Dear FILIPPOS,

Many thanks for your help. I haven't tried it out yet, but read it carefully and will try it when ready.

Panyarak

On Fri, Apr 9, 2021 at 2:51 PM FILIPPOS KOLOVOS <[email protected]> wrote:

> Well, OK, if you use both LDAP and Password authentication, there is
> something that you can configure and you can make it work with both
> authentication methods, but it is a bit more complicated.
> We have used the same dual configuration in our institution for many years
> now, for 3 *DSpace installations* with *two different versions (5.6 and 6.3)*.
> However, in our case we have now disabled the manual registration and users
> are *registering only via LDAP*, which is a separate server. The
> Password authentication in this case is only for old users, when the manual
> registration was still permitted.
>
> In order to make the system display the "*manual user registration*" for
> users that want to register via the DSpace instance and *NOT having their
> credentials in the LDAP Server* and also to make the system display *ONE
> login form for BOTH authentication methods* when the users try to
> connect, you have to do the following:
>
> At first let's begin with the reason that the system displays the
> "*new-user-ldap.jsp*" form when users are trying to register and also the
> "*chooser.jsp*" form when they try to login, making them choose with which
> method they wish to authenticate.
> The reason is because in the file
> */dspace/config/modules/authentication-ldap.cfg* you have enabled the
> setting *authentication-ldap.enable*, by setting it to *true*. The reason
> that the *new-user-ldap.jsp* and the *chooser.jsp* pages are displayed
> upon registering and logging in is *this setting*, which is checked
> *before* they are loaded. *You have to set this setting to false*.
>
> However, in order to make both authentication methods work, you
> will then have to go into the file */dspace/config/modules/authentication.cfg*
> and *enable both authentication methods (i.e. LDAP and
> PasswordAuthentication) as follows*. These settings for your
> installation might be enabled in the */dspace/config/local.cfg file*, so
> check if they are also there and *disable them* from one place or
> another. I recommend having them in the *authentication.cfg* file:
>
> */dspace/config/modules/authentication.cfg*
>
>     # IP-based authentication/authorization. See authentication-ip.cfg for default configuration.
>     #plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.IPAuthentication
>
>     # LDAP authentication/authorization. See authentication-ldap.cfg for default configuration.
>     plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication
>
>     # Shibboleth authentication/authorization. See authentication-shibboleth.cfg for default configuration.
>     #plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication
>
>     # X.509 certificate authentication. See authentication-x509.cfg for default configuration.
>     #plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.X509Authentication
>
>     # Authentication by Password (encrypted in DSpace's database). See authentication-password.cfg for default configuration.
>     # Enabled by default (to disable, either comment out, or define a new list of AuthenticationMethod plugins in your local.cfg)
>     plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication
>
> Now, you also have to *replace the class file*
> */dspace/webapps/jspui/WEB-INF/classes/org/dspace/app/webui/util/Authenticate.class*
> with the one I send you. This *patched class* does not display the
> *chooser.jsp* form when the users try to login, but redirects them to the
> */dspace/ldap-login page*. Then, upon their login, since you have enabled BOTH the
> authentication methods in the authentication.cfg file, it will try both of
> them in the order they are configured. If your *ldap-login* page is in a
> different location than that, then please inform me so as to send you the
> correct one. However, the default is the one I send you.
>
> Finally, since an *LDAP user* *does not have the option to change his/her
> password*, *you do not want them to be able to do that in case they have
> logged in with LDAP*, *but only with password authentication*. Also, you
> should also be able to see their netid (i.e. LDAP name) and not be able to
> change their password from the *edit-user.jsp administration page* only
> if they have registered as LDAP users. Since these textboxes and
> information depend on the *authentication-ldap.enable setting* and if it
> is false it considers all the users as *PasswordAuthentication* users,
> then you have to *tweak two additional jsp files that have to do with
> this information*.
>
> *The first has to do with the user's profile.* You do *not* want the "New
> Password" and "Confirm Password" to be displayed in the manage my profile
> of a user, *if that user is an LDAP user.* For this to work, you have to
> insert code that actually ignores the "ldap_enabled" setting in case a user
> is an LDAP user. You have to edit the file
> */dspace/webapps/jspui/register/edit-profile.jsp* and at the top tweak
> the code with the portion that I am sending you:
>
>     boolean ldap_enabled = ConfigurationManager.getBooleanProperty("authentication-ldap", "enable");
>
>     //Filippos Kolovos -- Do not check for the ldap_enabled field, since it is not enabled in the cfg file,
>     //because it leads to a different login page, which is not used.
>     //boolean ldap_eperson = (ldap_enabled && (eperson.getNetid() != null) && (eperson.getNetid().equals("") == false));
>     boolean ldap_eperson = ((eperson.getNetid() != null) && (eperson.getNetid().equals("") == false));
>
> and then some lines below, check for the "not an LDAP user" in order to
> *display the password change box*:
>
>     ....
>     ....
>     <%
>     // Only show password update section if the user doesn't use
>     // certificates
>     if ((eperson.getRequireCertificate() == false) && (ldap_eperson == false))
>     {
>     %>
>
> That will take care of the user's profile management. Then, you also have
> to edit the jsp file: */dspace/webapps/dspace-admin/eperson-edit.jsp* and
> again at the top insert the following code:
>
>     boolean ldap_enabled = ConfigurationManager.getBooleanProperty("authentication-ldap", "enable");
>
>     //Filippos Kolovos -- Do not check for the ldap_enabled field, since it is not enabled in the cfg file,
>     //because it leads to a different login page, which is not used.
>     boolean ldap_eperson = ((eperson.getNetid() != null) && (eperson.getNetid().equals("") == false));
>
> and again some lines below, *replace* the "ldap_enabled" check with
> "ldap_eperson" check, in order to *DISPLAY* to the administrator the *LDAP
> Net ID and NOT to display the reset password* for this user if he/she is
> an *LDAP user* and *vice versa* if he/she is a Password user:
>
> Around Line 128:
>
>     <% if (ldap_eperson) { %>
>     <div class="row">
>         <label class="col-md-2">LDAP NetID:</label>
>         <div class="col-md-6">
>             <input class="form-control" name="netid" size="24" value="<%=netid == null ? "" : Utils.addEntities(netid) %>" />
>         </div>
>     </div>
>     <% } %>
>
> Around Line 189:
>
>     <div class="col-md-4 btn-group">
>         <%-- <input type="submit" name="submit_save" value="Save Edits"> --%>
>         <input class="btn btn-default" type="submit" name="submit_save" value="<fmt:message key="jsp.dspace-admin.general.save"/>" />
>
>         <% // Filippos Kolovos -- Reset the password only for non-ldap users
>            if (!ldap_eperson) { %>
>         <input class="btn btn-default" type="submit" name="submit_resetpassword" value="<fmt:message key="jsp.dspace-admin.eperson-main.ResetPassword.submit"/>"/>
>         <% } %>
>         <%-- <input type="submit" name="submit_delete" value="Delete EPerson..."> --%>
>         <input class="btn btn-danger" type="submit" name="submit_delete" value="<fmt:message key="jsp.dspace-admin.general.delete"/>" />
>     </div>
>
> Then, restart tomcat and you will be good to go.
>
> I think that this does it. *Please keep a backup of any files that you
> replace in order for you to be able to go back to the previous setting.*
>
> I hope that this helps you.
>
> Best Regards,
>
> -Fk
>
> On Wed, Apr 7, 2021 at 12:40 PM Panyarak Ngamsritragul <[email protected]> wrote:
>
>> Dear FILIPPOS,
>>
>> Well, we use both LDAP and Password authentication for the instance being
>> in service.
>> At the moment, I am working on a new instance which requires only
>> Password authentication. In this case I simply commented out the LDAP
>> authentication in the local.cfg. But the problem is when clicked at new
>> user for registration, it brings up the page from the execution of
>> new-ldap-user.jsp instead of new-user.jsp. This is also true when
>> configured with both LDAP and Password authentication.
>>
>> Regards,
>> Panyarak
>>
>> On Wed, Apr 7, 2021 at 3:39 PM FILIPPOS KOLOVOS <[email protected]> wrote:
>>
>>> Dear Sir, Good morning,
>>>
>>> Could you please clarify if you wish to have LDAP authentication as well
>>> as Password authentication, or just Password authentication/registration?
>>> I am asking because there are workarounds, but different in each case.
>>>
>>> Best Regards,
>>>
>>> -Fk
>>>
>>> On Wed, Apr 7, 2021 at 6:34 AM Panyarak Ngamsritragul <[email protected]> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> In XMLUI, the UI for new user registration is quite straightforward.
>>>> This is, however, not the case in JSPUI.
>>>>
>>>> When a new user is directed to the registration page, DSpace directs
>>>> her/him to a page displayed by new-ldap-user.jsp instead of new-user.jsp.
>>>> This may cause confusion for some users, or most new users.
>>>>
>>>> For LDAP authentication, I guess the system admin would choose the
>>>> autoregister method. It is then not necessary to call new-ldap-user.jsp.
>>>>
>>>> However, for password-authentication users, it is necessary to call
>>>> new-user.jsp, not new-ldap-user.jsp.
>>>>
>>>> Is there any work around for correcting this? The dirty solution is
>>>> just copy new-user.jsp to new-ldap-user.jsp.
>>>>
>>>> Panyarak
>>>> Prince of Songkla University
>>>>
>>>> --
>>>> All messages to this mailing list should adhere to the Code of Conduct:
>>>> https://duraspace.org/about/policies/code-of-conduct/
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "DSpace Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/dspace-community/a208e1d7-ef38-4dc9-98eb-69b61fa8ad81n%40googlegroups.com.
>>>>
>>>
>
> --
> Filippos Kolovos
>
> Software Systems Analyst & Engineer
> M.Sc. (Eng.) in Data Communications
>
> Automation & Networking Department
> University of Macedonia Library
> Egnatia 156,
> 546 36 Thessaloniki, Greece
>
> E-Mail: [email protected]
> Profile: http://gr.linkedin.com/in/filipposkolovos
> Phone: +30-2310-891-826
> ----------------------------------------------
>

--
All messages to this mailing list should adhere to the Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
---
You received this message because you are subscribed to the Google Groups "DSpace Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/CAJc8HTce9rOW-a-u0uvXHm7nyrX6qru1aYWQBEc2ZeBcYAgDAg%40mail.gmail.com.
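
Added example (not part of the original thread and not DSpace code): a small Python check of the three configuration points the quoted message describes, namely that LDAP and Password authentication are both enabled in authentication.cfg (and in which order), that no second AuthenticationMethod list sits in local.cfg, and that authentication-ldap.enable is not true. The sample file contents are constructed, and treating a local.cfg value as overriding the module file is an assumption.

```python
KEY = "plugin.sequence.org.dspace.authenticate.AuthenticationMethod"
PKG = "org.dspace.authenticate."

def parse_cfg(text):
    """Return (key, value) pairs from the uncommented lines of a .cfg file."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs

def auth_methods(text):
    """Enabled AuthenticationMethod classes, in the order they are configured."""
    methods = []
    for key, value in parse_cfg(text):
        if key == KEY:  # repeated keys and comma-separated lists both add entries
            methods += [v.strip() for v in value.split(",") if v.strip()]
    return methods

def audit(authentication_cfg, ldap_cfg, local_cfg=""):
    """Return findings for the three settings the message walks through."""
    findings = []
    methods = auth_methods(authentication_cfg)
    for name in ("LDAPAuthentication", "PasswordAuthentication"):
        if PKG + name not in methods:
            findings.append(name + " is not enabled in authentication.cfg")
    if auth_methods(local_cfg):
        findings.append("AuthenticationMethod is also set in local.cfg")
    # Assumption: a value in local.cfg takes precedence over the module file.
    settings = dict(parse_cfg(ldap_cfg) + parse_cfg(local_cfg))
    if settings.get("authentication-ldap.enable", "").lower() == "true":
        findings.append("authentication-ldap.enable is true")
    return findings

# Constructed sample files, not taken from a real installation.
SAMPLE_AUTH = """\
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.IPAuthentication
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication
"""
SAMPLE_LDAP = "authentication-ldap.enable = true\n"
SAMPLE_LOCAL = KEY + " = org.dspace.authenticate.PasswordAuthentication\n"

if __name__ == "__main__":
    print(auth_methods(SAMPLE_AUTH))
    for finding in audit(SAMPLE_AUTH, SAMPLE_LDAP, SAMPLE_LOCAL):
        print("FINDING:", finding)
```

Backslash line continuations are not handled, so a list split across lines needs joining before it is passed in.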
