Patches item #2057378, was opened at 2008-08-18 11:30
Message generated for change (Comment added) made by nuncanada
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=319984&aid=2057378&group_id=19984
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Stuart Lewis (stuartlewis)
Assigned to: Nobody/Anonymous (nobody)
Summary: Hierarchical LDAP support

Initial Comment:
The attached file is a new pluggable authentication method to provide flexible support for hierarchical LDAP trees (where users are not all in the same subtree).

This patch builds upon two other patches:
- [2057231] Refactor LDAPServlet to use Stackable Authentication (this patch only supports LDAP servers to which you can anonymously bind)
- [1597831] Patch for Hierarchical LDAP plus Stackable fixes (this does not work with LDAP servers which cannot return the DN of a user as one of its attributes)

An additional feature is the ability to set a special group, of which all LDAP-authenticated users are members. This is useful for automatically creating a group of all internal users, if you need to restrict items internally where you can't rely on IP authentication.

It requires the following additions to dspace.cfg:

##### Hierarchical LDAP Settings #####
# If your users are spread out across a hierarchical tree on your
# LDAP server, you will need to use the following stackable authentication
# class:
# plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
# org.dspace.authenticate.LDAPHierarchicalAuthentication
#
# You can optionally specify the search scope. If anonymous access is not
# enabled on your LDAP server, you will need to specify the full DN and
# password of a user that is allowed to bind in order to search for the
# users.

# This is the search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
# object scope : 0
# one level scope : 1
# subtree scope : 2
#ldap.search_scope = 2

# The full DN and password of a user allowed to connect to the LDAP server
# and search for the DN of the user trying to log in.
#ldap.search.user = cn=admin,ou=people,o=myu.edut
#ldap.search.password = password

##### LDAP users group #####
# If required, a group name can be given here, and all users who log in
# to LDAP will automatically become members of this group. This is useful
# if you want a group made up of all internal authenticated users.
#ldap.login.specialgroup = group-name

----------------------------------------------------------------------

Comment By: Flavio Botelho (nuncanada)
Date: 2008-08-20 21:38

Message:
Logged In: YES
user_id=18555
Originator: NO

I tested and it's working fine. Didn't test the special groups yet.

Minor issues:
- If the admin user has a backslash in it \, it needs to be doubled in dspace.cfg. Seems to be because of the way the cfg parser works, so it would be nice to add an alert message just before that configuration.
- loginPageURL, I would prefer the stack to work by itself without the necessity for the user to choose from possible authentication mechanisms. Maybe later on put an option in the stackable configuration to ignore the loginPageURL?

Thanks a lot for the nice work :)

----------------------------------------------------------------------

Comment By: Alex Barbieri (ikandros)
Date: 2008-08-20 10:25

Message:
Logged In: YES
user_id=2167742
Originator: NO

I have done some preliminary testing of this patch. There are some issues -
1) If a user has no email on the ldap server, they will not be autoregistered (this was an issue on my server). This can be changed by commenting out line 253 and wrapping line 257 in a try/catch block for nullity.
2) The getSpecialGroups() method will put all users who can log in by any method into the "ldap.login.specialgroup" group, not just users who can authenticate with ldap. I have not found an easy way to work around this.

----------------------------------------------------------------------

_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
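The search-then-bind flow that the submission describes (bind as the configured search user, find the login name's DN wherever it sits under the base, then bind as that DN to check the password) and the special-group problem Alex reports, as an added example in Java. This is not the attached patch and not DSpace's own code; the class, method and session-attribute names and the constructed server URL are assumptions, while the 0/1/2 scope values are the ones the dspace.cfg text documents.

```java
// Added illustration, not code from the attached patch; class, method and marker names are assumed.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class HierarchicalLdapExample {
    // Session marker set only after a successful bind as the user's own DN (assumed attribute name).
    static final String SESSION_FLAG = "ldap.authenticated";
    private final String providerUrl;        // e.g. "ldaps://ldap.example.org:636" (constructed value)
    private final String searchUserDn;       // ldap.search.user; null or empty means an anonymous search
    private final String searchUserPassword; // ldap.search.password
    private final String baseDn;             // top of the tree under which the users are spread
    private final String idField;            // attribute holding the login name, e.g. "uid"
    private final int searchScope;           // 0 = object, 1 = one level, 2 = subtree (ldap.search_scope)
    public HierarchicalLdapExample(String providerUrl, String searchUserDn, String searchUserPassword,
                                   String baseDn, String idField, int searchScope) {
        this.providerUrl = providerUrl;
        this.searchUserDn = searchUserDn;
        this.searchUserPassword = searchUserPassword;
        this.baseDn = baseDn;
        this.idField = idField;
        this.searchScope = searchScope;
    }
    // Escape the RFC 4515 filter metacharacters so a login name cannot alter the search filter.
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    private Hashtable<String, String> environment(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        if (principal == null || principal.isEmpty()) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");   // anonymous bind, if the server allows it
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        return env;
    }
    // Step 1: bind as the search user and locate the one entry whose idField equals the login
    // name. Zero or several matches means the user cannot be identified, so null is returned.
    String findUserDn(String netid) throws NamingException {
        DirContext ctx = new InitialDirContext(environment(searchUserDn, searchUserPassword));
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(searchScope);           // SearchControls uses the same 0/1/2 values
            controls.setReturningAttributes(new String[0]); // only the entry's name is needed
            String filter = "(" + idField + "=" + escapeFilter(netid) + ")";
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, controls);
            String dn = null;
            while (results.hasMore()) {
                if (dn != null) return null;                // ambiguous login name
                dn = results.next().getNameInNamespace();
            }
            return dn;
        } finally {
            ctx.close();
        }
    }
    // Step 2: verify the password by binding as the user's own DN. An empty password is refused
    // up front because many servers treat it as an anonymous bind, which would appear to succeed.
    boolean authenticate(String netid, String password, HttpServletRequest request) {
        if (netid == null || netid.isEmpty() || password == null || password.isEmpty()) return false;
        try {
            String dn = findUserDn(netid);
            if (dn == null) return false;
            new InitialDirContext(environment(dn, password)).close();
            request.getSession().setAttribute(SESSION_FLAG, Boolean.TRUE);
            return true;
        } catch (NamingException e) {
            return false; // wrong password, no such entry, or server unreachable
        }
    }
    // Only a session that passed authenticate() above qualifies for ldap.login.specialgroup;
    // a user who logged in through another stacked method carries no marker and is left out.
    boolean qualifiesForSpecialGroup(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && Boolean.TRUE.equals(session.getAttribute(SESSION_FLAG));
    }
}
```

The session marker is one way to address Alex's second point: getSpecialGroups() is called for every authenticated user regardless of which stacked method let them in, so it needs a record of how this session was authenticated, and that record is only ever written by the LDAP method itself. Two smaller points follow from Flavio's comment and the submission text: dspace.cfg is read as a Java properties file, where a backslash is an escape character, which is why a backslash in the search user DN has to be doubled; and the search user should be a read-only account whose password is stored with the same care as any other credential in dspace.cfg, since it can enumerate the tree.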
