Hello List,
Did anyone find a solution for my problem with LDAP authentication? Sorry
for resending the same message, I need your help.
Problem Description:
I can't log in with the user ID; I can only do that with the full name.
I'm trying to make DSpace 151 do LDAP authentication against AD (MS 2003).
  Our LDAP directory contains users with their CN, and under the user's CN there
  are attributes (sAMAccountName, mailNickname, sn, mailaddress, ....).
  Our LDAP tree contains users like:
 DN (CN = Ahmad Ali Al-Zubi,OU=Regular Users,OU=KSU-USERS,DC=KSU,DC=LOCAL)
  Attribute: mailaddress [EMAIL PROTECTED]
  Attribute: sAMAccountName=aalzubi
  Attribute: mailNickname=aalzubi
  Attribute: givenname = ( ......................... )
  Attribute: ........
When I try to set up LDAP authentication, the only way it works
   is by setting, in the LDAP authentication settings in dspace.cfg,
  ldap.id_field = CN
  so on the DSpace login page I have to write in the field
  *Username or Email address*:Ahmad Ali Al-Zubi

As you see, this is the full name (display name), and I want people to sign in
with their usernames, not the full name (sAMAccountName or mailNickname),
  but when they try to log in with email or uid it doesn't work.
  How can I define ldap.id_field in order to do authentication using the
username (sAMAccountName or mailNickname) or mail address (attributes of
every user's CN)?
Please see the configuration I have and the logs in the attached files.
  I would be very grateful if you could help me.

-- 
Best Regards

Dr Ahmad Al-Zubi
KSU Repository Project Manager
King Saud University
Saudi Arabia
#### Stackable Authentication Methods #####

# Stack of authentication methods
#  (See org.dspace.authenticate.AuthenticationManager)
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
            org.dspace.authenticate.LDAPAuthentication                   


#### PasswordAuthentication options ####

# Only emails ending in the following domains are allowed to self-register
# Example - example.com domain : @example.com
# Example - MIT domain and all .ac.uk domains: @mit.edu, .ac.uk
# authentication.password.domain.valid = example.com

#### Example of configuring X.509 authentication
#### (to use add org.dspace.authenticate.X509Authentication to auth stack above)

## method 1, using keystore
#authentication.x509.keystore.path = /tomcat/conf/keystore
#authentication.x509.keystore.password = changeit

## method 2, using CA certificate
#authentication.x509.ca.cert = c:/dspace/config/MyClientCA.pem

## Create e-persons for unknown names in valid certificates?
#authentication.x509.autoregister = true

## Allow Certificate auth to show as a choice in chooser
# Use Messages.properties key for title
#authentication.x509.chooser.title.key=org.dspace.eperson.X509Authentication.title
#
# Identify the location of the Certificate Login Servlet.
#authentication.x509.chooser.uri=/certificate-login
        
#### Example of configuring IP-based authentication
#### (to use, add org.dspace.authenticate.IPAuthentication to auth stack above)
#
# authentication.ip.GROUPNAME = iprange[, iprange ...]
# 
# Note if the Groupname contains blanks you must escape it,
# e.g. Department\ of\ Statistics

#
# Full, partial IPs; network/netmask; network/CIDR
#
#authentication.ip.MY_UNIVERSITY = 10.1.2.3, \
#                                  13.5, \
#                                  11.3.4.5/24, \
#                                  12.7.8.9/255.255.128.0


#### LDAP Authentication Configuration Settings ####
#
# If LDAP is enabled, then new users will be able to register
# by entering their username and  password without being sent the 
# registration token. If users do not have a username and password,
# then they  can still register and login with just their email address 
# the same way they do now. 
#
# For providing any special privileges to LDAP users,
# you will still need to extend the SiteAuthenticator class to
# automatically put people who have a netid into a special
# group.  You might also want to give certain email addresses
# special privileges. Refer to the DSpace documentation for more
# information about how to do this.
# 
# It may be necessary to obtain the values of these settings from the
# LDAP server administrators as LDAP configuration will vary from server
# to server.

# This setting will enable or disable LDAP authentication in DSpace.
# With the setting off, users will be required to register and login with
# their email address.  With this setting on, users will be able to login
# and register with their LDAP user ids and passwords.
# This setting is only used by the JSPUI.
ldap.enable = true

# This is the url to the institution's ldap server. The /o=myu.edu
# may or may not be required depending on the LDAP server setup.
# A server may also require the ldaps:// protocol.
ldap.provider_url = ldap://XXXXXXXXX:389/

# This is the unique identifier field in the LDAP directory
# where the username is stored. 
ldap.id_field = CN

# This is the object context used when authenticating the
# user.  It is appended to the ldap.id_field and username. 
# For example uid=username,ou=people,o=myu.edu.  This must match 
# the LDAP server configuration.
ldap.object_context = OU=Regular Users,OU=KSU-USER,DC=KSU,DC=LOCAL

# This is the search context used when looking up a user's
# LDAP object to retrieve their data for autoregistering. 
# With ldap.autoregister turned on, when a user authenticates
# without an EPerson object, a search on the LDAP directory to
# get their name and email address is initiated so that DSpace 
# can create a EPerson object for them.  So after we have authenticated against
# uid=username,ou=people,o=byu.edu we now search in ou=people
# for filtering on [uid=username].  Often the
# ldap.search_context is the same as the ldap.object_context
# parameter.  But again this depends on each individual LDAP server
# configuration.
ldap.search_context = OU=Regular Users,OU=KSU-USER,DC=KSU,DC=LOCAL

# This is the LDAP object field where the user's email address
# is stored.  "mail" is the default and the most common for
# LDAP servers.  If the mail field is not found the username
# will be used as the email address when creating the eperson
# object.
ldap.email_field = mail

# This is the LDAP object field where the user's last name is
# stored.  "sn" is the default and is the most common for LDAP
# servers.  If the field is not found the field will be left
# blank in the new eperson object.
ldap.surname_field = sn

# This is the LDAP object field where the user's given names
# are stored.  This may not be used or set in all LDAP instances.
# If the field is not found the field will be left blank in the 
# new eperson object.
ldap.givenname_field = givenName

# This is the field where the user's phone number is stored in
# the LDAP directory.  If the field is not found the field
# will be left blank in the new eperson object.
ldap.phone_field = telephoneNumber

##### LDAP AutoRegister Settings #####

# This will turn LDAP autoregistration on or off.  With this
# on, a new EPerson object will be created for any user who
# successfully authenticates against the LDAP server when they
# first login.  With this setting off, the user
# must first register to get an EPerson object by
# entering their ldap username and password and filling out
# the forms.
webui.ldap.autoregister = true
2009-06-15 09:15:46,405 INFO  org.dspace.app.webui.servlet.LDAPServlet @ 
bestaut...@ksu.edu.sa:session_id=3C49807FA35E625DEED0803092027502:ip_addr=10.131.36.123:login:type=ldap-login
2009-06-15 09:15:46,421 INFO  org.dspace.app.webui.servlet.MyDSpaceServlet @ 
bestaut...@ksu.edu.sa:session_id=3C49807FA35E625DEED0803092027502:ip_addr=10.131.36.123:view_mydspace:
2009-06-15 09:16:34,514 INFO  org.dspace.app.webui.servlet.LogoutServlet @ 
bestaut...@ksu.edu.sa:session_id=3C49807FA35E625DEED0803092027502:ip_addr=10.131.36.123:logout:
2009-06-15 09:16:45,108 WARN  org.dspace.app.webui.servlet.LDAPServlet @ 
anonymous:session_id=3C49807FA35E625DEED0803092027502:ip_addr=10.131.36.123:ldap_authentication:type=failed_auth
 javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: 
LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
2009-06-15 09:16:45,108 INFO  org.dspace.app.webui.servlet.LDAPServlet @ 
anonymous:session_id=3C49807FA35E625DEED0803092027502:ip_addr=10.131.36.123:failed_login:netid=bestauther
2009-06-15 09:16:55,374 INFO  org.dspace.app.webui.servlet.LDAPServlet @ 
bestaut...@ksu.edu.sa:session_id=3C49807FA35E625DEED0803092027502:ip_addr=10.131.36.123:login:type=ldap
2009-06-15 09:16:55,374 INFO  org.dspace.app.webui.servlet.MyDSpaceServlet @ 
bestaut...@ksu.edu.sa:session_id=3C49807FA35E625DEED0803092027502:ip_addr=10.131.36.123:view_mydspace:
2009-06-15 09:17:04,561 INFO  org.dspace.app.webui.servlet.LogoutServlet @ 
bestaut...@ksu.edu.sa:session_id=3C49807FA35E625DEED0803092027502:ip_addr=10.131.36.123:logout:
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
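
An added example, not part of the original message and not DSpace code: it builds the bind DN the way the dspace.cfg comment describes (`ldap.id_field`, the username, then `ldap.object_context`), compares it with the entry DN quoted in the post, and decodes the `data` sub-code in the logged error 49. The function names and the sub-code table are assumptions of this example; the table lists the commonly documented Active Directory bind sub-codes.

```python
import re

# Active Directory sub-codes carried in the "data NNN" part of an
# LDAP error 49 message (general AD knowledge, not taken from the post).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def bind_dn(id_field, username, object_context):
    """DN as the dspace.cfg comment describes: id_field=username,object_context."""
    return f"{id_field}={username},{object_context}"

def same_dn(a, b):
    """Loose DN comparison: case-insensitive, ignoring spaces around '=' and ','."""
    def norm(dn):
        return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()
    return norm(a) == norm(b)

def ad_bind_failure(log_text):
    """Return (subcode, meaning) from an 'error code 49 ... data NNN' message."""
    m = re.search(r"error code 49\b.*?\bdata\s+([0-9a-fA-F]+)", log_text, re.S)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

# Values from the post. The quoted DN spells the OU "KSU-USERS" while the
# attached dspace.cfg has "KSU-USER"; the DN's spelling is used here.
ENTRY_DN = "CN = Ahmad Ali Al-Zubi,OU=Regular Users,OU=KSU-USERS,DC=KSU,DC=LOCAL"
CONTEXT = "OU=Regular Users,OU=KSU-USERS,DC=KSU,DC=LOCAL"
LOG = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
       "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]")

def report():
    """For each candidate id_field, say whether the built DN names the entry."""
    tries = [("CN", "Ahmad Ali Al-Zubi"), ("sAMAccountName", "aalzubi")]
    return [(dn, same_dn(dn, ENTRY_DN))
            for dn in (bind_dn(f, u, CONTEXT) for f, u in tries)]

if __name__ == "__main__":
    for dn, ok in report():
        print("matches entry DN" if ok else "no entry with this DN", "->", dn)
    print(ad_bind_failure(LOG))
```

Only the `CN` form reproduces the entry's DN, because `sAMAccountName` is an attribute of the entry rather than part of its DN, which is consistent with the "user not found" sub-code in the log.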
