[ckan-dev] CKAN - LDAP integration
Divilly, David
ddivilly at qti.qualcomm.com
Thu Oct 2 16:22:13 UTC 2014
Hi Alice
I managed to get the LDAP integration working with the NHM plugin.
I was wondering about handling groups from LDAP, in terms of adding groups of users based on their group membership.
Does the plugin facilitate this?
Thanks,
David Divilly
From: ckan-dev [mailto:ckan-dev-bounces at lists.okfn.org] On Behalf Of Divilly, David
Sent: Tuesday, September 30, 2014 3:01 PM
To: CKAN Development Discussions
Subject: Re: [ckan-dev] CKAN - LDAP integration
Hi Alice
Thanks for your feedback. I will review the below and try the Natural History Museum plugin.
Regards,
David Divilly
From: ckan-dev [mailto:ckan-dev-bounces at lists.okfn.org] On Behalf Of Alice Heaton
Sent: Tuesday, September 30, 2014 2:38 PM
To: ckan-dev at lists.okfn.org<mailto:ckan-dev at lists.okfn.org>
Subject: Re: [ckan-dev] CKAN - LDAP integration
Hello,
We have developed, and are using:
https://github.com/NaturalHistoryMuseum/ckanext-ldap
The available options are well documented. LDAP is always tricky to configure - but that depends on your system, not on the plugin.
To configure LDAP, you will need to ask the LDAP server administrator for the following:
- Your LDAP server address/name (e.g. ldap.example.com);
- The 'base domain name' under which users are in the LDAP directory. If using Active Directory, this would look something like 'ou=USERS,dc=example,dc=com' where example.com is your domain name, and USERS the group under which your users are stored;
- What identifier to use to perform the search. Again, for Active Directory you might want to use 'sAMAccountName';
- The LDAP fields that should map the CKAN username and email address (e.g. sAMAccountName and mail).
In addition, if your server requires authentication for performing queries, you will need to know:
- The 'base domain name' of the user used for authentication (e.g. 'CN=ldapuser,OU=Service Accounts,OU=ADMINS,DC=example,DC=com')
- The password!
So given these, a typical configuration for an Active Directory LDAP server would be:
ckan.plugins = .... ldap ......
ldap.uri = ldap://ldap.example.com
ldap.auth.dn = CN=ldapuser,OU=Service Accounts,OU=ADMINS,DC=example,DC=com
ldap.auth.password = supersecretpasswordhahaha
ldap.base_dn = OU=USERS,DC=example,DC=com
ldap.search_filter = sAMAccountName={login}
ldap.username = sAMAccountName
ldap.email = mail
The LDAP plugin has many more options - it can use both LDAP and CKAN authentication at the same time, it can be configured to use both short and long user names when logging in to Active Directory, it can add users to an organization automatically, etc.
I didn't know of the whythawk one. (Looks like we developed them pretty much at the same time, so we wouldn't have found each other!)
I will contact them to suggest we merge the two projects.
Best,
Alice
On 30/09/14 13:35, Divilly, David wrote:
Hi All
Has anyone on this list successfully integrated CKAN with their corporate LDAP?
Were the extensions available on GitHub used?
E.g. https://github.com/whythawk/ckanext-ldap
And if so, could anyone provide an example config used? Many thanks for your response.
Regards,
David Divilly
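An added example, not part of the thread and not the plugin's own code: a check of the ldap.* settings named in the message above, plus RFC 4515 escaping of the login before it is substituted into a search filter template such as sAMAccountName={login}. The function names, the [app:main] section and the sample values are assumptions made for illustration.

```python
import configparser

# Constructed sample: the settings from the message above, placeholder password.
SAMPLE_INI = """
[app:main]
ldap.uri = ldap://ldap.example.com
ldap.auth.dn = CN=ldapuser,OU=Service Accounts,OU=ADMINS,DC=example,DC=com
ldap.auth.password = PLACEHOLDER
ldap.base_dn = OU=USERS,DC=example,DC=com
ldap.search_filter = sAMAccountName={login}
ldap.username = sAMAccountName
ldap.email = mail
"""

REQUIRED = ("ldap.uri", "ldap.base_dn", "ldap.search_filter",
            "ldap.username", "ldap.email")

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filter(template, login):
    """Fill the {login} placeholder with the escaped login name."""
    return template.format(login=escape_filter_value(login))

def check_settings(ini_text):
    """Return a list of findings for the ldap.* settings in an ini file (hypothetical helper)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    cfg = parser["app:main"]
    findings = ["missing " + key for key in REQUIRED if key not in cfg]
    if "{login}" not in cfg.get("ldap.search_filter", fallback=""):
        findings.append("ldap.search_filter has no {login} placeholder")
    if ("ldap.auth.dn" in cfg) != ("ldap.auth.password" in cfg):
        findings.append("ldap.auth.dn and ldap.auth.password must be set together")
    if cfg.get("ldap.uri", fallback="").startswith("ldap://") and "ldap.auth.password" in cfg:
        findings.append("ldap:// sends the ldap.auth.dn bind password unencrypted "
                        "unless StartTLS is negotiated")
    return findings

if __name__ == "__main__":
    for finding in check_settings(SAMPLE_INI):
        print("finding:", finding)
    # An ordinary login passes through unchanged; filter metacharacters are escaped.
    print(build_filter("sAMAccountName={login}", "jsmith"))
    print(build_filter("sAMAccountName={login}", "*)(mail=*"))
```

Without the escaping step, a login of `*` would turn the filter into a wildcard match on every account under ldap.base_dn.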