[ckan-dev] CKAN - LDAP integration

Alice Heaton a.heaton at nhm.ac.uk
Thu Oct 2 16:58:11 UTC 2014


Hello,

On 02/10/14 17:22, Divilly, David wrote:
>
> Hi Alice
>
> I managed to get the LDAP integration working with NHM plugin.
>
> I was wondering about handling groups from LDAP, in terms of adding 
> groups of users based on their group membership.
>

I'm not entirely sure what you mean.

- The plugin creates CKAN users when needed. Each CKAN user is created when
  the corresponding LDAP user first logs in. As such you cannot add groups of
  users in a batch.

- If you want to restrict the functionality to a certain group of LDAP users,
  you can use 'ldap.search.filter' to add any restrictions.
  'ldap.search.filter' is the search sent to the LDAP server used to match
  users. Again, you'll need to check with your LDAP administrator -
  something like:

(&(objectClass=user)(sAMAccountName={login})(memberof=CN=YOURGROUP,OU=USERS,DC=example,DC=com))

should work with Active Directory - though I have not tested it myself, 
and I am not an LDAP expert.

If you have further questions, maybe you can report them on the GitHub 
issue page rather than on this list :-)

Best,
Alice

> Does the plugin facilitate this?
>
> Thanks,
>
> David Divilly
>
> *From:* ckan-dev [mailto:ckan-dev-bounces at lists.okfn.org] *On Behalf Of* Divilly, David
> *Sent:* Tuesday, September 30, 2014 3:01 PM
> *To:* CKAN Development Discussions
> *Subject:* Re: [ckan-dev] CKAN - LDAP integration
>
> Hi Alice
>
> Thanks for your feedback. I will review the below and try the Natural 
> History Museum plugin.
>
> Regards,
>
> David Divilly
>
> *From:* ckan-dev [mailto:ckan-dev-bounces at lists.okfn.org] *On Behalf Of* Alice Heaton
> *Sent:* Tuesday, September 30, 2014 2:38 PM
> *To:* ckan-dev at lists.okfn.org <mailto:ckan-dev at lists.okfn.org>
> *Subject:* Re: [ckan-dev] CKAN - LDAP integration
>
> Hello,
>
> We have developed, and are using:
>
> https://github.com/NaturalHistoryMuseum/ckanext-ldap
>
> The available options are well documented. LDAP is always tricky to
> configure - but that depends on your system, not on the plugin.
>
> To configure LDAP, you will need to ask the LDAP server administrator
> for the following:
>
> - Your LDAP server address/name (e.g. ldap.example.com);
> - The 'base domain name' under which users are in the LDAP directory.
> If using Active Directory, this would look something like
> 'ou=USERS,dc=example,dc=com' where example.com is your domain name,
> and USERS the group under which your users are stored;
> - What identifier to use to perform the search. Again, for Active
> Directory you might want to use 'sAMAccountName';
> - The LDAP fields that should map the CKAN username and email address
> (e.g. sAMAccountName and mail)
>
> In addition if your server requires authentication for performing 
> queries, you will need to know:
> - The 'base domain name' of the user used for authentication (eg. 
> 'CN=ldapuser,OU=Service Accounts,OU=ADMINS,DC=example,DC=com')
> - The password!
>
> So given these, a typical configuration for an Active Directory LDAP 
> server would be:
>
> ckan.plugins = .... ldap ......
>
> ldap.uri = ldap://ldap.example.com
> ldap.auth.dn = CN=ldapuser,OU=Service Accounts,OU=ADMINS,DC=example,DC=com
> ldap.auth.password = supersecretpasswordhahaha
> ldap.base_dn = OU=USERS,DC=example,DC=com
> ldap.search_filter = sAMAccountName={login}
> ldap.username = sAMAccountName
> ldap.email = mail
>
> The LDAP plugin has many more options - it can use both LDAP and CKAN
> authentication at the same time, it can be configured to use both
> short and long user names when logging in to Active Directory, it can add
> users to an organization automatically, etc.
>
> I didn't know of the whythawk one (looks like we developed them pretty
> much at the same time, so we wouldn't have found each other!)
> I will contact them to suggest we merge the two projects.
>
> Best,
> Alice
>
> On 30/09/14 13:35, Divilly, David wrote:
>
>     Hi All
>
>     Has anyone on this list successfully integrated CKAN with their
>     corporate LDAP?
>
>     Were the extensions available on GitHub used:
>
>     Eg. https://github.com/whythawk/ckanext-ldap
>
>     And if so could anyone provide an example config used. Many
>     thanks for your response.
>
>     Regards,
>
>     David Divilly
>
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
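
Added example, not part of the original message and not code from ckanext-ldap: one way to build the group-restricted filter from the reply above and substitute {login} so that characters such as '*' or '(' in a typed login are matched literally instead of changing the search. The function names are hypothetical, how the plugin itself substitutes {login} is not stated in this thread, and the nested-group option goes beyond the message (it uses Active Directory's in-chain matching rule).

```python
# Added example (not ckanext-ldap code): build the group-restricted filter
# from the reply above and substitute the login with RFC 4515 escaping.

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory matching rule that also follows nested group membership.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a string so it is treated as a literal in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter_template(group_dn, login_attr="sAMAccountName", nested=False):
    """Return a filter template with a {login} placeholder, limited to one group."""
    member = "memberof:%s:" % AD_IN_CHAIN if nested else "memberof"
    return "(&(objectClass=user)(%s={login})(%s=%s))" % (
        login_attr, member, escape_filter_value(group_dn))


def fill_login(template, login):
    """Substitute the escaped login; reject empty logins and odd templates."""
    if template.count("{login}") != 1:
        raise ValueError("template must contain {login} exactly once")
    if not login or not login.strip():
        raise ValueError("empty login")
    return template.replace("{login}", escape_filter_value(login))


# Constructed sample value: the placeholder group DN used in the message.
GROUP_DN = "CN=YOURGROUP,OU=USERS,DC=example,DC=com"

if __name__ == "__main__":
    template = group_filter_template(GROUP_DN)
    # Constructed logins: a plain one and two containing filter metacharacters.
    for login in ("jdoe", "j*", "smith (contractor)"):
        print(fill_login(template, login))
```

With nested=False the template is character-for-character the filter quoted in the message; a plain memberof test only matches direct members of the group.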
