OpenInteract2::Manual::LDAP - OpenInteract and LDAP
Discussion of how you can use LDAP with OpenInteract.
With SPOPS 0.50+, you can now use LDAP not only as a datastore for your objects, but also for authenticating users and determining group membership. This document explains how.
If you're thinking about using LDAP for user authentication and group membership, PLEASE READ THIS DOCUMENT FULLY before you install and use OpenInteract. Otherwise you may have some work to undo (like dropping and readding tables) and actions like schema changes can become more difficult.
SPOPS::LDAP provides the serialization logic and behavior
OpenInteract2::Datasource::LDAP provides centralized connection management
OpenInteract2::SPOPS::LDAP will be the parent of any OI LDAP data object class as it provides common behaviors. (This is done autmatically in OI2.)
Additionally, two packages (base_group and base_user) offer options for storing users and groups in LDAP and doing authentication from there. See below for more.
First, install SPOPS version 0.86 or higher and run its tests to ensure that the LDAP portion (SPOPS::LDAP) is functioning properly with your LDAP server.
Next, make the following modifications to the server configuration file:
Add relevant connection information as a datasource. The 'datasource.main_ldap' section is already defined for you as a template. The usual suspects -- host, port, base DN -- are there, and you can provide a standard bind DN and password as well. (Examples below.)
Set the key datasource_config.ldap to the connection to be used when an LDAP object doesn't specify a datasource. By default we define the datasource 'main_ldap' so this is also set to 'main_ldap'. If you define a different datasource name in the previous step you should set it here as well.
datasource_config.ldap
You can test your connection information from oi2_manage:
oi2_manage
$ oi2_manage test_ldap --website_dir=/path/to/mysite
This will go through each of the defined datasources and try to connect and bind given the information in the server configuration file.
Storing users and groups for use in OpenInteract authentication makes things a little trickier. This is supported but still in its infancy, so you might scare up a few gotchas here and there.
You should only need to do the following:
Modify the SPOPS configuration files for both users (base_user-x.xx/conf/spops_user.ini) and groups (base_group-x.xx/conf/spops_group.ini) or use and tweak the ones supplied under the same path but named ldap_spops_user.ini and ldap_spops_group.ini.
base_user-x.xx/conf/spops_user.ini
base_group-x.xx/conf/spops_group.ini
ldap_spops_user.ini
ldap_spops_group.ini
Change the key login.crypt_password to '0' (LDAP takes care of this for you)
login.crypt_password
Modify the server configuration file to set the values for both the id.user_type and id.group_type keys to 'char'. Do this before installing OpenInteract since these keys inform the datatypes of other tables, such as sys_error which stores errors.
id.user_type
id.group_type
sys_error
Modify the server configuration file to set the values for the system users and groups. You can map these to existing users or create new ones. The keys you'll need to modify are:
default_objects.superuser default_objects.supergroup default_objects.public_group default_objects.site_admin_group<
See the discussion about 'Object Security' below for more information about this.
Note that the 'sasl' key in the relevant LDAP datasource configuration section has not yet been tested, primarily because we need to setup a development server that has SASL/CRAM-MD5 support properly compiled in.
If you're having issues authenticating, try the following simple script, setting the variables to appropriate values:
1: #!/usr/bin/perl 2: 3: use strict; 4: use Net::LDAP; 5: 6: my $host = 'localhost'; 7: my $port = 389; 8: my $bind_dn = 'cn=Manager,dc=MyCompany,dc=com'; 9: 10: my $bind_password = 'password'; 11: 12: my $ldap = Net::LDAP->new( $host, port => $port ); 13: die "Cannot make LDAP connection\n" unless ( $ldap ); 14: 15: my $ldap_msg = $ldap->bind( dn => $bind_dn, password => $bind_password ); 16: if ( my $code = $ldap_msg->code ) { 17: die "Error during bind (Code: $code)\n", $ldap_msg->error, "\n"; 18: } 19: print "Connect/bind ok.";
You might be using LDAP because you have a directory of existing information. If you are doing this, then you need to tell OpenInteract about the security for the objects already in the system.
The base_security package has a script for automating this fairly common action. You'll need to run the script create_object_security.pl found in that package. Here's a sample:
base_security
create_object_security.pl
1: $ export OPENINTERACT2=/path/to/mysite 2: $ cd pkg/base_security-2.xx/script 3: $ perl create_object_security.pl \ 4: --class=OpenInteract2::User \ 5: --scope=world \ 6: --level=read 7: $ perl create_object_security.pl \ 8: --class=OpenInteract2::User \ 9: --scope=group \ 10: --scope_id='site admin' \ 11: --level=write 12: $ perl create_object_security.pl \ 13: --class=OpenInteract2::Group \ 14: --scope=world \ 15: --level=read 16: $ perl create_object_security.pl \ 17: --class=OpenInteract2::Group \ 18: --scope=group \ 19: --scope_id='site admin' \ 20: --level=write
You will have to modify 'site admin' to the ID of your site admin group -- whatever you set in the 'default_objects.site_admin_group' key of your server configuration.
These commands will create entries in the security table so that the 'world' security for all users and groups is 'read' and that the site admin group has read/write privileges to all users and groups.
Run the script with the parameter '--help' to get more information about how to run it.
As opposed to OI 1.x you should not need to modify the entry in 'creation_security' for every secured SPOPS object. Instead of hardcoding object IDs you can list a key pointing to the 'default_objects' area of the server configuration. For instance, you'll often see a creation security policy declared like this:
1: [object creation_security] 2: user = 3: group = site_admin_group:WRITE 4: world = READ
The 'site_admin_group' gets replaced at server startup by the server configuration entry 'default_objects.site_admin_group'. So no matter whether you use LDAP or DBI you just need to change that value and restart.
The following defines two connections: 'main_ldap' and 'auth_ldap'. The first describes a connection using an anonymous bind, while the second specifies a bind DN and password. The second also uses a different port than the first.
1: [datasource_type LDAP] 2: connection_manager = OpenInteract2::Datasource::LDAP 3: spops_config = OpenInteract2::SPOPS::LDAP 4: 5: [datasource main_ldap] 6: type = LDAP 7: spops = SPOPS::LDAP 8: host = ldap.myco.com 9: port = 389 10: bind_dn = 11: bind_password = 12: base_dn = dc=MyCo,dc=com 13: timeout = 120 14: version = 2 15: sasl = 0 16: debug = 0 17: 18: [datasource auth_ldap] 19: type = LDAP 20: spops = SPOPS::LDAP 21: host = ldap.myco.com 22: port = 3890 23: bind_dn = cn=Manager,dc=MyCo,dc=com 24: bind_password = crystalline 25: base_dn = dc=MyCo,dc=com 26: timeout = 120 27: version = 2 28: sasl = 0 29: debug = 0
Here's a sample configuration, from the 'base_user' package. One important thing to note: you do not need to use a full DN for ldap_base_dn -- OpenInteract2::SPOPS::LDAP overrides the method base_dn() and prepends the value from ldap_base_dn to the value from base_dn in your datasource.
ldap_base_dn
base_dn()
base_dn
So if we were to use the example below with the 'main' datasource, the base DN of these objects would be:
1: ou=People --> From the object 2: + dc=MyCo,dc=com --> From the 'main' datasource 3: ================ 4: ou=People,dc=MyCo,dc=com --> Base DN used
If you're using multiple datasources, ldap_base_dn needs to be a hashref with the keys as datasources and the values as the partial base DN for that datasource. See SPOPS::LDAP::MultiDatasource for more information.
1: [user] 2: class = OpenInteract2::User 3: code_class = OpenInteract2::User::LDAP 4: isa = OpenInteract2::User 5: is_secure = yes 6: field = cn 7: field = sn 8: field = givenname 9: field = mail 10: field = userpassword 11: field = uid 12: field = objectclass 13: multivalue = objectclass 14: id_field = cn 15: ldap_base_dn = ou=People 16: ldap_object_class = top 17: ldap_object_class = person 18: ldap_object_class = inetOrgPerson 19: ldap_object_class = organizationalPerson 20: ldap_fetch_object_class = person 21: name = full_name 22: object_name = User 23: 24: [user field_map] 25: last_name = sn 26: first_name = givenname 27: password = userpassword 28: login_name = uid 29: email = mail 30: user_id = uid 31: 32: [user links_to] 33: OpenInteract::Group = uniquemember 34: 35: [user creation_security] 36: user = 37: group = site_admin_group:WRITE 38: world = READ 39: 40: [user track] 41: create = 0 42: update = 1 43: remove = 1 44: 45: [user display] 46: ACTION = user 47: TASK = display
You can use multiple datasources in two different ways
Use multiple datasources for the same class. This enables you to search for an entry once and have the search get executed on multiple directories. Read about how this works and how you set it up in SPOPS::LDAP::MultiDatasource
Use a single datasource per class but have multiple directories available. For instance, you might run one LDAP directory for all equipment in your organization and another for all employees and groups.
For this, you simply need to configure all datasources in your server configuration, then tell each SPOPS class which datasource it should use. To tell a class, you need to use the datasource key in its configuration:
datasource
1: [myequipment] 2: class = My::Equipment 3: datasource = equipment 4: ...
This class would use the connection information stored under the key 'equipment' in your server configuration.
There are other configuration details to be aware of -- please see SPOPS::LDAP::MultiDatasource for more infromation.
Copyright (c) 2001-2004 Chris Winters. All rights reserved.
Chris Winters <Chris@cwinters.com>
To install OpenInteract2::URL, copy and paste the appropriate command in to your terminal.
cpanm
cpanm OpenInteract2::URL
CPAN shell
perl -MCPAN -e shell install OpenInteract2::URL
For more information on module installation, please visit the detailed CPAN module installation guide.