[
https://jira.duraspace.org/browse/DS-652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18316#action_18316
]
Tim Donohue commented on DS-652:
--------------------------------
Flavio,
I think this change will need more discussion amongst the
developers/committers, as it seems to be changing how the 'special groups'
feature was actually meant to work. The 'special groups' feature was
originally designed so that special groups could be added even *without
authentication*.
As a basic example, this is a feature specifically useful to Libraries who want
to provide special access rights to their walkup patrons (i.e. users who are
accessing the site directly from a Library computer). In that scenario, I know
of several institutions who want patrons at a Library computer to have special
access rights to materials in DSpace.
So, here's a more specific example:
* Suppose your DSpace installation contains several works (perhaps Theses or
  Dissertations) that are *only* accessible to people at your University.
* In DSpace, you'd create a special group called something like "University
  Users". People should be added to this group in one of several specific
  scenarios:
    (1) If the user is able to log in via your Campus authentication system
        (LDAP or similar) they should be auto-added to this special group
    (2) If someone is accessing DSpace from a specific range of IP addresses
        (e.g. a computer in your Library) they should be auto-added to this
        group *even if they are not authenticated*. This would allow your local
        users to get automatic access to research from a Library computer.
As you can see, #2 above isn't possible unless you allow people to be added to
Special Groups even if the authentication plugin didn't truly authenticate the
user.
I wonder if there may be another way around the problem you are seeing? It
looks like the LDAPAuthentication.getSpecialGroups() method is specifically
trying to make sure it doesn't add anonymous or non-LDAP users (users not
having a 'netID' stored in DSpace) to the 'ldap.login.specialgroup'. I'm
trying to determine why this doesn't seem to work in your scenario (and if it
doesn't, maybe there's a bug in the LDAPAuthentication.getSpecialGroups()
method that can fix your problem in an easier way). Perhaps we can help you
figure out a better workaround if you can describe which Authentication
plugin(s) you are using and what your configurations are in dspace.cfg for
those plugins.
> Wrong behaviour of special groups at login. Use only special groups of the
> authentication that DID authenticate the user.
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: DS-652
> URL: https://jira.duraspace.org/browse/DS-652
> Project: DSpace
> Issue Type: Bug
> Components: DSpace API
> Affects Versions: 1.6.0
> Reporter: Flávio Botelho
> Priority: Major
> Attachments: Fix_behaviour_of_autentication_specialGroups.patch
>
>
> We have internal users authenticating through LDAP. And external users are still
> able to create new users.
> Unfortunately the authentication is putting all external users created through
> the Login Authentication also in the ldap.login.specialgroup, of course that
> is not expected.
> Looking at code at AuthenticationManager it becomes clear that it is adding
> ALL the special groups of ALL the possible authentication mechanisms, which
> doesn't make any sense whatsoever...
> It should only add special groups of the authentication mechanism that DID
> authenticate the user.
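A small model of the behaviour discussed in this thread, added here as an illustration; it is not DSpace code and does not come from either poster. The class and method names, the IP prefix and the group name "LDAP Users" (standing in for the value of ldap.login.specialgroup) are assumptions.

```java
import java.util.*;

// Simplified model of stacked authentication methods that each contribute
// special groups. All names are hypothetical; this is not DSpace's API.
public class SpecialGroupsDemo {
    // netId is null for anonymous visitors and for accounts not backed by LDAP.
    record Session(String email, String netId, String clientIp) {}

    interface AuthMethod { Set<String> specialGroups(Session s); }

    // Grants a group by network location alone, so anonymous sessions qualify.
    static final AuthMethod IP_RANGE = s ->
        s.clientIp().startsWith("10.20.") ? Set.of("University Users") : Set.<String>of();

    // Grants its group only to accounts that carry an LDAP netID.
    static final AuthMethod LDAP_GUARDED = s ->
        s.netId() != null && !s.netId().isEmpty() ? Set.of("LDAP Users") : Set.<String>of();

    // Same method without the guard: every session receives the group.
    static final AuthMethod LDAP_UNGUARDED = s -> Set.of("LDAP Users");

    // The manager takes the union over every configured method, regardless of
    // which method (if any) authenticated the user.
    static Set<String> collect(List<AuthMethod> stack, Session s) {
        Set<String> groups = new TreeSet<>();
        for (AuthMethod m : stack) groups.addAll(m.specialGroups(s));
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample sessions.
        Map<String, Session> sessions = new LinkedHashMap<>();
        sessions.put("walk-up, anonymous", new Session(null, null, "10.20.3.7"));
        sessions.put("external, password", new Session("ext@example.org", null, "203.0.113.9"));
        sessions.put("staff, LDAP", new Session("staff@example.edu", "jdoe", "198.51.100.4"));

        List<AuthMethod> guarded = List.of(IP_RANGE, LDAP_GUARDED);
        List<AuthMethod> unguarded = List.of(IP_RANGE, LDAP_UNGUARDED);
        sessions.forEach((label, s) -> System.out.printf("%-20s guarded=%s unguarded=%s%n",
            label, collect(guarded, s), collect(unguarded, s)));
    }
}
```

Records need Java 16 or later. In this model the per-method guard keeps the external password account out of the LDAP group while the anonymous walk-up session still receives "University Users"; without the guard, every session ends up in the LDAP group.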