Stuart,

Thanks for the excellent pointer. The two settings I had to change were to add 
the port number and trailing slash to my ldap.provider_url and take my 
ldap.search_context up a level, allowing DSpace to search down into both 
containers. So, now I've got:

ldap.provider_url = ldap://dc1.rhodes.edu:389/

ldap.search_context = dc=rhodes,dc=edu

I'm still testing authentication from various users, but so far, it really 
works well.

Assuming that I don't find any problems, I would like to provide a write-up for 
others to follow, as Active Directory is so prevalent as an LDAP server but can 
be a tricky beast. Sometimes, it is just helpful to know that someone else has 
gotten it working, to give you the extra boost to keep trying.

Would this be something useful for the DSpace Wiki HOWTO page?

http://wiki.dspace.org/index.php/Category:HOWTO

Is the DSpace Wiki still utilized, or is something going to take its place in 
the near-future?

Stacy

-----Original Message-----
From: Stuart Lewis [mailto:s.le...@auckland.ac.nz] 
Sent: Thursday, October 15, 2009 6:48 AM
To: Pennington_Stacy
Cc: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] How to Best Configure and Use LDAPHierarchicalAuthentication

Hi Stacy,

This blog post might help with an example LDAP tree and the associated  
settings:

  - http://blog.stuartlewis.com/2008/08/18/test-ldap-service-upgraded-now-with-branches/

The specific error you are getting is related to not knowing the host 
name, as it is concatenating. I think it might be fixed by adding a 
trailing slash to the ldap.provider_url setting to separate the server 
name from the query.

Thanks,


Stuart Lewis
IT Innovations Analyst and Developer
Te Tumu Herenga The University of Auckland Library
Auckland Mail Centre, Private Bag 92019, Auckland 1142, New Zealand
Ph: 64 9 373-7599 x81928
http://www.library.auckland.ac.nz/


On 15/10/2009, at 9:03 AM, <penning...@rhodes.edu> wrote:

> One of the features I'm most looking forward to utilizing in DSpace  
> 1.5.2 is the LDAPHierarchicalAuthentication option, which I think is  
> designed to help institutions like Rhodes, which have separate LDAP  
> containers for different groups of users.
>
> Faculty and Staff are in:   cn=Users,dc=rhodes,dc=edu
> Students are in:  ou=Students,dc=rhodes,dc=edu
> Temporary Staff are in:  ou=Temp Accounts,dc=rhodes,dc=edu
>
> In DSpace 1.4.x, we used LDAP auth for our faculty and staff and  
> just created local ePerson accounts manually for students and had them  
> use their local DSpace password and email address to log in (i.e.  
> not LDAP). With 1.5.2, we would like to use the  
> LDAPHierarchicalAuthentication auth method to allow all users with  
> ePerson accounts in DSpace to log in. (In other words, we would like  
> the ability to control who can log into DSpace by creating the  
> ePerson accounts for those folks manually but letting the  
> authentication for that ePerson account happen via LDAP rather  
> than students having to use a local DSpace password.)
>
> Our LDAP server is Microsoft Active Directory, which doesn't allow  
> anonymous logins. We do have a generic LDAP search login account  
> that we use for other services to provide an authenticated account to  
> bind and search Active Directory. I tried to turn on  
> LDAPHierarchicalAuthentication by making the following changes in  
> dspace.cfg:
>
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPHierarchicalAuthentication,org.dspace.authenticate.PasswordAuthentication
>
> ldap.search_scope = 2
>
> ldap.search.user = cn=ourldapuser,cn=Users,dc=rhodes,dc=edu
>
> ldap.search.password = ourpassword
>
> ldap.netid_email_domain = @rhodes.edu
>
> With these settings, no one was able to log in via LDAP. It wasn't  
> clear if I needed to keep the main LDAP auth method  
> (org.dspace.authenticate.LDAPAuthentication) in the  
> AuthenticationMethod config statement (in the middle) or not.
>
> Does LDAPHierarchicalAuthentication use the other LDAP auth settings  
> in dspace.cfg?
>
> What is the search_scope? The number of levels down from the top  
> level that the search user will browse?
>
> Does the search LDAP user identify which container the particular  
> user that is trying to authenticate is located in and then try a  
> connection as that user with their password, now that it knows the  
> full login string for that user? Is that how it is supposed to work? 
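The following is an added worked example for readers of this thread; it is not DSpace code and not taken from any of the messages above. It models in plain Python, with no LDAP server, the two things the thread turns on: what happens to ldap.provider_url when a base DN is appended to it with and without the trailing slash Stuart mentions, and how a search-then-bind login (bind as the generic search account, find the user's DN under ldap.search_context, then bind again as that DN with the user's password) sees or misses the three containers Stacy lists depending on the base and scope. The directory entries, account names and passwords are constructed. The scope numbering (0 object, 1 one level, 2 subtree) is the JNDI SearchControls convention, assumed here to be what ldap.search_scope = 2 means; the "provider_url + search_context" concatenation follows Stuart's description rather than the DSpace source. The example also carries the one caveat a practitioner should know about this pattern: an LDAP simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2) that Active Directory answers with success, so the login code must reject empty passwords itself.

```python
DEFAULT_LDAP_PORT = 389


def split_ldap_url(url):
    """Minimal RFC 4516 split of ldap://host[:port]/dn into (host, port, dn).
    Everything between the scheme and the first '/' is the host:port, so a
    base DN appended to a URL without the trailing slash lands in the port."""
    scheme = "ldap://"
    if not url.startswith(scheme):
        raise ValueError("not an ldap:// URL: %r" % url)
    hostport, _, dn = url[len(scheme):].partition("/")
    host, _, port = hostport.partition(":")
    if not host or (port and not port.isdigit()):
        raise ValueError("cannot parse host:port from %r" % hostport)
    return host, int(port) if port else DEFAULT_LDAP_PORT, dn


def describe(provider_url, search_context):
    """Concatenate ldap.provider_url and ldap.search_context, as Stuart
    describes the failing code doing, and report what a client would see."""
    try:
        host, port, base = split_ldap_url(provider_url + search_context)
    except ValueError as exc:
        return "ERROR: %s" % exc
    return "host=%s port=%d base=%s" % (host, port, base)


# Constructed sample directory standing in for the three containers named in
# the original question. Names and passwords are made up for this example.
DIRECTORY = {
    "cn=ourldapuser,cn=Users,dc=rhodes,dc=edu": ("ourldapuser", "ourpassword"),
    "cn=jsmith,cn=Users,dc=rhodes,dc=edu": ("jsmith", "fac-pass"),
    "cn=astudent,ou=Students,dc=rhodes,dc=edu": ("astudent", "stu-pass"),
    "cn=tworker,ou=Temp Accounts,dc=rhodes,dc=edu": ("tworker", "tmp-pass"),
}


def in_scope(dn, base, scope):
    """Scopes numbered as JNDI's SearchControls does: 0 object, 1 one level,
    2 subtree. Suffix matching is enough for this constructed data; real DN
    comparison has to normalise case and whitespace first."""
    if dn == base:
        return scope in (0, 2)
    if not dn.endswith("," + base):
        return False
    depth = dn[: -len(base) - 1].count(",") + 1
    return scope == 2 or (scope == 1 and depth == 1)


def server_simple_bind(dn, password):
    """Constructed server: True on success, PermissionError on a wrong password.
    An EMPTY password is an 'unauthenticated' simple bind (RFC 4513 s5.1.2);
    Active Directory answers it with success as an anonymous bind, so success
    alone does not prove that any credential was checked."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    if entry is None or entry[1] != password:
        raise PermissionError("invalid credentials for %s" % dn)
    return True


def find_user_dn(search_user, search_pw, base, scope, netid):
    """Phase 1: bind as the generic search account (AD refuses anonymous
    searches), then look for the netid within base and scope. Exactly one
    hit is required; zero or several means the login cannot proceed."""
    server_simple_bind(search_user, search_pw)
    hits = [dn for dn, (name, _) in DIRECTORY.items()
            if in_scope(dn, base, scope) and name == netid]
    return hits[0] if len(hits) == 1 else None


def hierarchical_login(netid, password, base, scope=2,
                       search_user="cn=ourldapuser,cn=Users,dc=rhodes,dc=edu",
                       search_pw="ourpassword", reject_empty_password=True):
    """Phase 2: re-bind as the DN found in phase 1 with the user's own
    password. Returns the DN on success and None on any failure."""
    # The client must refuse an empty password itself; the server will not.
    if reject_empty_password and password == "":
        return None
    dn = find_user_dn(search_user, search_pw, base, scope, netid)
    if dn is None:
        return None
    try:
        server_simple_bind(dn, password)
    except PermissionError:
        return None
    return dn


if __name__ == "__main__":
    print(describe("ldap://dc1.rhodes.edu:389", "dc=rhodes,dc=edu"))
    print(describe("ldap://dc1.rhodes.edu:389/", "dc=rhodes,dc=edu"))
    print(hierarchical_login("astudent", "stu-pass", "cn=Users,dc=rhodes,dc=edu"))
    print(hierarchical_login("astudent", "stu-pass", "dc=rhodes,dc=edu"))
```

Run it directly to see the four verdicts: the URL without the slash fails to parse because "389dc=rhodes,dc=edu" is not a port, a student is not found when the base is cn=Users, and is found once the base is raised to dc=rhodes,dc=edu with subtree scope. With scope 1 the same student is missed again, because the user entries sit two levels below the base. Passing reject_empty_password=False shows the bypass the guard exists for: any netid that resolves to a DN logs in with an empty password.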
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech