The boss recently tasked me and the other guy with creating a digital document repository to store all of his and his colleagues’ research papers. Of the various options available, Invenio seemed like a good choice, so I built a development site to see if we could get it to work with our system.
One of the most important factors in determining whether this would work for us or not is LDAPS support. Because of the sensitive data that the firm works with, the “S” is very important.
After a couple of hours of sifting through Python scripts, I finally figured out how to add LDAPS to Invenio.
Start with LDAP
If your LDAP server is already set up, the most challenging part of getting LDAPS support on your Invenio installation is configuring LDAP. Fortunately others have already explained how to do that. For everything except the “S” I followed this post: “CDS Invenio: Configuring LDAP to login into repository.”
Adding the “S”
To add the security of LDAPS, there were three things in Miguel’s walkthrough that I needed to tweak.
First of all, I needed to change the URL to my server to indicate LDAPS. In this file ($PATH_TO_INVENIO/lib/python/invenio/external_authentication_ldap.py), he put:
CFG_EXTERNAL_AUTH_LDAP_SERVERS = ['ldap://ldapmail.unizar.es']
For LDAPS, I needed to add the “s” to the protocol name as well as the port number, for example:
CFG_EXTERNAL_AUTH_LDAP_SERVERS = ['ldaps://ldapmail.unizar.es:636']
That alone wasn’t enough. I also needed to add one other line that I found on the Google Code page for the Python LDAP module. On lines 61 and 62 of that page, there is one crucial piece of code:
# DIK added for accessibility of ldaps://…..
ldap.set_option( ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER )
Those two things might be enough for you if you don’t require a trusted binding. In our case we have a special user to complete a trusted binding with our Mac OS X Open Directory Server, so below the line from the Google Code page, I added the name and password for the binding user:
username = "[enter username]"
password = "[enter password]"
Then I called the script to write the changes and restarted the Apache server (sudo $PATH_TO_INVENIO/bin/inveniocfg --update-all; sudo service apache2 restart) and I was up and running with LDAPS on Invenio.
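As an added example (not code from Invenio or from the original post), here is how the three tweaks above fit together in python-ldap, with one change: the Google Code line sets OPT_X_TLS_REQUIRE_CERT to OPT_X_TLS_NEVER, which makes the client accept any server certificate, so the connection is encrypted but the server is never authenticated; the example uses OPT_X_TLS_DEMAND with a CA bundle instead. The CA file path and the bind DN are assumptions, and the server URL is the one from the post.

```python
"""Added example: LDAPS for Invenio with server certificate checking enabled."""
from urllib.parse import urlsplit

# Value from the post; the CA bundle path is an assumption (Debian/Ubuntu default).
CFG_EXTERNAL_AUTH_LDAP_SERVERS = ['ldaps://ldapmail.unizar.es:636']
CA_CERT_FILE = '/etc/ssl/certs/ca-certificates.crt'


def check_server_url(url):
    """Return (host, port) for an ldaps:// URL; reject anything weaker.

    Invenio hands these strings to python-ldap unchanged, so a stray
    'ldap://' entry silently downgrades the login path to cleartext.
    """
    parts = urlsplit(url)
    if parts.scheme != 'ldaps':
        raise ValueError('refusing non-LDAPS server URL: %s' % url)
    if not parts.hostname:
        raise ValueError('missing hostname in server URL: %s' % url)
    return parts.hostname, parts.port or 636   # 636 is the default LDAPS port


def connect(url, bind_dn, bind_pw, ca_file=CA_CERT_FILE):
    """Open an LDAPS connection that verifies the server certificate and binds.

    OPT_X_TLS_NEVER (the Google Code line) skips certificate checks entirely;
    OPT_X_TLS_DEMAND fails the handshake unless the server certificate chains
    to a CA in ca_file, which is what makes the "S" meaningful.
    """
    import ldap   # python-ldap; imported here so check_server_url needs no extra deps
    host, port = check_server_url(url)
    # Global TLS options must be set before initialize() to take effect.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize('ldaps://%s:%d' % (host, port))
    conn.protocol_version = ldap.VERSION3
    conn.simple_bind_s(bind_dn, bind_pw)   # the post's "trusted binding" user
    return conn


if __name__ == '__main__':
    # Assumed bind DN and password placeholders; replace with the binding user.
    for server in CFG_EXTERNAL_AUTH_LDAP_SERVERS:
        print('using %s:%d' % check_server_url(server))
    # connect(CFG_EXTERNAL_AUTH_LDAP_SERVERS[0],
    #         'uid=[enter username],cn=users,dc=example,dc=org', '[enter password]')
```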