[atutor.git] / mods / ldap / readme.txt

ATutor LDAP authentication module, version 0.2

This module provide basic functions of user authentication via LDAP Server, copy user information from LDAP Server and insert it into ATutor DB.
Also module provide GUI for settings LDAP-auth and listing all user's which authenticated via LDAP. 
Transfering user passwords from browsers to ATutor server protected by strongly public key encryption (RSA with 512 bit key) 

        REQUIREMENTS
1. PHP must be with ldap and openssl extensions (required for LDAP functions in ldap_lib.php and decryption in rsa.inc.php)
2. In your server operating system must be installed OpenSSL package (OpenSSL package using when generated private/public keys)

        INSTALLING
Module consist of several php and java scripts and sql file for DB updating
Next schema describe module structure and file in module

        ----------------------------------
        admin/ ---------|
                        |- ldap_lib.php      -  Library of basic LDAP authentication functions. Provide connect to LDAP 
                        |                       server, authentication users with 
                        |                       password in LDAP server, coping user's info from LDAP to ATutor DB.
                        |- config_ldap.php   -  Script which generated page for configure LDAP authentication.
                        |- ldap_auth_log.php -  Script for genaratin page with list of user's which created via 
                        |                       LDAP authoring
        
        include/lib/ ---|
                        | - rsa.inc.php       - Library provide basic RSA decryption via private key and managament 
                        |                       of authoring cookie which useed 
                        |                       to check valid of encrypted string.
                        | - menu_pages.php    - Modified standart menu_pages.php file. In this file added strings 
                        |                       which describe new pages for ATutor administrator.
                        | - pk.pem            - Example private key 

        rsa/  ----------|
                        | - base64.js 
                        | - jsbn.js
                        | - prng4.js
                        | - rng.js
                        | - rsa.js             - ALL of this files using for encryption user password in login page.
                        |                        Using jscript's from http://www-cs-students.stanford.edu/~tjw/jsbn/
         
        themes/default/-|
                        | - login.tmpl.php     - Modified standart login.tmpl.php. Added new hidden input and 
                        |                       password encryption via RSA public key.
        
        jscript/jqgrid -|   -                  javascript files required for AJAX table in admin LDAP log page
                        |
        login.php   -----------------------------Modified standart login.php. To this file added required functions 
                                                 for RSA encryption/decryption and LDAP communication.

Also module has:
1. atutor.ldap.struct.sql file - Use this file to update your ATutor DB and create requried tables.



Install module:

1. Copy all files from atutor.ldap.mod  to your ATutor and put them in appropriate directories (see module schema).

2. Use atutor.ldap.struct.sql to modify your ATutor DB. In this step you may use next command:
        mysql -u "user_name" -p "your_atutor_DB" < atutor.ldap.struct.sql, then press ENTER and put "user_password"
                where "user_name"      - user that can modify your ATutor DB (see your ATutor's 
                                         include/config.inc.php)
                      "user_password"  - password for access "user_name" to your ATutor DB (see your ATutor's 
                                         include/config.inc.php)
                      "your_atutor_DB" - name of DB which used by your ATutor 

                EXAMPLE:  mysql -u atutor -p atutor154 < atutor.ldap.struct.sql   

3. Now you must generate a private key using openssl.(This module has example private key, but strongly recomended     generate new private key)  
  
  To generate RSA private key use next commands:
        
        $ openssl genrsa -out priv_key.pem.     
        Generating RSA private key, 512 bit long modulus
.       .++++++++++++
        ..............++++++++++++
        e is 65537 (0x10001)
        $

        Private key will be saved in priv_key.pem

4. Copy your private key in a place which can't be readed by everyone (don't copy your private key to directory,       which can be readed by Apache  web-server), but rsa.inc.php must has access to private key.
   In my ATutor installations I do following steps (let private key stored in priv_key.pem):
                1. Copy priv_key.pem to my_atutor_installation_path/include/lib/ directory. 
                2. Use chmod 644 priv_key.pem (now rsa.inc.php has read access to priv_key.pem !!!)
                3. In httpd.conf of my Apache web server I put next dirictives 
                                <Directory "my_atutor_installation_path/include/lib/">
                                        Order deny,allow
                                        Deny from all
                                </Directory>
                        Now, include/lib/ directory protected and nobody can read priv_key.pem 
   
   Path to your private key must be defined in rsa.inc.php 

5. Getting modulus from private key and configure rsa.inc.php

        $ openssl rsa -in priv_key.pem -noout -modulus
        Modulus=DA3BB4C40E3C7E76F7DBDD8BF3DF0714CA39D3A0F7F9D7C2E4FEDF8C7B28C2875F7EB98950B22AE82D539C1ABC1AB550BA
        $
        
        Copy modulus to rsa.inc.php 
        
6. Confgiure LDAP authentication
        1. Login in your ATutor system.
        2. Go to System Prefernces and then to LDAP Authentication page
        3. Set LDAP Server name. It may in two variants, first - FQDN, second - LDAP URL ("ldap://your_ldap_server"
           or "ldap://xxx.xxx.xxx.xxx", where xxx.xxx.xxx.xxx - IP address of LDAP server
        4. Set LDAP port. By default using standart LDAP port
        5. Set LDAP Server tree. You must define LDAP tree (or subtree) where stored user's entries.
                EXAMPLE. If LDAP server has name  example.com and it has subtree with name "accounts". Subtree 
                "accounts" has children subtree "users" where stored user's entries. So, your LDAP Server tree
                will be "ou=users,ou=accounts,dc=example,dc=com".
                
                Contact with your LDAP server administrator to get full information about LDAP structure.
        6. Set attributes of user entries.
                In "LDAP Server field" you must set name of LDAP entries attribute. 
                EXAMPLE. If user entries in LDAP has 6 attributes, 1 is uid attribute, where stored user's login, 
                2 is password attribute, where stored user's password, 3, 4, 5 is l_name, f_name, s_name attributes where stored user's last, first and second names, and 6 attribute is mail, where stored user's email. 
                In this case, you must set in "Login" field - "uid", "E-mail" field - "mail", in "Last name", "First name", "Second name" fields - "l_name", "f_name", "s_name".
                
                Contact with your LDAP server administrator to get full information about entries attributes.


This module tested (and it's work) in next platforms

        1. OpenSUSE 10.2 + Apache 2.2.3 + MySQL 5.0.26 + PHP 5.2.0 + OpenLDAP 2.2 
        2. Slackware 11.0 + Apache 1.3.37 + MySQL 5.0.33 + PHP 4.4.6 + OpenLDAP 2.3.32
        3. Fedora 10 + Apache 2 + MySQL 5.0.23 + PHP 5.2 + OpenLDAP

Currently ATutor + ldap module running on Fedora 10 + Apache 2.2.3 + MySQL 5.0.22 + PHP 5.1.6  and LDAP server running on Fedora Core 4 + OpenLDAP 2.2.4 In  this configuration system running aproximetly 25 month. 

This module with a few changes can be used for user authentication via Microsoft Active Directory.

This module distributed "as is" and can be modified for your needs.

If you use or modified this module, please, email me.

         smal (Serhiy Voyt)
         smalgroup@gmail.com
        
         Distributed under GPL (c)Sehiy Voyt 2005-2009