URL: http://svn.apache.org/viewvc/vcl/site/trunk/content/docs/ldapauth.mdtext?rev=1366527&view=auto
==============================================================================
--- vcl/site/trunk/content/docs/ldapauth.mdtext (added)
+++ vcl/site/trunk/content/docs/ldapauth.mdtext Fri Jul 27 20:43:28 2012
@@ -0,0 +1,127 @@
+Title: LDAP Authentication
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+# Adding LDAP Authenciation
+
+## Prerequisites for your LDAP server:
+
+* SSL must be enabled on your LDAP server
+* An LDAP account that can look up these items for users:
+ * first name
+ * last name
+ * user id
+ * email (optional)
+
+ This will be referred to as 'vcllookup' on
+this page. You can skip this step if anonymous binds are enabled on your LDAP
server
+and an anonymous bind will be able to look up the listed items.
+* If your LDAP server is behind a firewall, you will need to allow your VCL
web
+server to access tcp port 636 on your LDAP server
+
+## Prerequisites for your VCL web server:
+
+* **php-ldap** needs to be installed
+* **SSL certificate** - If your LDAP server's SSL certificate is self-signed,
your VCL web server needs
+to have the root CA certificate that was used to sign the LDAP server
certificate
+installed. The PEM formatted certificate needs to be added to the
ca-bundle.crt file.
+On CentOS, the file is located at /etc/pki/tls/certs/ca-bundle.crt
+([example](/docs/ldap-ca-bundle-ex.html)). The hostname in
+the certificate must match the hostname entered in the conf.php file further
down.
+If your certificate does not have the correct hostname in it, you must put an
entry
+in /etc/hosts for the hostname in the certificate ([viewing the hostname in
the
+certificate](/docs/ldap-showhostname.html)).
+
+* After adding the certificate, restart httpd:
+
+ service httpd restart
+
+* You can verify that the certificate is properly installed using this command:
+
+ openssl s_client -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt
-connect
+your.ldap.server.here:636
+
+ If you see "Verify return code: 0 (ok)" at the end of the output then it
is
+installed correctly. If you see a different return code, then you'll need to
+troubleshoot the problem.
+* You may need to add a line to */etc/openldap/ldap.conf* to point to the
+ca-bundle.crt file. If so, add the following:
+
+ TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
+
+
+## Adding LDAP Authentication to the Web Code
+
+* You will need to manually add an entry to the affiliation table in the VCL
+database. Choose a name for the affiliation. This will be appended to all
userids
+for the affiliation to distinguish them from other affiliations you may
configure
+later. *Do not* use the Global affiliation for this. Initials or a short name
of
+your organization are a good idea. The affiliation name cannot contain spaces.
Use
+the following to add the affiliation, replacing 'EXAMPLE' with the name you
chose.
+Take note of the id from the 2nd SQL statement as you will need it later. It
is the
+numerical id for this affiliation.
+
+ mysql vcl
+
+ INSERT INTO affiliation (name) VALUES ('EXAMPLE');
+
+ SELECT id FROM affiliation WHERE name = 'EXAMPLE';
+
+ exit
+
+* Edit *conf.php* and search for "EXAMPLE1 LDAP"
+* Uncomment the "EXAMPLE1 LDAP" section by removing the '/\*' before it and
the '\*/'
+at the end of 'to use this login mechanism'
+* Change 'EXAMPLE1 LDAP' to something to match your location, for example at
NCSU,
+it is 'NCSU LDAP'. This string is what users will see where they select the
+authentication mechanism to use when logging in.
+* Modify the following fields:
+ * **server** - this is the hostname of your LDAP server - this must match
the
+hostname in the certificate.
+ * **binddn** - typically, you'll want to use the base DN of your LDAP
server; for
+Active Directory, this is usually dc= for each of your domain name components.
For
+example, your your domain name was ad.example.org, it would be
+"dc=ad,dc=example,dc=org"
+ * **userid** - this is a string that is added to the userid a user enters
on the
+login page. Place a '%s' where the entered userid should go. Some examples are:
+ * %[email protected]
+ * %[email protected]
+ * uid=%s,ou=accounts,dc=example,dc=org'
+ * **unityid** \- this is the ldap field that contains a user's login id
(for Active
+Directory, this is usually sAMAccountName)
+ * **firstname** \- this is the ldap field that contains a user's first name
+ * **lastname** \- this is the ldap field that contains a user's last name
+ * **email** \- this is the ldap field that contains a user's email address
+ * **defaultemail** \- if an email address is not provided by the ldap
server, this
+will be appended to the end of the userid to create an email address. In this
case,
+email notifications will be disabled by default.
+ * **masterlogin** \- this is the vcllookup account referred to in the
"Prerequisites
+for your LDAP server" section - comment out this line if using anonymous binds
+ * **masterpwd** \- password for the masterlogin account - comment out this
line if
+using anonymous binds
+ * **affiliationid** \- this is the id from the SELECT statement in the
first step
+ * **lookupuserbeforeauth** \- Some LDAP servers will only allow the full
DN of a
+user to be used when authenticating. If this is the case, you will need to set
this
+to 1 and set a value for *lookupuserfield*. You can probably start out with
this set
+to 0. If your LDAP server has users in multiple containers, you will probably
need
+to set this to 1.
+ * **lookupuserfield** \- If you need to set *lookupuserbeforeauth* to 1,
set
+this to the attribute to use to search for the user in ldap. Typical values
are 'cn',
+'uid', and 'samaccountname'.
+ * **help** \- this is some text that will show up on the page where users
select the
+authentication method explaining why they would select this option
+* Uncomment the *require_once* line for *ldapauth.php* toward the bottom of
the file
\ No newline at end of file
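Review bot: several text defects in this hunk should be fixed before publishing. The top-level heading reads "Adding LDAP Authenciation" (should be "Authentication"); the binddn bullet reads "For example, your your domain name was ad.example.org" (should be "if your domain name was"); and the third userid example, "uid=%s,ou=accounts,dc=example,dc=org'", carries a stray trailing apostrophe that a reader will copy into conf.php and get a parse error from. Two documentation gaps worth closing while here: masterpwd puts the vcllookup account's password in clear text in conf.php, so the page should tell the reader to keep that file readable only by the web server user; and the "Verify return code: 0 (ok)" check only proves the chain verifies against the given -CAfile, so a sentence that the same hostname used with -connect must be the one placed in the server field would tie the two steps together.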
Propchange: vcl/site/trunk/content/docs/ldapauth.mdtext
------------------------------------------------------------------------------
svn:eol-style = native