LDAP authentication configuration


Boris Kheyfets

Jan 24, 2016, 2:37:15 PM
to Canvas LMS Users

I'm stuck on setting up LDAP authentication.

I have an LDAP, which I can bind to with

require "net-ldap"   # the net-ldap gem (require "net/ldap" is the documented form and works too)

ldap = Net::LDAP.new(
  :host => "ldap.university.ru",
  :port => 389        # plain LDAP, no TLS
)

# Simple bind as the student's own DN: succeeds only if the password is right
ldap.auth "email=mye...@university.ru,ou=students,dc=university,dc=ru", "myPassword"
if ldap.bind
  puts "authentication succeeded"
else
  puts "authentication failed"
end

from my production server.

I made a canvas account with:

And I'm trying to set up LDAP authentication in the Canvas dialog with:

and can't pass the "Testing LDAP bind..." section, with a "no such object" error:

What am I doing wrong?

Christopher Bennell

Jan 25, 2016, 12:19:12 PM
to Canvas LMS Users
In our ActiveDirectory, there is no "email" attribute, but there is a "mail" attribute which contains the email address. Does your LDAP user have an email attribute that contains "mye...@university.ru"? I would also leave the Login Attribute field blank.

Frank Giuliani

Jan 25, 2016, 3:01:57 PM
to Canvas LMS Users
In addition to checking to verify there is an "email" attribute (rather than "mail") like Christopher had mentioned, I'd check to make sure your username is correct. Depending on the LDAP server, I've had to use the full DN/CN rather than just the email address.

If you are familiar with ldapsearch in *nix, I've used that on many occasions to determine the correct DN, CN, BindDN, SearchBase, etc. Once I can get it working in ldapsearch, I can generally get it working in whatever LDAP tool I'm fooling with, such as the Canvas LDAP sync.

Boris Kheyfets

Jan 26, 2016, 5:28:45 AM
to Canvas LMS Users

Solved!



The problem was that Canvas wanted me to provide the username and password for the LDAP directory manager, whereas I assumed Canvas wanted my own credentials (because it uses net-ldap, and in net-ldap it is possible to bind, that is, to check that the username and password are correct, without directory manager credentials).

So here's what worked for me:

* host: ldap.university.ru
* port: 389
* no TLS
* base: ou=students,dc=university,dc=ru
* filter: email={{login}}
* login attribute: email
* username: cn=directory manager
* password: dirManagerPassword



@Christopher Bennell

Thank you for your advice.

I'm working with 389-ds, but it also doesn't have an email attribute by default. I added it myself.


@Frank Giuliani

Thank you for your advice.

I used to check my dn with the net-ldap script I posted, but ldapsearch also worked:

ldapsearch -h ldap.university.ru -x -b "ou=students,dc=university,dc=ru"
ldapsearch -h ldap.university.ru -x -b "email=mye...@university.ru,ou=students,dc=university,dc=ru"

To bind as directory admin:

ldapsearch -h ldap.university.ru -x -b "email=mye...@university.ru,ou=students,dc=university,dc=ru" -D "cn=directory manager" -W