Multiple LDAP/AD Configuration for Sakai

Updated: June 6, 2008

How do I configure multiple LDAP/AD sources for Sakai?

To configure Sakai for multiple LDAP/AD sources, follow these steps.

Note: This article was written for Sakai 2.4.x; however, it should be very similar, if not the same, for 2.5.x.

  1. Enable the Federated provider in project.xml **
    1. Locate and edit project.xml under the sakai-src/provider/component directory
    2. Uncomment the dependency with artifactId "sakai-federating-provider"
    3. Run the appropriate maven tasks to build and deploy Sakai, which will create the sakai-federating-provider jar and put it into the {install_dir}/tomcat/components/sakai-provider-pack/WEB-INF/lib directory
  2. Edit jldap-beans.xml
    1. Under the tomcat/components/sakai-provider-pack/WEB-INF/ directory edit jldap-beans.xml
    2. Find any beans with a class definition of 'edu.amc.sakai.user.JLDAPDirectoryProvider'. If this is the first LDAP/AD configuration you are attempting, you will find a basic template to follow. You must have a bean definition for each source you intend to authenticate with. To have multiple beans of this class, you must identify them uniquely by changing the bean id. For example, a source that is being used for students could have id="org.sakaiproject.user.api.UserDirectoryProvider.Students".
    3. Go through the entire bean and configure the appropriate properties, the most important being ldapHost, ldapPort, ldapUser, ldapPassword, and basePath.
    4. Do this for each source you intend to authenticate with, and be sure to take note of the bean id you gave each of your sources.
  3. Edit components.xml
    1. Under the tomcat/components/sakai-provider-pack/WEB-INF/ directory edit components.xml
    2. Search for and uncomment the bean definition that states 'Uncomment and configure to use the Federating UserDirectoryProvider'
    3. Review the example configuration to better understand how source chaining is structured. The first bean definition should point to your primary authentication source. If you have not designated a primary source, the sources can be used in any order.
    4. For the myProvider property, enter a reference to the bean id of one of your sources, which you defined in jldap-properties.xml. Example: <ref bean="org.sakaiproject.user.api.UserDirectoryProvider.Students" />
    5. For the nextProvider property, reference the bean that will be defined as the next "link" of the chain. An example would be <ref bean="org.sakaiproject.user.api.UserDirectoryProvider.Chain1" />
    6. Now define the Chain1 bean that was just referenced. The bean just defined can be used as a template, or there should be an example included. The class will be the same, "org.sakaiproject.provider.user.FilterUserDirectoryProvider", but the id will be the one referenced in the previous bean, which in this example is "org.sakaiproject.user.api.UserDirectoryProvider.Chain1".
    7. Again, the myProvider property will reference a bean that was defined in jldap-properties.xml and contains another authentication source, and the nextProvider (if any) will be yet another "link" in the chain, which could be defined as "org.sakaiproject.user.api.UserDirectoryProvider.Chain2". This process can be continued for n-many sources; just be sure that each of your bean definitions is unique.

If you are running into any issues you may want to try the following troubleshooting techniques.

  1. Watch the catalina.out file closely on startup. If there are any malformed XML configurations, you will be given a WARN message with details on how to correct them. This may not be noticeable among the regular messages seen at startup, so look closely.
  2. If you cannot authenticate and everything is configured as it should be, verify that the LDAP/AD credentials are valid through another application.
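
The chain rules from steps 2 and 3 and the malformed-XML check from the troubleshooting list can be tested before Tomcat is restarted. The script below is an added example, not part of Sakai or of the original article. Its two embedded files are constructed samples, and the ".Staff" source id and the top-level bean id are assumptions.

```python
import xml.etree.ElementTree as ET

P = "org.sakaiproject.user.api.UserDirectoryProvider"  # id prefix used on the page
JLDAP = "edu.amc.sakai.user.JLDAPDirectoryProvider"
FILTER = "org.sakaiproject.provider.user.FilterUserDirectoryProvider"

# Constructed sample files. The ".Staff" id and the top-level id P are assumptions;
# connection properties (ldapHost, ...) are left out because only the ids matter here.
JLDAP_BEANS = f"""<beans>
  <bean id="{P}.Students" class="{JLDAP}"/>
  <bean id="{P}.Staff" class="{JLDAP}"/>
</beans>"""
COMPONENTS = f"""<beans>
  <bean id="{P}" class="{FILTER}">
    <property name="myProvider"><ref bean="{P}.Students"/></property>
    <property name="nextProvider"><ref bean="{P}.Chain1"/></property>
  </bean>
  <bean id="{P}.Chain1" class="{FILTER}">
    <property name="myProvider"><ref bean="{P}.Staff"/></property>
  </bean>
</beans>"""


def check_chain(jldap_xml, components_xml):
    """Return a list of problems; an empty list means the chain is consistent."""
    try:
        beans = list(ET.fromstring(jldap_xml).iter("bean"))
        beans += list(ET.fromstring(components_xml).iter("bean"))
    except ET.ParseError as exc:  # e.g. a <ref bean=...> with a missing quote
        return [f"malformed XML: {exc}"]
    sources = [b.get("id") for b in beans if b.get("class") == JLDAP]
    links = [b for b in beans if b.get("class") == FILTER]
    link_ids = [b.get("id") for b in links]
    ids = sources + link_ids
    problems = [f"duplicate bean id: {i}" for i in dict.fromkeys(ids) if ids.count(i) > 1]
    chained = set()
    for link in links:
        refs = {p.get("name"): p.find("ref").get("bean")
                for p in link.iter("property") if p.find("ref") is not None}
        mine, nxt = refs.get("myProvider"), refs.get("nextProvider")
        if mine not in sources:
            problems.append(f"{link.get('id')}: myProvider {mine!r} is not a defined source")
        if nxt is not None and nxt not in link_ids:
            problems.append(f"{link.get('id')}: nextProvider {nxt!r} is not a defined link")
        chained.add(mine)
    problems += [f"source not referenced by any link: {s}" for s in sources if s not in chained]
    return problems


if __name__ == "__main__":
    print(check_chain(JLDAP_BEANS, COMPONENTS) or "chain is consistent")
```

To check a real installation, pass in the contents of the two files read from tomcat/components/sakai-provider-pack/WEB-INF/.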

** In the event that you are using a 2.4.x environment and you do not have a build environment set up, I have included the 2.4.x federated provider jar on this page that you can download here

Attachment                             Size
sakai-federating-provider-2-4-x.jar    8.95 KB