Older LDAP Authentication

This page documents the original way to perform LDAP authentication with EZproxy. This method is still supported, but LDAP Authentication describes a greatly enhanced method that is supported in EZProxy 3.0a GA (2004-08-02) and later.

Setup

To authenticate your users against an existing LDAP server, edit user.txt/ezproxy.usr and add a line like this:

::ldap= ldaphost.yourlib.org,uid=$U,o=yourlib,c=us

replacing ldaphost.yourlib.org with the hostname of your LDAP server, and uid=$U,o=yourlib,c=us with the appropriate bind point for authenticating your users. EZproxy will replace $U with the username provided to the login form. You may need to use "cn=$U" instead of "uid=$U" depending on the naming convention employed by your LDAP server.

Active Directory

If you are using Microsoft's Active Directory, in most instances, you can use a simpler configuration like this:

::ldap= pdc.yourlib.org,$U@ your.domain

replacing pdc.yourlib.org with the name of your Active Directory domain controller and replacing your.domain with the domain name that appears in Active Directory Users and Computers when you right-click a user, select Properties, click on the Account tab, then look at the domain name that appears on the right side of the User logon name. In some instances, the simpler:

::ldap= pdc.yourlib.org

will also work with Active Directory.

Multiple LDAP bind points

EZproxy will not search through subcontainers of your directory to locate users. If your site has multiple LDAP bind points, you can edit login.htm and loginbu.htm and add lines similar to this after the <form> tag:

Account type: <select name="auth">
<option value="d1">Student</option>
<option value="d2">Faculty</option>
</select><br>

then edit user.txt/ezproxy.usr and add lines like this:

::auth=d1,ldap=ldaphost.yourlib.org,uid=$U,ou=student,o=yourlib,c=us
::auth=d2,ldap=ldaphost.yourlib.org,uid=$U,ou=faculty,o=yourlib,c=us

Here, "d1" and "d2" are just arbitrary text that is chosen to create a link between the login form and the user.txt/ezproxy.usr file. "Student" and "Faculty" are the terms that will appear in the popup on the login form. EZproxy will only attempt to bind against ou=student or ou=faculty depending on the value of the "auth" field.

Since ldap= accepts options with commas, it must appear as the last option on any line within user.txt/ezproxy.usr. For example,

::auth=d1,ldap=ldaphost.yourlib.org,uid=$U,ou=student,o=yourlib,c=us
::ldap=ldaphost.yourlib.org,uid=$U,ou=student,o=yourlib,c=us,auth=d1

are not equivalent.