LDAP Authentication / Lookup

LDAP Authentication

UniTime supports LDAP authentication. There are several custom properties that can be set (see the list below). If these do not cover your setup, the LDAP authentication module is implemented (as part of JAAS) in the class org.unitime.timetable.authenticate.jaas.LdapAuthenticateModule (see the method doAuthenticate).

#Ldap authentication
tmtbl.authenticate.ldap.provider=ldap://some.university.edu:636
tmtbl.authenticate.ldap.security=simple
tmtbl.authenticate.ldap.version=3
tmtbl.authenticate.ldap.socketFactory=javax.net.ssl.SSLSocketFactory
tmtbl.authenticate.ldap.ssl.keyStore=path/to/keystore
tmtbl.authenticate.ldap.ssl.trustStore=path/to/truststore
tmtbl.authenticate.ldap.ssl.keyStorePassword=changeit
tmtbl.authenticate.ldap.ssl.trustStorePassword=changeit
tmtbl.authenticate.ldap.ssl.trustStoreType=jks
tmtbl.authenticate.ldap.principal=uid=%,ou=authenticate,dc=university,dc=edu
tmtbl.authenticate.ldap.query=uid=%,ou=authorize,dc=university,dc=edu
tmtbl.authenticate.ldap.externalId=exid

(% marks where the login name is inserted; exid is the name of the attribute that holds the user's external id, which is the id used within the UniTime application.)
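The principal and query properties above are DN templates into which the user-supplied login name is substituted at the % placeholder. The following is an added example (not UniTime's code) of how such a template should be filled: the login is escaped per RFC 4514 so it cannot change the structure of the DN, and, because security=simple is in use, an empty password is refused, since a simple bind with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many directories accept. The property values are a constructed sample copied from the list above.

```python
# Constructed sample of the properties shown above (not a real deployment).
PROPS = {
    "tmtbl.authenticate.ldap.security": "simple",
    "tmtbl.authenticate.ldap.principal": "uid=%,ou=authenticate,dc=university,dc=edu",
    "tmtbl.authenticate.ldap.query": "uid=%,ou=authorize,dc=university,dc=edu",
    "tmtbl.authenticate.ldap.externalId": "exid",
}

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value):
    """Escape a string so it is safe as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:            # control characters become \XX hex pairs
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def fill_template(prop, login):
    """Replace the single % placeholder of a UniTime DN template with the escaped login."""
    template = PROPS[prop]
    if template.count('%') != 1:
        raise ValueError("template %s must contain exactly one %%" % prop)
    return template.replace('%', escape_dn_value(login))


def bind_credentials(login, password):
    """Return (bind DN, password) for a simple bind, refusing input that would not
    authenticate anyone: an empty password is an unauthenticated bind (RFC 4513 5.1.2)."""
    if not login or not login.strip():
        raise ValueError("login must be non-empty")
    if not password:
        raise ValueError("empty password would be an unauthenticated (anonymous) bind")
    return fill_template("tmtbl.authenticate.ldap.principal", login), password


def external_id_dn(login):
    """DN of the entry whose externalId attribute (exid) holds the user's external id."""
    return fill_template("tmtbl.authenticate.ldap.query", login)
```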

See Timetabling Installation: Customization on how to set custom properties.

The LDAP authentication only provides the external id of the authenticated user (it replaces the Users page). There still needs to be a timetable manager with the matching external id. Users without such a role are assumed to be students or instructors, who are only able to see their schedule (if there is a student / instructor record with a matching external id) or to use event management (if it is enabled).

LDAP Lookup

LDAP can also be used for people lookup (as one of the sources, besides instructors, staff, students, timetabling managers, and event contacts). To set up LDAP lookup, use the following properties:

#Ldap for people lookup
tmtbl.lookup.ldap=ldap://directory.university.edu:389
tmtbl.lookup.ldap.name=ou=directory,dc=university,dc=edu
tmtbl.lookup.ldap.phone=phone,officePhone,homePhone,telephoneNumber
tmtbl.lookup.ldap.department=department
tmtbl.lookup.ldap.position=position,title

See org.unitime.timetable.gwt.server.LookupServlet#findPeopleFromLdap for the implementation.

Moreover, the LDAP lookup is expected to return only usernames (the uid attribute, not the actual external ids). If external ids differ from usernames, there is a class that translates between the two.

#Translation of external unique ids
tmtbl.externalUid.translation=org.unitime.timetable.util.LdapExternalIdTranslation
# Translation between user name and external id
tmtbl.authenticate.ldap.uid2ext=uid=%,ou=identify,dc=university,dc=edu
# Translation between external id and user name
tmtbl.authenticate.ldap.ext2uid=exid=%,ou=identify,dc=university,dc=edu

The translation class above uses the LDAP authentication module to translate usernames (uid attribute) into external ids (the attribute named in tmtbl.authenticate.ldap.externalId) and back.

Timetable Managers / Instructors Validation

LDAP can also be used to validate timetable managers and instructors.

#Manager External Id Lookup
#Must implement the interface org.unitime.timetable.interfaces.ExternalUidLookup
tmtbl.manager.external_id.lookup.enabled=true
tmtbl.manager.external_id.lookup.class=org.unitime.timetable.util.LdapExternalUidLookup
# Identify query (provide user name, get external id, name, email etc.)
tmtbl.authenticate.ldap.identify=uid=%,ou=identify,dc=university,dc=edu

#Instructor External Id Lookup
#Must implement the interface org.unitime.timetable.interfaces.ExternalUidLookup
tmtbl.instructor.external_id.lookup.enabled=true
tmtbl.instructor.external_id.lookup.class=org.unitime.timetable.util.LdapExternalUidLookup

If enabled, the interface (org.unitime.timetable.interfaces.ExternalUidLookup) is used to validate (and/or translate) the entered username / external id. The implementation above also uses the LDAP authentication module, with the query provided in the tmtbl.authenticate.ldap.identify property.

Notes

Using an LDAP explorer (e.g., JXplorer, http://jxplorer.org/) may help you find out the required settings (e.g., which certificates you need, or what the query should look like) in a more interactive way.

©2010 UniTime LLC. Content available under GNU Free Documentation License 1.3.