LDAP in Sakai 2.5

Introduction

The way LDAP is configured in Sakai 2.4 and 2.5 has changed quite radically. Sakai 2.4 had a verbose configuration method and you had to edit different files in different modules. Sakai 2.5 has a managed Spring bean approach, which means it's more configurable and you only need to touch one part of the providers project.

This article will walk you through configuring LDAP for Sakai 2.5 (using the JLDAP provider) in an easy-to-read fashion, as I found the resources available somewhat over-technical for the first-time user looking to get a tiny bit of integration into their Sakai environment by way of LDAP.

This also works for all Sakai versions > 2.5.

I have recently reviewed this document and can confirm this procedure still works fine for Sakai 2.6, 2.7, 2.8 and 2.9.

Edit the pom.xml

Open for editing:

SAKAI-SRC/providers/component/pom.xml

And uncomment the JLDAP dependency:

<!-- Needed for the JLDAP Provider -->
<dependency>
    <groupId>org.sakaiproject</groupId>
    <artifactId>sakai-jldap-provider</artifactId>
    <version>${sakai.version}</version>
</dependency>

<dependency>
    <groupId>openldap</groupId>
    <artifactId>ldap</artifactId>
    <version>2005.03.29</version>
</dependency>
<!--    -->

Edit components.xml

Open for editing:

SAKAI-SRC/providers/component/src/webapp/WEB-INF/components.xml

And uncomment the JLDAP include statement:

<!-- Uncomment and configure to use the JLDAPDirectoryProvider -->
<import resource="jldap-beans.xml" />

Edit jldap-beans.xml

Open for editing:

SAKAI-SRC/providers/component/src/webapp/WEB-INF/jldap-beans.xml

And configure the properties for your LDAP environment.

At a minimum you will need to set up:

  • the ldapHost (host name or address of your LDAP server):
    <property name="ldapHost">
        <value>ldap.server.ac.uk</value>
    </property>

  • the basePath (base DN for directory searches):
    <property name="basePath">
        <value>ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>

If you require an authenticated bind to your LDAP server, you will also need the following properties set up:

  • the ldapUser (DN to bind as for directory searches):
    <property name="ldapUser">
        <value>cn=username,ou=staff,ou=users,ou=university,dc=something,dc=somethingelse</value>
    </property>

  • the ldapPassword (password for the ldapUser defined above):
    <property name="ldapPassword">
        <value>somepassword</value>
    </property>

  • autoBind (indicates whether connection allocation should implicitly bind as the ldapUser above):
    <property name="autoBind">
        <value>true</value>
    </property>

You will also need to uncomment and review some of the settings that map LDAP attributes to Sakai attributes:

<property name="attributeMappings">
	<map>
		<entry key="login"><value>cn</value></entry>
		<entry key="distinguishedName"><value>distinguishedName</value></entry>
		<entry key="firstName"><value>givenName</value></entry>
		<entry key="lastName"><value>sn</value></entry>
		<entry key="email"><value>mail</value></entry>
		<!--
		<entry key="groupMembership"><value>groupMembership</value></entry>
		-->
	</map>
</property>
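Before rebuilding, it can help to check the edited file offline. The script below is an added example, not code from Sakai or from this article: it reads the <property> elements of a bean fragment with the Python standard library and reports any of the settings described above that are missing, empty or still commented out. The sample XML inside it is constructed from the values shown in this article, with a hypothetical bean id.

```python
import xml.etree.ElementTree as ET

# Properties and attribute mappings the article says must be present.
REQUIRED = ("ldapHost", "basePath")
REQUIRED_MAPPINGS = ("login", "firstName", "lastName", "email")

def parse_bean_properties(xml_text):
    """Map each <property name=...> to its <value> text, or to a dict for a <map>."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        value, mapping = prop.find("value"), prop.find("map")
        if value is not None:
            props[prop.get("name")] = (value.text or "").strip()
        elif mapping is not None:
            props[prop.get("name")] = {e.get("key"): (e.findtext("value") or "").strip()
                                       for e in mapping.findall("entry")}
    return props

def check_jldap_config(xml_text):
    """Return a list of problems; an empty list means the article's minimum settings are present."""
    props = parse_bean_properties(xml_text)
    problems = [f"missing or empty property: {k}" for k in REQUIRED if not props.get(k)]
    # Authenticated bind: ldapUser needs ldapPassword, and autoBind decides whether
    # connection allocation implicitly binds as that user.
    if props.get("ldapUser") and not props.get("ldapPassword"):
        problems.append("ldapUser is set but ldapPassword is empty")
    if props.get("ldapUser") and props.get("autoBind", "").lower() != "true":
        problems.append("ldapUser is set but autoBind is not true")
    mappings = props.get("attributeMappings")
    if not isinstance(mappings, dict):
        # The parser drops XML comments, so a still-commented block shows up as absent.
        problems.append("attributeMappings block is missing (still commented out?)")
    else:
        problems += [f"no LDAP attribute mapped for {k}" for k in REQUIRED_MAPPINGS if not mappings.get(k)]
    return problems

# Constructed sample built from the values shown in this article (hypothetical bean id).
SAMPLE_XML = """<bean id="example">
  <property name="ldapHost"><value>ldap.server.ac.uk</value></property>
  <property name="basePath"><value>ou=users,ou=university,dc=something,dc=somethingelse</value></property>
  <property name="ldapUser"><value>cn=username,ou=staff,ou=users,ou=university,dc=something,dc=somethingelse</value></property>
  <property name="ldapPassword"><value>somepassword</value></property>
  <property name="autoBind"><value>true</value></property>
  <property name="attributeMappings"><map>
    <entry key="login"><value>cn</value></entry>
    <entry key="firstName"><value>givenName</value></entry>
    <entry key="lastName"><value>sn</value></entry>
    <entry key="email"><value>mail</value></entry>
  </map></property>
</bean>"""

if __name__ == "__main__":
    print(check_jldap_config(SAMPLE_XML) or "all required settings present")
```

To check a real file, read SAKAI-SRC/providers/component/src/webapp/WEB-INF/jldap-beans.xml into a string and pass it to check_jldap_config instead of the sample.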

Rebuild and redeploy the providers project

Navigate to:

SAKAI-SRC/providers

And rebuild:

mvn clean install sakai:deploy

Test!

Restart Tomcat and see if you can log in using a username and password combination that comes from LDAP. In particular, try a username and password that has NEVER logged into Sakai before, to test that it really is working.
Also try a user account that exists only in Sakai, i.e. create a user 'testuser1' and try to log in with that. It should also work, as Sakai falls through to its internal database if no matching user is found in LDAP.

You should also test that the Mailtool in Sakai works and can send an email to a member of a site, and that all user attributes resolve to their mapped LDAP attributes in the Site Info tool where it lists the users of a site.

You don't need to create users in Sakai when using this LDAP integration (except for extra users)

Please note that you DO NOT (and should not) create user accounts in Sakai for users who can authenticate from LDAP when using the LDAP integration. You should only create accounts in Sakai for those users who do not have an LDAP entry, i.e. guest accounts or other miscellaneous users. You may run into problems if you have user accounts in both LDAP and Sakai for the same user: which password should Sakai authenticate against? If they change their name in Sakai only, the change won't be reflected properly. Keep your data centralised and only create accounts in Sakai if you absolutely need to.