LDAP, Active Directory and LDAP/SSO
I’ve had to reply to part of a call for tender today. The interesting question was “Can Dokeos interact with our LDAP/SSO system?”.
So first I should review the vocabulary a bit. After searching the web for a while, I can fairly safely say that LDAP and LDAP/SSO are actually the same thing.
- LDAP stands for Lightweight Directory Access Protocol (there is actually a heavyweight DAP protocol)
- SSO stands for Single Sign-On (which means it’s a system by which a user only has to sign in once to access multiple applications, for example)
Basically, the implemented result of LDAP is that one server holds the credentials of a lot of users in a structured data tree, and anybody using an application connected to that LDAP server can say “I’m xyz”; the authentication is then made by contacting the LDAP server to ask whether the user really is who he says he is, and what information we can get about him.
So this is a Single Sign-On technology, which means LDAP/SSO is a redundant acronym.
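As an added illustration of the flow just described (this is example code written for this page, not code from the original post or from Dokeos), here is the usual “search, then bind” sequence an application performs, run against a small in-memory stand-in for an LDAP server so it works offline. Everything in it is constructed: the base DN `dc=example,dc=org`, the service account `cn=dokeos-svc`, the users and their passwords, and the `FakeDirectory` class itself, which only imitates the two LDAP operations involved (bind and equality search). It also shows the one check a practitioner always wants in front of the user bind: an empty password must be refused by the application, because an LDAP bind with a name and an empty password is an “unauthenticated” bind (RFC 4513, section 5.1.2) that some servers, Active Directory included, accept by default.

```python
"""Search-then-bind LDAP authentication against a constructed in-memory
directory. Added example, not Dokeos code; all DNs, accounts and
passwords below are made up for the demonstration."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def _ssha(password: str) -> str:
    """Store a password the way many directories do: {SSHA} salted SHA-1."""
    salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + (digest + salt).hex()


def _ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = bytes.fromhex(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


class FakeDirectory:
    """Minimal stand-in for an LDAP server: a flat map of DN -> attributes.
    allow_unauthenticated mimics servers that accept a name plus an empty
    password as a successful (but anonymous) bind."""

    def __init__(self, entries: Dict[str, Dict[str, str]], allow_unauthenticated: bool = True):
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: True if the directory accepts the credentials."""
        if password == "":
            # Anonymous bind (empty name) or unauthenticated bind (name only):
            # both "succeed" without proving anything about the caller.
            return dn == "" or self.allow_unauthenticated
        entry = self.entries.get(dn.lower())
        if entry is None:
            return False
        return _ssha_verify(entry.get("userPassword", ""), password)

    def search(self, base: str, attr: str, value: str) -> List[str]:
        """Equality search, i.e. the filter (attr=value) under base; returns DNs.
        A real client builds that filter as a string and must escape value
        (RFC 4515), which this equality-only stand-in does not need."""
        base = base.lower()
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and attrs.get(attr, "").lower() == value.lower()]


BASE_DN = "dc=example,dc=org"                                   # constructed
SERVICE_DN = "cn=dokeos-svc,ou=services,dc=example,dc=org"     # constructed
SERVICE_PW = "svc-secret"                                      # constructed

DIRECTORY = FakeDirectory({                                    # constructed sample tree
    SERVICE_DN: {"cn": "dokeos-svc", "userPassword": _ssha(SERVICE_PW)},
    "uid=xyz,ou=people,dc=example,dc=org": {
        "uid": "xyz", "cn": "Xavier Y. Zed", "mail": "xyz@example.org",
        "userPassword": _ssha("correct horse")},
    "uid=abc,ou=people,dc=example,dc=org": {
        "uid": "abc", "cn": "Alice B. Cee", "mail": "abc@example.org",
        "userPassword": _ssha("battery staple")},
})


def authenticate(directory: FakeDirectory, login: str, password: str) -> Optional[Dict[str, str]]:
    """What the application does when a user says "I'm xyz":
    1. refuse an empty password outright (it would become an unauthenticated bind),
    2. bind with the application's own service account,
    3. search for the user's DN by uid under the base DN,
    4. bind as that DN with the password the user typed,
    5. on success, read the attributes the application wants to keep."""
    if not password:
        return None
    if not directory.bind(SERVICE_DN, SERVICE_PW):
        raise RuntimeError("service account bind failed")
    matches = directory.search(BASE_DN, "uid", login)
    if len(matches) != 1:          # unknown, or ambiguous, login
        return None
    user_dn = matches[0]
    if not directory.bind(user_dn, password):
        return None
    attrs = directory.entries[user_dn.lower()]
    return {"dn": user_dn, "cn": attrs["cn"], "mail": attrs["mail"]}


if __name__ == "__main__":
    print(authenticate(DIRECTORY, "xyz", "correct horse"))   # user record
    print(authenticate(DIRECTORY, "xyz", "wrong"))           # None
    print(authenticate(DIRECTORY, "xyz", ""))                # None, even though the server would say yes
```

The service account exists only to find the user’s DN; the user’s own bind is what proves the password, and the attributes read afterwards (`cn`, `mail`) are the “information we can get” that an application such as Dokeos would copy into its own user table. The last line of the `__main__` block is the point of the empty-password check: `DIRECTORY.bind("uid=xyz,...", "")` returns True on this server, so an application that skipped the check would log anyone in as any known login.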
Active Directory is Microsoft’s home-made system, which has the same features as LDAP but is not LDAP, so you have to do an implementation just for them (I’m told the rules also change from one version of Windows Server to another, which makes implementations version-dependent, which is not practical).
Luckily, Microsoft (or other people, actually; I don’t know) realised that this was not practical, so they offered a translation system from Active Directory to LDAP, which makes it easy to use an Active Directory server as an LDAP server.
Now, let’s talk a bit about Dokeos and LDAP…
Dokeos offers an LDAP extension which provides it with an almost-easy way to connect to an LDAP server and get authentication data from there. It’s almost easy because:
- it’s shipped by default with all versions of Dokeos (from 1.6.0 at least)
- it’s configurable via only one file (but it’s not configurable via the web interface)
- there is a separate login page for LDAP which handles the login
The LDAP extension was originally contributed by Evie (R.) Embrechts around 2003.
Just recently, a contribution (to be integrated by me in the coming weeks) has been shared by Mustapha Alouani, which greatly eases the use of the LDAP extension by providing a web interface for various administrative tasks.
This is a massive improvement in LDAP integration. Over 4 years of development, this is the first big step in that direction.
On another bright side, I’ve just integrated OpenID login support into Dokeos 1.8.5 using the Drupal code for OpenID, which means it’s now possible to use another, very recent, practical and easy, Single Sign-On method in Dokeos.