[ckan-dev] CKAN - LDAP intergration

Divilly, David ddivilly at qti.qualcomm.com
Thu Oct 2 16:22:13 UTC 2014


Hi Alice

I managed to get the LDAP integration working with NHM plugin.

I was wondering about handling groups from LDAP, in terms of adding groups of users based on their group membership.

Does the plugin facilitate this?

Thanks,

David Divilly

From: ckan-dev [mailto:ckan-dev-bounces at lists.okfn.org] On Behalf Of Divilly, David
Sent: Tuesday, September 30, 2014 3:01 PM
To: CKAN Development Discussions
Subject: Re: [ckan-dev] CKAN - LDAP intergration

Hi Alice

Thanks for your feedback. I will review the below and try the Natural History Museum plugin.

Regards,

David Divilly

From: ckan-dev [mailto:ckan-dev-bounces at lists.okfn.org] On Behalf Of Alice Heaton
Sent: Tuesday, September 30, 2014 2:38 PM
To: ckan-dev at lists.okfn.org<mailto:ckan-dev at lists.okfn.org>
Subject: Re: [ckan-dev] CKAN - LDAP intergration

Hello,

We have developed, and are using:

https://github.com/NaturalHistoryMuseum/ckanext-ldap

The available options are well documented. LDAP is always tricky to configure - but that depends on your system, not on the plugin.

To configure LDAP, you will need to ask the LDAP server administrator for the following:

- Your LDAP server address/name (e.g. ldap.example.com);
- The 'base domain name' under which users are in the LDAP directory. If using Active Directory, this would look something like 'ou=USERS,dc=example,dc=com' where example.com is your domain name, and USERS the group under which your users are stored;
- What identifier to use to perform the search. Again, for Active Directory you might want to use 'sAMAccountName';
- The LDAP fields that should map to the CKAN username and email address (e.g. sAMAccountName and mail)

In addition, if your server requires authentication for performing queries, you will need to know:
- The 'base domain name' of the user used for authentication (e.g. 'CN=ldapuser,OU=Service Accounts,OU=ADMINS,DC=example,DC=com')
- The password!

So given these, a typical configuration for an Active Directory LDAP server would be:

ckan.plugins = .... ldap ......

ldap.uri = ldap://ldap.example.com
ldap.auth.dn = CN=ldapuser,OU=Service Accounts,OU=ADMINS,DC=example,DC=com
ldap.auth.password = supersecretpasswordhahaha
ldap.base_dn = OU=USERS,DC=example,DC=com
ldap.search_filter = sAMAccountName={login}
ldap.username = sAMAccountName
ldap.email = mail

The LDAP plugin has many more options - it can use both LDAP and CKAN authentication at the same time, it can be configured to use both short and long user names when logging in to Active Directory, it can add users to an organization automatically, etc.

I didn't know of the whythawk one (looks like we developed them pretty much at the same time, so we wouldn't have found each other!). I will contact them to suggest we merge the two projects.

Best,
Alice

On 30/09/14 13:35, Divilly, David wrote:
Hi All

Has anyone on this list successfully integrated CKAN with their corporate LDAP?

Were the extensions available on GitHub used:

Eg. https://github.com/whythawk/ckanext-ldap

And if so, could anyone provide an example config used? Many thanks for your response.

Regards,

David Divilly
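
An added example, not part of the original thread and not the plugin's own code: a pre-deployment check of the `ldap.*` settings from the sample configuration above, plus the `{login}` substitution in `ldap.search_filter` with RFC 4515 escaping of the typed login. The `[app:main]` section name, the list of required keys, the function names and the placeholder password are assumptions made for this sketch.

```python
import configparser

# Constructed sample mirroring the settings in the thread (password is a placeholder).
SAMPLE_INI = """
[app:main]
ldap.uri = ldap://ldap.example.com
ldap.auth.dn = CN=ldapuser,OU=Service Accounts,OU=ADMINS,DC=example,DC=com
ldap.auth.password = PLACEHOLDER
ldap.base_dn = OU=USERS,DC=example,DC=com
ldap.search_filter = sAMAccountName={login}
ldap.username = sAMAccountName
ldap.email = mail
"""

# Assumption: the items the thread says to get from the LDAP administrator.
REQUIRED = ("ldap.uri", "ldap.base_dn", "ldap.search_filter",
            "ldap.username", "ldap.email")

# RFC 4515: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def load_ldap_settings(ini_text, section="app:main"):
    """Return only the ldap.* keys from the given ini section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return {k: v for k, v in parser[section].items() if k.startswith("ldap.")}


def check_settings(settings):
    """List configuration problems; an empty list means the basics are present."""
    problems = [f"missing {key}" for key in REQUIRED if not settings.get(key)]
    # The bind DN and its password are only useful as a pair.
    if bool(settings.get("ldap.auth.dn")) != bool(settings.get("ldap.auth.password")):
        problems.append("ldap.auth.dn and ldap.auth.password must be set together")
    if "{login}" not in settings.get("ldap.search_filter", ""):
        problems.append("ldap.search_filter has no {login} placeholder")
    return problems


def build_search_filter(settings, login):
    """Substitute the escaped login into the configured filter template."""
    return settings["ldap.search_filter"].replace("{login}", escape_filter_value(login))
```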



