
of Various FOSS Services for Educational Institutes



Presentation on theme: "of Various FOSS Services for Educational Institutes"— Presentation transcript:

1 LDAP Based Setup of Various FOSS Services for Educational Institutes
Abhijit A. M., College of Engineering Pune (COEP)
FOSSMeet, NITC, 11 Mar 2017 (C) Abhijit A.M. FOSSMeet NITC

2 Orientation
To introduce FOSS services for educational institutes that can be configured against LDAP, so that one login/password serves all services.

3 Outline
LDAP: what is LDAP, how to set up OpenLDAP
Setup at COEP, differences from disroot.org
Shell scripts to maintain your LDAP server
About disroot.org
Configuration of Moodle, Nextcloud, Mediawiki and the desktop with LDAP
Unmet challenges
Possible extensions
Requirements for Single Sign On services

4 disroot.org services

5 Highlights of disroot implementation
Aims: tools that are open, decentralized, federated and respectful towards freedom and privacy
LDAP based authentication
Nextcloud based: storage (Nextcloud), chats, spreadsheet
Supports the Matrix protocol
Social network requires a separate account
No Single Sign On (SSO) yet

6 LDAP: How it works
Architecture split between a frontend, which handles network access and protocol processing, and a backend, which deals strictly with data storage.

7 LDAP
Open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Information about users, systems, networks, services, and applications.
Any organized set of records, often with a hierarchical structure, such as a corporate directory.

8 LDAP (2)
An LDAP search translated into plain English: "Search in the company directory for all people located in Kozhikode whose name contains 'Abhijit' that have an address. Please return their full name, , title, and description."
Common use: a central place to store usernames and passwords. Many different applications and services connect to the LDAP server to validate users, giving a single user/password for many services.
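The plain-English search above, written as the filter an application would actually send, as an added example that is not part of the presentation. It assumes the directory keeps the location in the standard `l` (locality) attribute and that the location and name fragment arrive from a user-facing form, which is why both are escaped per RFC 4515 before being spliced into the filter: a value containing `*`, `(` or `)` is then matched literally instead of changing the filter's structure. The second builder is the lookup that services like Moodle or MRBS perform on their configured login attribute before binding as the user.

```python
"""LDAP search filters with RFC 4515 escaping of user-supplied values.

Added example; the attribute names (l, cn, mail, uid) are standard, the
filters themselves are this example's own rendering of the slide's text.
"""

# Characters that carry meaning inside a filter value, and their escapes.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_people_filter(location: str, name_fragment: str) -> str:
    """'All people located in <location> whose name contains <fragment> and
    that have a mail attribute' (the search from slide 8)."""
    return (
        "(&"
        "(objectClass=person)"
        f"(l={escape_filter_value(location)})"
        f"(cn=*{escape_filter_value(name_fragment)}*)"
        "(mail=*)"
        ")"
    )


def build_login_filter(login_attribute: str, login: str) -> str:
    """The lookup an application does on its configured login attribute
    (uid in the Mediawiki/MRBS settings later in the talk) to find the DN to bind as."""
    return f"({login_attribute}={escape_filter_value(login)})"


if __name__ == "__main__":
    print(build_people_filter("Kozhikode", "Abhijit"))
    print(build_login_filter("uid", "abhijit.comp"))
```

The attributes to return (full name, title, description) are not part of the filter; they are passed to the search operation separately, as `ldapsearch -b <base> '<filter>' cn title description` does on the command line.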

9 How COEP uses the LDAP server

10 A directory tree structure
Country > State > The organization > Organizational unit > Person

11 LDAP: Directory Structure
Hierarchy of entries. Entry = set of attributes.
Each entry has a unique identifier, the Distinguished Name (DN); the DN is the entry's Relative Distinguished Name (RDN) plus its parent's DN.
Hierarchy analogy: if /foo/bar/myfile.txt were the DN, then myfile.txt would be the RDN.
Attribute: name + one or more values, defined in a schema.
A DN may change over the lifetime of the entry, for instance when entries are moved within the tree.

12 LDAP: Directory entry
Example of an LDAP entry, in LDIF format:
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber:
telephoneNumber:
mail:
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
Here "dn" is the distinguished name of the entry; it is neither an attribute nor a part of the entry. "cn=John Doe" is the RDN (Relative Distinguished Name).

13 LDAP: Directory entry
Example of an LDAP entry, in LDIF format:
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber:
telephoneNumber:
mail:
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
Here "dc=example,dc=com" is the DN of the parent entry; "dc" denotes 'Domain Component'. The other lines are the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for address, and "sn" for surname.

14 Multiple Values
Each attribute can have multiple values; for example, we could have the following record:
DN: cn=Dave Hollinger, O=RPI, C=US
CN: Dave Hollinger
CN: David Hollinger
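Slides 12 to 14 describe the LDIF shape of an entry (dn line, `attr: value` lines, repeated lines for multi-valued attributes) and the DN/RDN split. The following added example, which is not code from the presentation, parses such an entry into a DN plus a dictionary of attribute values and splits the DN into RDN and parent DN. The sample entry is constructed here in the shape of the slides' John Doe entry (whose phone numbers and mail address were removed in transcription); the `userPassword::` line reuses the base64 value from the talk's slide 31 to show what the double colon means: a base64-encoded value, here decoding to a `{MD5}` password hash.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample entry; '::' marks a base64-encoded value, a leading space
# continues the previous line, '#' lines are comments (all per RFC 2849).
SAMPLE_LDIF = """\
# John Doe, example.com
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
cn: Johnny Doe
givenName: John
sn: Doe
manager: cn=Barbara Doe,dc=example,dc=com
description: a value long enough to be folded onto
  a continuation line, as LDIF allows
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: e01ENX1Lblo0V1dteWFzMXk5b2lGdEZPT3JnPT0=
"""


def parse_ldif_entry(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (dn, attributes) for one LDIF entry.

    Values are kept in a list per attribute name because LDAP attributes are
    multi-valued (slide 14). ':<' file URLs are not handled in this example.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn = ""
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":          # attribute names are case-insensitive
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def split_dn(dn: str) -> Tuple[str, str]:
    """Split a DN into (RDN, parent DN), honouring backslash-escaped commas."""
    parts: List[str] = []
    current = ""
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]        # keep the escape pair as-is
            i += 2
            continue
        if dn[i] == ",":
            parts.append(current)
            current = ""
        else:
            current += dn[i]
        i += 1
    parts.append(current)
    return parts[0].strip(), ",".join(p.strip() for p in parts[1:])


if __name__ == "__main__":
    entry_dn, entry_attrs = parse_ldif_entry(SAMPLE_LDIF)
    print("RDN / parent:", split_dn(entry_dn))
    for attr_name, values in entry_attrs.items():
        print(f"{attr_name}: {values}")
```

Decoding the `userPassword` value is useful when auditing an exported LDIF: the prefix in braces (`{MD5}`, `{SSHA}`) tells you which hashing scheme slapd will use to check binds for that account, and `{MD5}` is unsalted.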

15 objectClass
Commonly used attribute: objectClass. Each record is an object. Each record can have one or more attributes called objectClass, and the attributes of the record are defined according to its objectClass values. E.g.:
dn: cn=abhijit.comp,ou=comp,dc=coep,dc=org,dc=in
cn: abhijit.comp
objectClass: posixAccount
mail:
Here posixAccount tells us that this entry must have the attributes cn $ uid $ uidNumber $ gidNumber $ homeDirectory, and can also have userPassword $ loginShell $ gecos $ description.

16 objectClass
You can define which attributes are required for objects with a specific value of the objectClass attribute, and which attributes are allowed. New records must adhere to these settings!

17 A directory can have many different types of entries

18 Example: Directory Structure, OU, DNs, RDNs
catalogue.pearsoned.co.uk/samplechapter/ X.pdf

19 Schemas
The contents of the entries in a subtree are governed by a schema, which defines the possible attribute types. Each definition includes a syntax; most non-binary values in LDAPv3 use UTF-8 string syntax.
For example, a "mail" attribute might contain the value
A "jpegPhoto" attribute would contain photograph(s) in binary JPEG/JFIF format.
A "member" attribute contains the DNs of other directory entries.

20 Schemas
Definitions also state whether the attribute is single-valued or multi-valued and how to search/compare the attribute.
The schema defines object classes, e.g. a person, organization or domain. Each entry must have an objectClass attribute containing named classes defined in the schema.
Server administrators can define their own schemas in addition to the standard ones. Most of the time we don't need to define a new schema; just use the existing ones.

21 Schema Examples
attributetype ( 0.9.2342.19200300.100.1.1
    NAME ( 'uid' 'userid' )
    DESC 'RFC1274: user identifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX {256} )
objectclass ( NAME 'posixAccount'
    SUP top
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
Credit:
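The MUST/MAY enforcement that slides 15 and 16 describe, applied to the posixAccount definition just shown, as an added example that is not code from the presentation or from OpenLDAP. The class table transcribes posixAccount from the slide and adds the standard `top` and `person` classes from OpenLDAP's core schema (MUST/MAY lists only, no OIDs or syntaxes); `inetOrgPerson` is deliberately left out, so an entry that relies on it, for example to carry `mail`, is reported the way slapd reports an objectClassViolation. The slide 15 entry is reproduced as the first test case: it lists only posixAccount, so its `mail` attribute is not allowed and four MUST attributes are missing.

```python
from typing import Dict, Iterator, List, Set, Tuple

# MUST/MAY lists: posixAccount from the schema slide, top and person from
# core.schema. Assumption of this example: no other classes are known.
OBJECT_CLASSES: Dict[str, Dict] = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userPassword", "telephoneNumber", "seeAlso", "description"}},
    "posixAccount": {"sup": "top",
                     "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     "may": {"userPassword", "loginShell", "gecos", "description"}},
}
_BY_LOWER = {name.lower(): name for name in OBJECT_CLASSES}  # class names are case-insensitive


def class_chain(name: str) -> Iterator[Tuple[str, Dict]]:
    """Yield a class and its superiors up to top; KeyError for an unknown class."""
    while name is not None:
        canonical = _BY_LOWER[name.lower()]
        oc = OBJECT_CLASSES[canonical]
        yield canonical, oc
        name = oc["sup"]


def check_entry(attrs: Dict[str, List[str]]) -> List[str]:
    """Return the reasons slapd would reject the entry: a MUST attribute of one
    of its object classes is missing, or an attribute is present that no listed
    class (or superior) allows. An empty list means the entry is schema-valid."""
    classes = [v for k, vals in attrs.items() if k.lower() == "objectclass" for v in vals]
    if not classes:
        return ["entry has no objectClass attribute"]
    problems: List[str] = []
    must: Dict[str, Tuple[str, str]] = {}   # lower-cased name -> (display name, requiring class)
    may: Set[str] = set()
    for cls in classes:
        try:
            for canonical, oc in class_chain(cls):
                for attr in oc["must"]:
                    must.setdefault(attr.lower(), (attr, canonical))
                may.update(attr.lower() for attr in oc["may"])
        except KeyError:
            problems.append(f"unknown objectClass '{cls}'")
    present = {k.lower(): k for k in attrs}
    for low, (name, cls) in must.items():
        if low not in present:
            problems.append(f"missing required attribute '{name}' (MUST of {cls})")
    for low in sorted(set(present) - set(must) - may):
        problems.append(f"attribute '{present[low]}' is not allowed by any listed objectClass")
    return sorted(problems)


if __name__ == "__main__":
    slide15_entry = {"cn": ["abhijit.comp"], "objectClass": ["posixAccount"], "mail": ["(hidden)"]}
    for problem in check_entry(slide15_entry):
        print(problem)
```

Running the same check over a generated LDIF file before `ldapadd` catches the "errors have crept into LDIF entries" problem mentioned later in the talk at the cheapest point, before the directory has partially accepted a batch.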

22 Basic Operations
Bind
Start TLS
More operations:
Search - search for and/or retrieve directory entries
Compare - test if a named entry contains a given attribute value
Add - add a new entry
Delete - delete an entry
Modify - modify an entry
Modify DN - move or rename an entry
Abandon - abort a previous request
Extended Operation - generic operation used to define other operations
Unbind
Credit:

23 phpldapadmin

24 OpenLDAP
Free implementation of the Lightweight Directory Access Protocol (LDAP), under a BSD-style license called the OpenLDAP Public License. Runs on GNU/Linux, BSD variants, AIX, Android, HP-UX, macOS, Solaris, Microsoft Windows (NT and derivatives, e.g. 2000, XP, Vista, Windows 7, etc.), and z/OS.

25 OpenLDAP
OpenLDAP has three main components:
slapd – stand-alone LDAP daemon and associated modules and tools
libraries implementing the LDAP protocol and ASN.1 Basic Encoding Rules (BER)
client software: ldapsearch, ldapadd, ldapdelete, and others

26 OpenLDAP integrated setup at COEP
Services in use: Moodle, Mediawiki, Nextcloud, FOSS Server (Drupal), Proxy Server, MRBS
Dormant: Helpdesk, Kpoint
Abandoned: Desktop Authentication
Upcoming: Suggestions Portal, COEP Website
Desired, but not possible: MIS

27 OpenLDAP Implemented at COEP

28 OpenLDAP Implemented at COEP - 2

29 OpenLDAP Implemented at COEP - 3

30 OpenLDAP Implemented at COEP: Typical LDIF entry
# abhijit.comp, staff, comp, coep.org.in
dn: cn=abhijit.comp,ou=staff,ou=comp,dc=coep,dc=org,dc=in
gecos: abhijit.comp,staff,comp
gidNumber: 102
homeDirectory: /it/staff/compit/abhijit.comp
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 2000
shadowMax: 99999
shadowWarning: 7
uid: abhijit.comp
sn: abhijit.comp
uidNumber: 10016
cn: abhijit.comp
mail:
UserPassword:: e1NTSM0hVK1BhdGdleVFsaE1na1JJS0U=

31 OpenLDAP Implemented at COEP: Typical LDIF entry - 2
dn: cn= ,ou=2017,ou=students,ou=comp,dc=coep,dc=org,dc=in
uid:
mail:
sn:
cn:
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 2000
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber:
gidNumber:
homeDirectory: /comp/students/2017c/
gecos: ,2017c,students,comp
userPassword:: e01ENX1Lblo0V1dteWFzMXk5b2lGdEZPT3JnPT0=

32 Key issues
Hierarchy: comp/student, comp/staff, comp/ntstaff OR student/comp, student/entc, staff/comp, staff/entc
Home folder path: for a possible NFS based shared home directory for all users
Desktop authentication also possible using LDAP: tried, tested and abandoned (performance issues)
cn for each user: roll nos used
gidNumber design: defining groups for future use

33 Challenges faced
Too many user accounts needed: 5000+ students, 400+ teachers, 500+ non-teaching staff. Shell scripts to the rescue (copy them from me).
Password resets: phpldapadmin setup; Moodle as the only source for changing passwords. Too many complications in having multiple software doing password changes.

34 Challenges faced
IT education: members who are not IT friendly. Wiki to the rescue. Usage still low, but increasing.

35 Challenges Faced
Different terminology: different software use different terms to refer to the same concept (login attribute, login id, user id), which may sometimes mean cn or uidNumber.
Data not fetched from LDAP entries: LDAP used only for authentication, with users stored locally by the software.
Duplication of data: duplicate users created by applications; after you log in using LDAP, the application creates a copy.

36 Challenges Faced
Errors have crept into LDIF entries: mistakes of the system administrator.
Passwords are forgotten by users! A pain for the maintainers; phpldapadmin to the rescue.

37 Setting up your own OpenLDAP server
Our current implementation is on Ubuntu (!). Good guide by Ubuntu on setting up OpenLDAP: p-server.html
Make life easy: generate your own LDIF file containing all user accounts using a shell script, and just run one ldapadd command to add all accounts.
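The bulk-provisioning step just described (one generated LDIF file, one `ldapadd` run), together with the hierarchy and gidNumber questions of slide 32, as an added example that is not the presenter's script. It is written in Python rather than shell so the password hashing can be shown and checked inline: passwords are stored as `{SSHA}`, the salted scheme `slappasswd` produces by default, and `ssha_verify` performs the same comparison slapd does on a simple bind. Assumptions, all labelled in the code: the roster is constructed, the home-directory layout and the student gidNumber are this example's own choices (102 for staff is taken from slide 30), the mail domain is a placeholder, and uidNumbers are allocated sequentially from a start value that must lie above whatever is already in the directory.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

BASE_DN = "dc=coep,dc=org,dc=in"               # base DN used throughout the slides
GID_BY_ROLE = {"staff": 102, "students": 2000}  # assumed design; 102 for staff is on slide 30

# Constructed roster; in practice this comes from the institute's CSV export.
SAMPLE_ROSTER: List[Dict[str, str]] = [
    {"login": "abhijit.comp", "dept": "comp", "role": "staff", "year": "",
     "mail": "abhijit.comp@example.invalid", "password": "Chang3-me!"},
    {"login": "111703001", "dept": "comp", "role": "students", "year": "2017",
     "mail": "111703001@example.invalid", "password": "Welcome-2017"},
]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slapd stores it: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """What slapd does on a simple bind: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def account_dn(acct: Dict[str, str]) -> str:
    """Hierarchy as on slides 30-31: students get an extra ou for the admission year."""
    ous = [f"ou={acct['year']}"] if acct["role"] == "students" else []
    ous += [f"ou={acct['role']}", f"ou={acct['dept']}"]
    return f"cn={acct['login']}," + ",".join(ous) + "," + BASE_DN


def ldif_entry(acct: Dict[str, str], uid_number: int, salt: Optional[bytes] = None) -> str:
    """One inetOrgPerson/posixAccount/shadowAccount entry in the shape of slide 30."""
    hashed = ssha_hash(acct["password"], salt)
    home = f"/home/{acct['dept']}/{acct['role']}/{acct['login']}"  # assumed layout
    lines = [
        f"dn: {account_dn(acct)}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "objectClass: top",
        f"cn: {acct['login']}",
        f"sn: {acct['login']}",
        f"uid: {acct['login']}",
        f"mail: {acct['mail']}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {GID_BY_ROLE[acct['role']]}",
        f"homeDirectory: {home}",
        "loginShell: /bin/bash",
        f"gecos: {acct['login']},{acct['role']},{acct['dept']}",
        "shadowLastChange: 2000",
        "shadowMax: 99999",
        "shadowWarning: 7",
        # '::' marks a base64-encoded value, as the slides' userPassword lines do
        "userPassword:: " + base64.b64encode(hashed.encode("ascii")).decode("ascii"),
    ]
    return "\n".join(lines) + "\n"


def generate_ldif(roster: List[Dict[str, str]], start_uid: int = 10000,
                  salt: Optional[bytes] = None) -> str:
    """Whole file for one ldapadd run; entries are separated by a blank line.
    uidNumbers are allocated from start_uid upwards, so choose it above the
    highest uidNumber already present in the directory."""
    return "\n".join(ldif_entry(acct, start_uid + i, salt) for i, acct in enumerate(roster))


def stored_passwords(ldif_text: str) -> List[str]:
    """Decode the userPassword:: values back out of a generated file (for checks)."""
    return [base64.b64decode(line.split(" ", 1)[1]).decode("ascii")
            for line in ldif_text.splitlines() if line.startswith("userPassword:: ")]


if __name__ == "__main__":
    print(generate_ldif(SAMPLE_ROSTER), end="")
```

Redirect the output to a file and load it with the directory manager DN that the Mediawiki and MRBS settings later in the talk also use: `ldapadd -x -D "cn=Manager,dc=coep,dc=org,dc=in" -W -f accounts.ldif`. The fixed `salt` parameter exists only so a test can reproduce output; leave it unset for real runs so every account gets its own random salt.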

38 Moodle – LDAP setup - 1

39 Moodle – LDAP setup - 2

40 Moodle – LDAP setup - 3

41 Moodle – LDAP setup - 4

42 Moodle – LDAP setup - 5

43 Moodle's User Table
Locally stores all the users authenticated from LDAP. Does not cache the password. Stores an id of its own; if users change the id, the change is not reflected in the LDAP entry.

44 Nextcloud - LDAP Setup - 1

45 Nextcloud - LDAP Setup - 2

46 Nextcloud - LDAP Setup - 3

47 Nextcloud - LDAP Setup - 4

48 Nextcloud - LDAP Setup - 5 (advanced)

49 Mediawiki – LDAP Settings, LocalSettings.php - 1
wfLoadExtension( 'LdapAuthentication' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "coep" );
$wgLDAPServerNames = array( "coep" => " " );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( "coep" => "clear" );
$wgLDAPBaseDNs = array( "coep" => "dc=coep,dc=org,dc=in" );
$wgLDAPUserBaseDNs = array( "coep" => "dc=coep,dc=org,dc=in" );

50 Mediawiki – LDAP Settings, LocalSettings.php - 2
$wgLDAPProxyAgent = array( 'coep' => 'cn=Manager,dc=coep,dc=org,dc=in' );
$wgLDAPProxyAgentPassword = array( 'coep' => 'password-hidden-from-you' );
$wgLDAPSearchAttributes = array( 'coep' => 'uid' );
$wgLDAPGroupObjectclass = array( "coep" => "posixgroup" );

51 MRBS LDAP Settings - 1
<?php
namespace LDAP;
/***********************
 * LDAP Authentication
 ***********************/
$auth["session"] = "php";
$auth["type"] = "ldap";
$auth["realm"] = "mrbs";
$ldap_host = "ldap:// ";
$ldap_port = 389;
$ldap_v3 = true;

52 MRBS LDAP Settings - 2
$ldap_tls = false;
$ldap_user_attrib = "uid";
$ldap_dn_search_attrib = "uid";
$ldap_base_dn = "dc=coep,dc=org,dc=in";
$ldap_dn_search_dn = "cn=Manager,dc=coep,dc=org,dc=in";
$ldap_dn_search_password = "password-hidden-from-you";
$ldap_get_user_ = TRUE;
$ldap_ _attrib = 'mail';

53 Drupal – Simpleldap module configuration

54 Future Possibilities
Single sign on: users should sign in only once and all services should be available automatically. Moodle has SSO support; other services will need code modifications.
Possible additions: desktop login (with decentralised NFS servers), Diaspora pod, Buddypress, ...

55 Credits
https://en.wikipedia.org/wiki/OpenLDAP

