Hi Emith, did you solve the problem? I have the same problem. Below is the log when I try to log in with an LDAP user:
ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)
org.springframework.security.authentication.BadCredentialsException: Login failed
    at org.dspace.app.rest.security.EPersonRestAuthenticationProvider.authenticateNewLogin(EPersonRestAuthenticationProvider.java:150) ~[classes/:7.6.2]
    at org.dspace.app.rest.security.EPersonRestAuthenticationProvider.authenticate(EPersonRestAuthenticationProvider.java:88) ~[classes/:7.6.2]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.7.11.jar:5.7.11]
    at org.dspace.app.rest.security.StatelessLoginFilter.attemptAuthentication(StatelessLoginFilter.java:74) [classes/:7.6.2]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.11.jar:5.7.11]
    at org.dspace.app.rest.security.StatelessAuthenticationFilter.doFilterInternal(StatelessAuthenticationFilter.java:102) [classes/:7.6.2]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:132) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:221) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186) [spring-security-web-5.7.11.jar:5.7.11]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) [spring-web-5.3.34.jar:5.3.34]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179) [catalina.jar:9.0.87]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154) [catalina.jar:9.0.87]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179) [catalina.jar:9.0.87]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154) [catalina.jar:9.0.87]
    at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:96) [spring-boot-actuator-2.7.18.jar:2.7.18]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179) [catalina.jar:9.0.87]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154) [catalina.jar:9.0.87]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:126) [spring-boot-2.7.18.jar:2.7.18]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:64) [spring-boot-2.7.18.jar:2.7.18]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:101) [spring-boot-2.7.18.jar:2.7.18]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:119) [spring-boot-2.7.18.jar:2.7.18]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179) [catalina.jar:9.0.87]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154) [catalina.jar:9.0.87]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179) [catalina.jar:9.0.87]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154) [catalina.jar:9.0.87]
    at org.springframework.web.filter.ForwardedHeaderFilter.doFilterInternal(ForwardedHeaderFilter.java:156) [spring-web-5.3.34.jar:5.3.34]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.34.jar:5.3.34]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179) [catalina.jar:9.0.87]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154) [catalina.jar:9.0.87]
    at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:70) [log4j-web-2.23.1.jar:2.23.1]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179) [catalina.jar:9.0.87]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154) [catalina.jar:9.0.87]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) [catalina.jar:9.0.87]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) [catalina.jar:9.0.87]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) [catalina.jar:9.0.87]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) [catalina.jar:9.0.87]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) [catalina.jar:9.0.87]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670) [catalina.jar:9.0.87]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [catalina.jar:9.0.87]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) [catalina.jar:9.0.87]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390) [tomcat-coyote.jar:9.0.87]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) [tomcat-coyote.jar:9.0.87]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928) [tomcat-coyote.jar:9.0.87]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786) [tomcat-coyote.jar:9.0.87]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) [tomcat-coyote.jar:9.0.87]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util.jar:9.0.87]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util.jar:9.0.87]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) [tomcat-util.jar:9.0.87]
    at java.base/java.lang.Thread.run(Thread.java:840) [?:?]

On Thursday 7 March 2024 at 19:40:26 UTC+3 Emith Suárez Romero wrote:
> LDAP Authentication + Dspace 7.6 + CentOS
>
> Hello, I can't get authentication to work in Dspace 7.6 using LDAP. I would like to comment a little on everything as I have it. All PCs are running CentOS7. In one I have LDAP and in another I have Dspace7.6. Add that Dspace is http://ip and everything works correctly (Solr, Tomcat, Backend and Frontend). I can access it with email normally but not from an LDAP user. I would like to share the configurations I have so far and the (positive) connectivity tests of the ldap + user with the Dspace PC... Thank you and let's see if what I show you can help me with. I have used the official documentation all the time.
>
> *authentication.cfg*
>
> # LDAP authentication/authorization. See authentication-ldap.cfg for default configuration.
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication
>
> *authentication-ldap.cfg*
>
> #---------------------------------------------------------------#
> #------------LDAP AUTHENTICATION CONFIGURATIONS-----------------#
> #---------------------------------------------------------------#
> # Configuration properties used by the LDAP Authentication      #
> # plugin, when it is enabled.                                   #
> #---------------------------------------------------------------#
>
> #
> # If LDAP is enabled, then new users will be able to register
> # by entering their username and password without being sent the
> # registration token. If users do not have a username and password,
> # then they can still register and login with just their email address
> # the same way they do now.
> #
> # For providing any special privileges to LDAP users,
> # you will still need to extend the SiteAuthenticator class to
> # automatically put people who have a netid into a special
> # group. You might also want to give certain email addresses
> # special privileges. Refer to the DSpace documentation for more
> # information about how to do this.
> #
> # It may be necessary to obtain the values of these settings from the
> # LDAP server administrators as LDAP configuration will vary from server
> # to server.
>
> # This setting will enable or disable LDAP authentication in DSpace.
> # With the setting off, users will be required to register and login with
> # their email address. With this setting on, users will be able to login
> # and register with their LDAP user ids and passwords.
> *authentication-ldap.enable = true*
>
> ##### LDAP AutoRegister Settings #####
>
> # This will turn LDAP autoregistration on or off. With this
> # on, a new EPerson object will be created for any user who
> # successfully authenticates against the LDAP server when they
> # first login. With this setting off, the user
> # must first register to get an EPerson object by
> # entering their ldap username and password and filling out
> # the forms.
> *authentication-ldap.autoregister = true*
>
> # This is the url to the institution's ldap server. The "o=myu.edu"
> # part may or may not be required depending on the LDAP server setup,
> # but make sure to include the slash after domain name.
> # A server may also require the ldaps:// protocol.
> # Note: Prepend commas with a backslash to escape them
> *authentication-ldap.provider_url = ldap://ds.intranet.despace.es*
> *autenticación-LDAP.starttls = true*
>
> # This is the unique identifier field in the LDAP directory
> # where the username is stored.
> *authentication-ldap.id_field = uid*
>
> # This is the object context used when authenticating the
> # user. It is appended to the id_field and username.
> # For example uid=username,ou=people,ou=faculties,o=myu.edu. This must match
> # the LDAP server configuration.
> # Note: Prepend commas with a backslash to escape them
> *authentication-ldap.object_context = o= ds.intranet.despace.es*
>
> # This is the search context used when looking up a user's
> # LDAP object to retrieve their data for autoregistering.
> # With autoregister turned on, when a user authenticates
> # without an EPerson object, a search on the LDAP directory to
> # get their name and email address is initiated so that DSpace
> # can create a EPerson object for them. So after we have authenticated against
> # uid=username,ou=people,o=byu.edu we now search in ou=people
> # for filtering on [uid=username]. Often the
> # search_context is the same as the object_context
> # parameter. But again this depends on each individual LDAP server
> # configuration.
> # Note: Prepend commas with a backslash to escape them
> *authentication-ldap.search_context = o= ds.intranet.despace.es*
>
> # This is the LDAP object field where the user's email address
> # is stored. "mail" is the default and the most common for
> # LDAP servers. If the mail field is not found the username
> # will be used as the email address when creating the eperson
> # object.
> *authentication-ldap.email_field = mail*
>
> # This is the LDAP object field where the user's last name is
> # stored. "sn" is the default and is the most common for LDAP
> # servers. If the field is not found the field will be left
> # blank in the new eperson object.
> *authentication-ldap.surname_field = sn*
>
> # This is the LDAP object field where the user's given names
> # are stored. This may not be used or set in all LDAP instances.
> # If the field is not found the field will be left blank in the
> # new eperson object.
> *authentication-ldap.givenname_field = givenName*
>
> # This is the field where the user's phone number is stored in
> # the LDAP directory. If the field is not found the field
> # will be left blank in the new eperson object.
> # authentication-ldap.phone_field = telephoneNumber
>
> ##### LDAP users group #####
>
> # If required, a group name can be given here, and all users who log in
> # to LDAP will automatically become members of this group. This is useful
> # if you want a group made up of all internal authenticated users.
> #authentication-ldap.login.specialgroup = group-name
>
> ##### Hierarchical LDAP Settings #####
>
> # If your users are spread out across a hierarchical tree on your
> # LDAP server, you will need to search the tree to find the full DN of
> # the user who is logging in.
>
> # * If anonymous search is allowed on your LDAP server, you will need to set
> #   search.anonymous = true
> # * If not, you will need to specify the full DN and password of a
> #   user that is allowed to bind in order to search for the users.
> # * If neither search.anonymous is true, nor search.user is specified,
> #   LDAP will not do the hierarchical search for a DN and will assume
> #   a flat directory structure.
>
> # This is the optional search scope value for the LDAP search during
> # autoregistering. This will depend on your LDAP server setup.
> # This value must be one of the following integers corresponding
> # to the following values:
> # object scope : 0
> # one level scope : 1
> # subtree scope : 2
> #authentication-ldap.search_scope = 2
>
> # If true, the initial bind will be performed anonymously.
> *authentication-ldap.search.anonymous = true*
>
> # The full DN and password of a user allowed to connect to the LDAP server
> # and search for the DN of the user trying to log in.
> # Note: Prepend commas with a backslash to escape them
> *authentication-ldap.search.user = 52955890c*
> *authentication-ldap.search.password = C3nt0s7!*
>
> # If your LDAP server does not hold an email address for a user, you can use
> # the following field to specify your email domain. This value is appended
> # to the netid in order to make an email address. E.g. a netid of 'user' and
> # netid_email_domain as '@example.com' would set the email of the user
> # to be '[email protected]
> *authentication-ldap.netid_email_domain = @ds .intranet.despace.es*
>
> # Take the left part of the groupmap value (before the ":") and look it up
> # in user's full DN. If it's found, assign user to the DSpace group
> # specified by the right part of the groupmap value (after the ":").
> # One user may belong to multiple groups.
> #authentication-ldap.login.groupmap.1 = ou=ldap-dept1:dspace-group1
> #authentication-ldap.login.groupmap.2 = ou=ldap-dept2:dspace-groupA
> #authentication-ldap.login.groupmap.3 = ou=ldap-dept3:dspace-groupA
>
> # If this property is uncommented, it changes the meaning of the left part of
> # the groupmap value (before the ":") as follows.
> # The value of login.groupmap.attribute specifies the name of an LDAP attribute.
> # If user has this attribute, look up the value of this attribute in the left
> # part of the groupmap value (before the ":"). If it's found, assign user to
> # the DSpace group specified by the right part of the groupmap value (after
> # the ":").
> #authentication-ldap.login.groupmap.attribute = group
> #authentication-ldap.login.groupmap.1 = ldap-dept1:dspace-group1
> #authentication-ldap.login.groupmap.2 = ldap-dept2:dspace-groupA
> #authentication-ldap.login.groupmap.3 = ldap-dept3:dspace-groupA
>
> # Enables support for StartTLS (default is false). If this flag is true be sure provider_url looks like:
> # ldap://ldap.myu.edu:389
> #authentication-ldap.starttls=true
>
> -------------------------------------------------------------------------------------------------------------
>
> *dspace/logs/dspace.cfg*
>
> .
> .
> .
> *2024-03-07 15:32:37,504 INFO unknown unknown org.dspace.authenticate.PasswordAuthentication @ anonymous::authenticate:attempting password auth of user=52955890c*
> *2024-03-07 15:32:37,507 INFO unknown unknown org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=52955890c, result=4*
> *2024-03-07 15:32:37,508 ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)*
> org.springframework.security.authentication.BadCredentialsException: Login failed
>     at org.dspace.app.rest.security.EPersonRestAuthenticationProvider.authenticateNewLogin(EPersonRestAuthenticationProvider.java:150) ~[classes/:7.6]
>     at
>     .
>     .
>     .
>     at java.lang.Thread.run(Thread.java:833) [?:?]
>
> *Test LDAP in DSPACE 7.6 PC*
>
> *ldapsearch -H ldap://ds.intranet.dspace.es/ -x -b "" -s base*
>
> dnsHostName: dscentos.DS.intranet.dspace.es
> ldapServiceName: intranet.dspace.es:[email protected]
> serverName: CN=DSCENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=intranet,DC=dspace,DC=es
> .
> .
> .
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
> domainFunctionality: 6
> forestFunctionality: 6
> domainControllerFunctionality: 6
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> *ldapsearch -H ldap://ds.intranet.dspace.es/ -x -b "" -s base -D '[email protected]' -w 'C3nt0s!'*
> .
> .
> .
> isGlobalCatalogReady: TRUE
> domainFunctionality: 6
> forestFunctionality: 6
> domainControllerFunctionality: 6
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

-- 
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/811dcd26-cfac-4a14-8db7-927faee3274bn%40googlegroups.com.
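The quoted authentication-ldap.cfg comments state the rules DSpace applies: object_context is appended to id_field=username to form a DN, search.user must be a full DN, and search.anonymous and search.user are alternatives. The quoted ldapsearch output shows the directory is Active Directory with a naming context of DC=intranet,DC=dspace,DC=es. The following script is an added example for this thread, not code from DSpace or from either poster: an offline linter that checks a copy of the quoted settings against those rules before any bind is attempted. Assumptions: the list of known keys is just the keys that appear in the quoted file, the expected base and DNS domain are derived from the DC components of the rootDSE serverName, the sample config is constructed from the thread with the password replaced by a placeholder, and the DN parser handles escaped commas but not multi-valued (`+`) RDNs.

```python
"""Offline sanity checks for a DSpace authentication-ldap.cfg fragment (added example
for this thread, not DSpace code). Rules come from the comments in the quoted config
and from the DC=... naming context in the quoted rootDSE output."""
import difflib
import re
from urllib.parse import urlsplit

PREFIX = "authentication-ldap."
# Documented keys, taken only from the authentication-ldap.cfg quoted above.
KNOWN_KEYS = {"enable", "autoregister", "provider_url", "starttls", "id_field",
              "object_context", "search_context", "email_field", "surname_field",
              "givenname_field", "phone_field", "search_scope", "search.anonymous",
              "search.user", "search.password", "netid_email_domain"}
ATTR_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def parse_cfg(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def parse_dn(dn):
    """[(type, value), ...] for an RFC 4514 DN, or ValueError naming the rule broken."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} has no '='")
        attr, value = rdn.split("=", 1)
        attr = attr.strip()
        if not ATTR_TYPE_RE.match(attr):
            raise ValueError(f"bad attribute type {attr!r}")
        if not value or value[0] in " #":  # RFC 4514 s2.4: a leading space or '#' must be escaped
            raise ValueError(f"value of {attr} is empty or starts with unescaped {value[:1]!r}")
        pairs.append((attr, value))
    return pairs


def dcs(pairs):  # lower-cased DC values of a parsed DN, e.g. ['intranet', 'dspace', 'es']
    return [v.lower() for a, v in pairs if a.lower() == "dc"]


def check_config(cfg, server_name_dn):
    """Return [(code, message), ...]; server_name_dn is the rootDSE serverName."""
    findings, short = [], {}
    for key, value in cfg.items():
        if key.startswith(PREFIX):
            short[key[len(PREFIX):]] = value
        else:  # a mangled key is silently ignored; suggest the nearest documented one
            hint = difflib.get_close_matches(key.lower(), [PREFIX + k for k in KNOWN_KEYS], 1, 0.8)
            findings.append(("UNKNOWN_KEY", f"{key!r} is never read" + (f"; did you mean {hint[0]!r}?" if hint else "")))
    naming_ctx = dcs(parse_dn(server_name_dn))
    domain = ".".join(naming_ctx)
    for k in ("object_context", "search_context"):
        if k in short:
            try:
                pairs = parse_dn(short[k])
            except ValueError as err:
                findings.append(("BAD_DN", f"{k}: {err}"))
                continue
            if dcs(pairs) != naming_ctx:
                findings.append(("BASE_MISMATCH", f"{k} is not under the server's naming context {domain!r}"))
    user = short.get("search.user")
    if user is not None:
        try:
            parse_dn(user)
        except ValueError as err:
            findings.append(("BIND_USER_NOT_DN", f"search.user {user!r} is not a full DN ({err})"))
        if short.get("search.anonymous", "").lower() == "true":
            findings.append(("ANON_AND_BIND_USER", "search.anonymous=true and search.user are both set; the config comments describe them as alternatives"))
    host = (urlsplit(short.get("provider_url", "")).hostname or "").lower()
    if host and host != domain and not host.endswith("." + domain):
        findings.append(("URL_DOMAIN_MISMATCH", f"provider_url host {host!r} is not under {domain!r}"))
    return findings


# Constructed sample modelled on the settings quoted in the thread (password replaced).
SAMPLE_CFG = """\
authentication-ldap.provider_url = ldap://ds.intranet.despace.es
autenticación-LDAP.starttls = true
authentication-ldap.object_context = o= ds.intranet.despace.es
authentication-ldap.search_context = o= ds.intranet.despace.es
authentication-ldap.search.anonymous = true
authentication-ldap.search.user = 52955890c
authentication-ldap.search.password = PLACEHOLDER
"""
# serverName exactly as the rootDSE query quoted in the thread prints it.
SAMPLE_SERVER_NAME = ("CN=DSCENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
                      "CN=Configuration,DC=intranet,DC=dspace,DC=es")


def lint_sample():
    return check_config(parse_cfg(SAMPLE_CFG), SAMPLE_SERVER_NAME)


if __name__ == "__main__":
    for code, msg in lint_sample():
        print(f"{code:20} {msg}")
```

Run as a script it prints one line per finding for the sample; for a real deployment, pass `parse_cfg()` of the installed file plus the `serverName` (or `defaultNamingContext`) value returned by an anonymous rootDSE query like the one quoted above. The checks are deliberately static: they reject what the DSpace comments and RFC 4514 say cannot work, and leave credential testing to a bind performed by the administrator.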
