LDAP integration allows users to sign into SchoolTool with their
existing LDAP accounts.

We cannot test our LDAP support against all the existing LDAP implementations and configurations, so we cannot guarantee it will "just work" for you.

Before you make any promises about SchoolTool working with your LDAP, test it against your LDAP server.

In particular, there seems to be a problem currently with LDAP servers trying to assign non-ASCII characters in usernames, which is not supported by Zope (and thus SchoolTool). We are looking into a fix for this issue.

To enable LDAP support, you will need to install the `SchoolTool LDAP
<https://launchpad.net/schooltool.ldap>`_ plugin from the
:ref:`ppa` using **Ubuntu Software Center**,

::

    sudo apt-get install python-schooltool.ldap

Once you have installed the plugin, LDAP configuration will appear on the Server page.

.. image:: images/ldap-config-1.png

Users will not be automatically "pulled" from the LDAP server.
Instead, they will be created (if missing) when they log in for
the first time. Here, student001 just logged in on a fresh
SchoolTool installation with LDAP support:

.. image:: images/ldap-newperson-1.png

SchoolTool will pull some of the user's contact information and update it
each time the user logs in.

.. image:: images/ldap-newperson-2.png

.. image:: images/ldap-newperson-4.png

If configured, users can also be automatically assigned to desired
SchoolTool groups. Here, two users have been assigned to "students":

.. image:: images/ldap-newperson-3.png

By default, SchoolTool will look for ``/etc/ldap.conf`` and try to figure
out your current setup. If your server has that entry, there's a good
chance that LDAP integration will work out-of-the-box.

.. image:: images/ldap-config-1.png

If you have installed **Zentyal** (http://www.zentyal.com/) on the
same server and configured Users / Groups modules, SchoolTool should
be able to pick up LDAP settings automatically.

Note that autodetection runs only at server startup, so
SchoolTool needs to be restarted after the server's LDAP config changes::

    $ sudo service schooltool restart

SchoolTool's LDAP settings can be edited with a web browser, unless this option is
explicitly disabled in ``schooltool.conf``.

.. image:: images/ldap-config-2.png

To enable LDAP integration you must specify **LDAP server URI** and at
least one **user DN query**.

**User DN queries** are used to obtain the list of LDAP users. Each query
must also specify the "login attribute", which in almost all
cases is "uid". A query should look like this::

    uid ou=Users,dc=example,dc=com?one?(objectClass=inetOrgPerson)

If you need to fine-tune your queries it's best to install an interactive
LDAP browser (like http://jxplorer.org) and test which queries return
proper lists of users.

**Bind DN** and **Bind password** are used when connecting to LDAP to retrieve the
user list. Leave these fields empty if anonymous LDAP connections are allowed to

**Group DN queries** and **POSIX group counterparts** allow automatic
adding of users to desired SchoolTool groups. To enable mapping, you
will need to enter one or more queries that retrieve the list of LDAP
groups. You will also have to find out the "gidNumber" of each LDAP group
you want to map. Again, using tools like jXplorer helps a lot.

.. image:: images/ldap-config-3.png

**POSIX group counterparts** allow you to bind groups to a specific
school year or to the active one. Users will be assigned to their
groups when they log into SchoolTool::

    2012-2013, students, 2001

Advanced configuration
++++++++++++++++++++++

You can configure LDAP by adding a section like this to ``schooltool.conf``::

    <ldap_authentication>

      autodetect_from /etc/ldap.conf
      uri ldap://127.0.0.1:389

      default_login_attr uid
      default_login_filter objectclass=inetOrgPerson

      query_users uid dc=localhost?sub?(objectClass=inetOrgPerson)

      query_groups dc=localhost?sub?(objectClass=posixGroup)
      bind_group teachers 7001
      bind_group 2011-2012 students 6024

      bind_password thepassword

    </ldap_authentication>

**Important**: through-the-web configuration takes precedence over
``schooltool.conf``, unless ``allow_web_config`` is set to ``no``.

**allow_web_config** lets you disable through-the-web overriding of

**autodetect_from** should point to the ``ldap.conf`` file that SchoolTool
will use to infer its LDAP configuration.

It's worth noting that **query_users**, **query_groups** and
**bind_group** can have multiple entries.

**default_login_attr** and **default_login_filter** are rarely used settings,
useful primarily when you want to influence auto-detection of LDAP settings.

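
A small lint for the ``<ldap_authentication>`` section described above, checking the query and ``bind_group`` syntax and flagging a remote cleartext ``ldap://`` URI and the web-configuration override; this is an added example, not SchoolTool code. The names ``check_query``, ``lint`` and ``SAMPLE`` are hypothetical, and it assumes that the scope is one of the LDAP URL keywords ``base``/``one``/``sub``, that web configuration is allowed when ``allow_web_config`` is absent, and that the connection does not negotiate StartTLS:

```python
import re
from urllib.parse import urlparse

# Constructed sample in the layout shown above; host and values are placeholders.
SAMPLE = """\
<ldap_authentication>
  uri ldap://ldap.example.com:389
  query_users uid dc=example,dc=com?subtree?(objectClass=inetOrgPerson)
  query_groups dc=example,dc=com?sub?(objectClass=posixGroup)
  bind_group 2011-2012 students abc
</ldap_authentication>
"""
SCOPES = {"base", "one", "sub"}  # assumption: scope keywords of the LDAP URL syntax


def check_query(value, has_login_attr):
    """Check '[login_attr] base?scope?(filter)'; return a problem or None."""
    if has_login_attr:
        attr, _, value = value.partition(" ")
        if "=" in attr or not value.strip():
            return "login attribute missing before the base DN"
    base, scope, flt = (value.strip().split("?", 2) + ["", ""])[:3]
    if "=" not in base or not re.fullmatch(r"\(.+\)", flt):
        return "expected base?scope?(filter)"
    if scope not in SCOPES:
        return "unknown scope %r" % scope
    return None


def lint(text):
    """Return findings for the <ldap_authentication> section of the config."""
    m = re.search(r"<ldap_authentication>(.*?)</ldap_authentication>", text, re.S)
    found, web = [], "yes"  # assumption: web config is allowed when unset
    for line in (m.group(1).splitlines() if m else []):
        key, _, value = (s.strip() for s in line.strip().partition(" "))
        if key in ("query_users", "query_groups"):
            problem = check_query(value, key == "query_users")
            if problem:
                found.append("%s: %s" % (key, problem))
        elif key == "bind_group" and not re.fullmatch(r"(\S+\s+)?\S+\s+\d+", value):
            found.append("bind_group: expected '[year] group gidNumber'")
        elif key == "uri" and urlparse(value).scheme == "ldap" \
                and urlparse(value).hostname not in ("127.0.0.1", "localhost", "::1"):
            found.append("uri: ldap:// to a remote host is cleartext without StartTLS")
        elif key == "allow_web_config":
            web = value
    if web != "no":
        found.append("allow_web_config: not 'no', web settings override this file")
    return found
```

Calling ``lint(SAMPLE)`` returns one finding each for the URI, the ``subtree`` scope, the non-numeric gidNumber and the missing ``allow_web_config no``.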