OpenOLAT and AD FS (Active Directory Federation Services)


albert...@brueggli.ch

Sep 18, 2017, 10:43:55 AM
to OpenOLAT

Dear OpenOLAT community,

I would like to know if it is possible to create a connection between Ubuntu 14.04 and Windows Server 2012 via AD FS.
My purpose is to use the user logins from Windows Active Directory in OpenOLAT.
If this is possible, could you please tell me what the ADFS requirements for OpenOLAT and Ubuntu are?

Thanks and best regards
Alberto

Florian Gnägi

Sep 18, 2017, 12:49:06 PM
to open...@googlegroups.com
Hi Alberto

You can configure the LDAP properties to let users log in using their AD credentials and synchronize your users from your AD. And/or you can use the ADFS OAuth feature to implement a single sign-on process for your infrastructure.

For more info about the configuration options, please have a look at http://hg.openolat.org/openolat/file/76b076b47bc2/src/main/resources/serviceconfig/olat.properties

Search for LDAP. For ADFS you can set up the configuration in Administration -> Login -> Social Providers -> ADFS

Cheers
Florian

--
You are receiving this message because you are a member of the Google Groups group "OpenOLAT".
To post to this group, send an e-mail to open...@googlegroups.com
To unsubscribe from this group, send an e-mail to openolat+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/openolat?hl=de
-------------------------------------------------------------------------------------------------------------------
OpenOLAT - infinite learning - http://www.openolat.org


--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Florian Gnägi, Geschäftsführer
Hardturmstrasse 76
CH-8005 Zürich, Switzerland


--------------------------------------------------------------------


nic0l.b...@gmail.com

Oct 9, 2017, 6:48:18 AM
to OpenOLAT
Hello Florian,

The single sign-on solution with the Active Directory Federation Services does not require any manipulation of the olat.local.properties file, or does it? I assume that the user synchronisation with LDAP requires some changes in the olat.local.properties file.

Greetings
Nicolas

Oliver Kant

Oct 10, 2017, 5:10:04 AM
to OpenOLAT
Hello Nicolas,

Please allow me to try and explain how I would set this up. I hope this will give you a fair starting point.

This applies to OpenLDAP and ADFS over SSL. I would recommend using encryption for various reasons.

Some basic settings in the olat.local.properties would be:

# Note: in a Java .properties file a '#' only starts a comment at the beginning of a line,
# an inline '# ...' after a value becomes part of the value, so every comment sits on its own line here.
# of course
ldap.enable=true
# In your case
ldap.activeDirectory=true
# where do we find the users?
ldap.ldapBases=ou=XXX,dc=XXX,dc=XXX
# or true, but I would start with false
ldap.ldapSyncCronSync=false
# or true, but I would start with false
ldap.ldapSyncOnStartup=false
# This can be the DN or email of a user allowed to read the entries
ldap.ldapSystemDN=CN=YYY,dc=XXX,dc=XXX
ldap.ldapSystemPW=QWERQWERQWER
ldap.sslEnabled=true
# IP or hostname with port number
ldap.ldapUrl=ldaps://XXX:XXX:636
# You have to import the server's certificate into the cacerts of Java, see below
ldap.trustStoreLocation=/PATH/TO/MY/cacerts
# changeit unless changed, see below
ldap.trustStorePwd=ASDFASDFASDF
ldap.trustStoreType=JKS

Java cacerts:
You should copy the cacerts file from $JAVA_HOME/jre/lib/security/cacerts to somewhere else (the path from olat.local.properties) and get the server's certificate as an X.509 file. Import it with this command:
$JAVA_HOME/jre/bin/keytool -import -file PATH/server-ldaps-cert.x509 -alias ldaps -keystore /PATH/TO/MY/cacerts
It will ask for a password. This is "changeit" until you change it.

I hope this helps, since from here on, it really is a very custom thing, depending on how you have set up your active directory and how you want to use that information in OpenOLAT.

Cheers,
Oliver
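A small checker for the LDAP settings discussed in this thread, added here as an example; it is not part of the original posts and not OpenOLAT's own code. It reads olat.local.properties the way Java's Properties loader does, where a '#' only starts a comment at the beginning of a line, and reports the things that go wrong most often: an inline comment that silently becomes part of the URL or password, ldap.sslEnabled=true with a plain ldap:// URL, a missing trust store, and the default trust store password. The sample file is constructed from the keys in the post; the host name ldap.example.org is made up.

```python
"""Lint the LDAP-over-SSL section of an OpenOLAT olat.local.properties file.

Added example, not OpenOLAT code. It reads the file the way Java's
Properties loader does (a '#' only starts a comment at the beginning of a
line, so an inline '# ...' becomes part of the value) and reports the
pitfalls a reviewer would look for before enabling LDAP in production.
"""
import re

# Constructed sample based on the settings from the post; the host name
# ldap.example.org is made up. The ldapUrl line keeps an inline comment
# on purpose, to show what Java would actually store as the value.
SAMPLE = """\
# LDAP settings (constructed sample)
ldap.enable=true
ldap.activeDirectory=true
ldap.ldapBases=ou=XXX,dc=XXX,dc=XXX
ldap.ldapSyncCronSync=false
ldap.ldapSyncOnStartup=false
ldap.ldapSystemDN=CN=YYY,dc=XXX,dc=XXX
ldap.ldapSystemPW=QWERQWERQWER
ldap.sslEnabled=true
ldap.ldapUrl=ldaps://ldap.example.org:636     # IP or hostname with port
ldap.trustStoreLocation=/PATH/TO/MY/cacerts
ldap.trustStorePwd=changeit
ldap.trustStoreType=JKS
"""

# First '=' or ':' (optionally surrounded by whitespace) separates key and value.
KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties parser (no \\uXXXX escapes, no escaped separators).

    Blank lines and lines starting with '#' or '!' are skipped, a trailing
    backslash continues the value on the next line, and the first '=' or ':'
    separates key from value. Anything after the value, including '# ...',
    stays in the value, exactly as Java keeps it."""
    props = {}
    logical = None
    for raw in text.splitlines():
        part = raw.strip()
        if logical is None:
            if not part or part[0] in "#!":
                continue
            logical = ""
        if part.endswith("\\") and not part.endswith("\\\\"):
            logical += part[:-1]  # value continues on the next line
            continue
        logical += part
        match = KEY_VALUE.match(logical)
        if match:
            props[match.group(1)] = match.group(2)
        logical = None
    return props


def check_ldap_settings(props):
    """Return a list of (severity, message) findings for the ldap.* settings."""
    findings = []
    # 1. Inline comments: Java keeps '# ...' as part of the value, so the URL,
    #    bind DN or password would silently be wrong.
    for key, value in props.items():
        if key.startswith("ldap.") and "#" in value:
            findings.append(("error", f"{key}: inline '#' is part of the value {value!r}; "
                                      "move the comment to its own line"))
    if props.get("ldap.enable") != "true":
        return findings
    url = props.get("ldap.ldapUrl", "")
    ssl = props.get("ldap.sslEnabled") == "true"
    # 2. Transport: the bind DN, its password and every user's password travel
    #    in the LDAP bind, so the URL must be ldaps:// with SSL enabled.
    if not ssl:
        findings.append(("warn", "ldap.sslEnabled is not true: LDAP binds would cross the network in clear"))
    if ssl and not url.startswith("ldaps://"):
        findings.append(("error", f"ldap.sslEnabled=true but ldap.ldapUrl={url!r} is not an ldaps:// URL"))
    # 3. Trust store: without the imported server certificate the TLS handshake
    #    fails; the store password only guards the file's integrity, so the
    #    Java default 'changeit' gives no assurance the store was not altered.
    if ssl and not props.get("ldap.trustStoreLocation"):
        findings.append(("error", "ldap.sslEnabled=true but ldap.trustStoreLocation is missing"))
    if props.get("ldap.trustStorePwd") == "changeit":
        findings.append(("warn", "ldap.trustStorePwd is still the Java default 'changeit'"))
    if not props.get("ldap.ldapSystemPW"):
        findings.append(("warn", "ldap.ldapSystemPW is empty"))
    return findings


if __name__ == "__main__":
    for severity, message in check_ldap_settings(parse_properties(SAMPLE)):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports two findings: the inline comment on ldap.ldapUrl (an error, because Java would try to connect to a URL that ends in "636     # IP or hostname with port") and the default trust store password. Point it at the real olat.local.properties by reading the file into `parse_properties` instead of `SAMPLE`.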