LDAP Authentication + DSpace 7.6 + CentOS

Hello, I can't get authentication to work in DSpace 7.6 using LDAP. I would like to describe a little of everything as I have it. All PCs are running CentOS 7. On one I have LDAP and on another I have DSpace 7.6. I should add that DSpace is at http://ip and everything works correctly (Solr, Tomcat, backend and frontend). I can log in normally with an email account, but not with an LDAP user. I would like to share the configuration I have so far and the (positive) connectivity tests of the LDAP server + user from the DSpace PC. Thank you, and let's see whether what I show you lets you help me. I have followed the official documentation throughout.
*authentication.cfg*

# LDAP authentication/authorization. See authentication-ldap.cfg for default configuration.
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication

*authentication-ldap.cfg*

#---------------------------------------------------------------#
#------------LDAP AUTHENTICATION CONFIGURATIONS-----------------#
#---------------------------------------------------------------#
# Configuration properties used by the LDAP Authentication      #
# plugin, when it is enabled.                                   #
#---------------------------------------------------------------#
#
# If LDAP is enabled, then new users will be able to register
# by entering their username and password without being sent the
# registration token. If users do not have a username and password,
# then they can still register and login with just their email address
# the same way they do now.
#
# For providing any special privileges to LDAP users,
# you will still need to extend the SiteAuthenticator class to
# automatically put people who have a netid into a special
# group. You might also want to give certain email addresses
# special privileges. Refer to the DSpace documentation for more
# information about how to do this.
#
# It may be necessary to obtain the values of these settings from the
# LDAP server administrators as LDAP configuration will vary from server
# to server.

# This setting will enable or disable LDAP authentication in DSpace.
# With the setting off, users will be required to register and login with
# their email address. With this setting on, users will be able to login
# and register with their LDAP user ids and passwords.
*authentication-ldap.enable = true*

##### LDAP AutoRegister Settings #####

# This will turn LDAP autoregistration on or off. With this
# on, a new EPerson object will be created for any user who
# successfully authenticates against the LDAP server when they
# first login. With this setting off, the user
# must first register to get an EPerson object by
# entering their ldap username and password and filling out
# the forms.
*authentication-ldap.autoregister = true*

# This is the url to the institution's ldap server. The "o=myu.edu"
# part may or may not be required depending on the LDAP server setup,
# but make sure to include the slash after domain name.
# A server may also require the ldaps:// protocol.
# Note: Prepend commas with a backslash to escape them
*authentication-ldap.provider_url = ldap://ds.intranet.despace.es*
*authentication-ldap.starttls = true*

# This is the unique identifier field in the LDAP directory
# where the username is stored.
*authentication-ldap.id_field = uid*

# This is the object context used when authenticating the
# user. It is appended to the id_field and username.
# For example uid=username,ou=people,ou=faculties,o=myu.edu. This must match
# the LDAP server configuration.
# Note: Prepend commas with a backslash to escape them
*authentication-ldap.object_context = o= ds.intranet.despace.es*

# This is the search context used when looking up a user's
# LDAP object to retrieve their data for autoregistering.
# With autoregister turned on, when a user authenticates
# without an EPerson object, a search on the LDAP directory to
# get their name and email address is initiated so that DSpace
# can create a EPerson object for them. So after we have authenticated against
# uid=username,ou=people,o=byu.edu we now search in ou=people
# for filtering on [uid=username]. Often the
# search_context is the same as the object_context
# parameter. But again this depends on each individual LDAP server
# configuration.
# Note: Prepend commas with a backslash to escape them
*authentication-ldap.search_context = o= ds.intranet.despace.es*

# This is the LDAP object field where the user's email address
# is stored. "mail" is the default and the most common for
# LDAP servers. If the mail field is not found the username
# will be used as the email address when creating the eperson
# object.
*authentication-ldap.email_field = mail*

# This is the LDAP object field where the user's last name is
# stored. "sn" is the default and is the most common for LDAP
# servers. If the field is not found the field will be left
# blank in the new eperson object.
*authentication-ldap.surname_field = sn*

# This is the LDAP object field where the user's given names
# are stored. This may not be used or set in all LDAP instances.
# If the field is not found the field will be left blank in the
# new eperson object.
*authentication-ldap.givenname_field = givenName*

# This is the field where the user's phone number is stored in
# the LDAP directory. If the field is not found the field
# will be left blank in the new eperson object.
# authentication-ldap.phone_field = telephoneNumber

##### LDAP users group #####

# If required, a group name can be given here, and all users who log in
# to LDAP will automatically become members of this group. This is useful
# if you want a group made up of all internal authenticated users.
#authentication-ldap.login.specialgroup = group-name

##### Hierarchical LDAP Settings #####

# If your users are spread out across a hierarchical tree on your
# LDAP server, you will need to search the tree to find the full DN of
# the user who is logging in.
# * If anonymous search is allowed on your LDAP server, you will need to set
#   search.anonymous = true
# * If not, you will need to specify the full DN and password of a
#   user that is allowed to bind in order to search for the users.
# * If neither search.anonymous is true, nor search.user is specified,
#   LDAP will not do the hierarchical search for a DN and will assume
#   a flat directory structure.

# This is the optional search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
# object scope : 0
# one level scope : 1
# subtree scope : 2
#authentication-ldap.search_scope = 2

# If true, the initial bind will be performed anonymously.
*authentication-ldap.search.anonymous = true*

# The full DN and password of a user allowed to connect to the LDAP server
# and search for the DN of the user trying to log in.
# Note: Prepend commas with a backslash to escape them
*authentication-ldap.search.user = 52955890c*
*authentication-ldap.search.password = C3nt0s7!*

# If your LDAP server does not hold an email address for a user, you can use
# the following field to specify your email domain. This value is appended
# to the netid in order to make an email address. E.g. a netid of 'user' and
# netid_email_domain as '@example.com' would set the email of the user
# to be 'user@example.com'
*authentication-ldap.netid_email_domain = @ds .intranet.despace.es*

# Take the left part of the groupmap value (before the ":") and look it up
# in user's full DN. If it's found, assign user to the DSpace group
# specified by the right part of the groupmap value (after the ":").
# One user may belong to multiple groups.
#authentication-ldap.login.groupmap.1 = ou=ldap-dept1:dspace-group1
#authentication-ldap.login.groupmap.2 = ou=ldap-dept2:dspace-groupA
#authentication-ldap.login.groupmap.3 = ou=ldap-dept3:dspace-groupA

# If this property is uncommented, it changes the meaning of the left part of
# the groupmap value (before the ":") as follows.
# The value of login.groupmap.attribute specifies the name of an LDAP attribute.
# If user has this attribute, look up the value of this attribute in the left
# part of the groupmap value (before the ":"). If it's found, assign user to
# the DSpace group specified by the right part of the groupmap value (after
# the ":").
#authentication-ldap.login.groupmap.attribute = group
#authentication-ldap.login.groupmap.1 = ldap-dept1:dspace-group1
#authentication-ldap.login.groupmap.2 = ldap-dept2:dspace-groupA
#authentication-ldap.login.groupmap.3 = ldap-dept3:dspace-groupA

# Enables support for StartTLS (default is false). If this flag is true be sure provider_url looks like:
# ldap://ldap.myu.edu:389
#authentication-ldap.starttls=true

-------------------------------------------------------------------------------------------------------------

*dspace/logs/dspace.cfg*

. . .

*2024-03-07 15:32:37,504 INFO unknown unknown org.dspace.authenticate.PasswordAuthentication @ anonymous::authenticate:attempting password auth of user=52955890c*
*2024-03-07 15:32:37,507 INFO unknown unknown org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=52955890c, result=4*
*2024-03-07 15:32:37,508 ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)*
org.springframework.security.authentication.BadCredentialsException: Login failed
        at org.dspace.app.rest.security.EPersonRestAuthenticationProvider.authenticateNewLogin(EPersonRestAuthenticationProvider.java:150) ~[classes/:7.6]
        at . . .
        at java.lang.Thread.run(Thread.java:833) [?:?]

*Test LDAP in DSPACE 7.6 PC*

*ldapsearch -H ldap://ds.intranet.dspace.es/ -x -b "" -s base*

dnsHostName: dscentos.DS.intranet.dspace.es
ldapServiceName: intranet.dspace.es:[email protected]
serverName: CN=DSCENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=intranet,DC=dspace,DC=es
. . .
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 6

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

*ldapsearch -H ldap://ds.intranet.dspace.es/ -x -b "" -s base -D '[email protected]' -w 'C3nt0s!'*

. . .
isGlobalCatalogReady: TRUE
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 6

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/971b8074-fcb0-4959-a91c-405b9da87b6fn%40googlegroups.com.
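The configuration in the post above, checked offline. This is an added example, not DSpace code and not from the original message: it parses the `authentication-ldap.*` keys, reports value shapes that commonly break an LDAP login (a non-DN where a DN is required, whitespace inside an RDN, an unescaped comma that DSpace's config loader would split on, StartTLS without a port in `provider_url`, both anonymous and bound search configured, whitespace in `netid_email_domain`), and shows how the plugin will locate the user by following the hierarchical-vs-flat rule stated in the file's own comments. The first inline config is reconstructed from the post with the bind password replaced by a placeholder; the second is a hypothetical AD-shaped configuration included only to show what the checker accepts, in which the `cn=svc-dspace` service account and the `sAMAccountName` id field are assumptions and the `dc=intranet,dc=dspace,dc=es` base is taken from the `serverName` in the rootDSE output above. The checker cannot tell which of anonymous and bound search the plugin prefers when both are set, so it flags the combination rather than guessing.

```python
"""Offline sanity checks for a DSpace 7 authentication-ldap.cfg (added example)."""
import re

# Reconstructed from the post above (comments dropped, password replaced).
SAMPLE_CFG = """\
authentication-ldap.enable = true
authentication-ldap.provider_url = ldap://ds.intranet.despace.es
authentication-ldap.starttls = true
authentication-ldap.id_field = uid
authentication-ldap.object_context = o= ds.intranet.despace.es
authentication-ldap.search_context = o= ds.intranet.despace.es
authentication-ldap.search.anonymous = true
authentication-ldap.search.user = 52955890c
authentication-ldap.search.password = REDACTED
authentication-ldap.netid_email_domain = @ds .intranet.despace.es
"""

# Hypothetical AD-shaped config that the checker accepts (service-account
# DN and id_field are assumptions; the dc= base is from the rootDSE above).
FIXED_CFG = """\
authentication-ldap.enable = true
authentication-ldap.provider_url = ldap://ds.intranet.dspace.es:389
authentication-ldap.starttls = true
authentication-ldap.id_field = sAMAccountName
authentication-ldap.object_context = dc=intranet\\,dc=dspace\\,dc=es
authentication-ldap.search_context = dc=intranet\\,dc=dspace\\,dc=es
authentication-ldap.search.anonymous = false
authentication-ldap.search.user = cn=svc-dspace\\,cn=Users\\,dc=intranet\\,dc=dspace\\,dc=es
authentication-ldap.search.password = REDACTED
authentication-ldap.netid_email_domain = @intranet.dspace.es
"""

PREFIX = "authentication-ldap."
_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,]+"          # one "type=value" pair
_DN_RE = re.compile(rf"^{_RDN}(,{_RDN})*$")    # pairs joined by commas


def parse_cfg(text):
    """Map short key -> raw value for authentication-ldap.* lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith(PREFIX):
            cfg[key.strip()[len(PREFIX):]] = value.strip()
    return cfg


def is_true(value):
    return (value or "").strip().lower() == "true"


def unescape(value):
    """DSpace's config loader splits on commas unless written as '\\,'."""
    return value.replace("\\,", ",")


def lookup_mode(cfg):
    """'search' (hierarchical lookup) or 'flat' (DN built from object_context),
    per the rules in the config file's own comments."""
    bound = cfg.get("search.user") and cfg.get("search.password")
    return "search" if is_true(cfg.get("search.anonymous")) or bound else "flat"


def user_dn_template(cfg, netid):
    """What the plugin will use to find this netid's entry."""
    id_field = cfg.get("id_field", "uid")
    if lookup_mode(cfg) == "search":
        return f"base={unescape(cfg.get('search_context', ''))} filter=({id_field}={netid})"
    return f"{id_field}={netid},{unescape(cfg.get('object_context', ''))}"


def lint(cfg):
    """Return (key, code) findings for value shapes that usually break login."""
    findings = []
    if not is_true(cfg.get("enable")):
        findings.append(("enable", "DISABLED"))
    url = cfg.get("provider_url", "")
    if is_true(cfg.get("starttls")):
        if url.startswith("ldaps://"):
            findings.append(("starttls", "STARTTLS_OVER_LDAPS"))
        elif not re.search(r":\d+/?$", url):   # comment says: ldap://host:389
            findings.append(("provider_url", "STARTTLS_NO_PORT"))
    for key in ("object_context", "search_context", "search.user"):
        raw = cfg.get(key)
        if raw is None or (key == "search.user" and "@" in raw):
            continue                            # AD also binds with a UPN
        if re.search(r"(?<!\\),", raw):
            findings.append((key, "UNESCAPED_COMMA"))
        dn = unescape(raw)
        if not _DN_RE.match(dn):
            findings.append((key, "NOT_A_DN"))
            continue
        if re.search(r"=\s|\s,", dn):
            findings.append((key, "SPACE_IN_RDN"))
        if "." in dn and not re.search(r"(?i)\bdc=", dn):
            findings.append((key, "DNS_NAME_IN_DN"))  # host name pasted as a DN?
    if is_true(cfg.get("search.anonymous")) and cfg.get("search.user"):
        findings.append(("search.anonymous", "AMBIGUOUS_SEARCH_MODE"))
    domain = cfg.get("netid_email_domain")
    if domain is not None and not re.fullmatch(r"@[A-Za-z0-9.-]+", domain):
        findings.append(("netid_email_domain", "BAD_EMAIL_DOMAIN"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_CFG), ("ad-shaped", FIXED_CFG)):
        cfg = parse_cfg(text)
        print(f"[{name}] mode={lookup_mode(cfg)} lookup={user_dn_template(cfg, '52955890c')}")
        for key, code in lint(cfg):
            print(f"  {PREFIX}{key}: {code}")
```

Run it against a copy of your own authentication-ldap.cfg (or local.cfg overrides) before touching the server; every finding is a shape problem visible in the file itself, so it needs no directory connection. Note that `search.password` is a real service-account credential stored in clear text in that file, so keep the file's permissions tight and treat a config pasted to a public list, as above, as a credential that needs rotating.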
