Hello there, I have enabled the LDAP server in our institution and I also had some problems during the process.
At first you have to make sure that there's no firewall behind the LDAP server that prohibits DSpace from accessing the directory.

Secondly, to answer a question you pose below, if you need to authenticate via LDAP *only* then you do not need to use both authentication methods for that. Only the LDAP method will suffice. However, please note that enabling only the LDAP method will prohibit existing users in the DSpace database (i.e. users that have registered themselves in DSpace) from logging in in the future, since only the LDAP method will be available.

Third, the files that are actually used to authenticate in LDAP (and via password authentication) are in the directory <dspace-source-release>/dspace-api/src/main/java/org/dspace/authenticate, and they are the files LDAPAuthentication.java and PasswordAuthentication.java. Furthermore, in <dspace-source-release>/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet you will find the LDAPServlet.java file, which controls what JSP file is being displayed to the user according to the parameter ldap.enable.

Also, in the dspace.cfg file, where you edit the authentication methods, make sure to edit them *in the file* and not to paste the authentication method from an external source, since sometimes it can get somehow "corrupted" and it does not "see" that you have enabled an authentication method.

Also, in the log directory of the running instance of DSpace, e.g. /dspace/log/, the file dspace.log (or dspace.log.1, etc.) records some useful information during the LDAP authentication process that may actually point to the errors that prevent LDAP from working properly.

I hope that I have helped.

Best Regards,
-Fk

--
Filippos Kolovos
Software Systems Analyst & Engineer
M.Sc. (Eng.) in Data Communications
Automation & Networking Department
University of Macedonia Library
Egnatia 156, P.O.Box 1591
540 06 Thessaloniki, Greece
E-Mail: [email protected], [email protected]
Profile: http://www.linkedin.com/in/filipposkolovos

-----------------------------------------------------------------------
----- Original Message -----
Date: Thu, 22 Oct 2009 15:33:13 -0500
From: "Thornton, Susan M. (LARC-B702)[RAYTHEON TECHNICAL SERVICES COMPANY]" <[email protected]>
Subject: [Dspace-tech] Can't get LDAP to work in DSpace 1.5.1 - Please HELP!
To: "[email protected]" <[email protected]>
Message-ID: <03de6124b1f32240b3692ed5e591ed1604de005...@ndmsscc07.ndc.nasa.gov>
Content-Type: text/plain; charset="us-ascii"

We have been struggling for a while trying to get LDAP to work in DSpace 1.5.1 and I hope someone can help. I am new to LDAP and have followed the instructions in the doc., but something's still not right.

First, I want to make sure I understand what LDAP is supposed to do for me in DSpace:

1. If I've never been on the DSpace site before, I click on "Register", which takes me to another logon screen that prompts me to enter Userid, password, and email address. When I have entered this information, DSpace goes out to LDAP and looks for whatever parameters I have set up in the dspace.cfg file and then, based on those parameters, it tries to find me in LDAP. If it finds me, and I have autoregister turned on, I get registered and an e-person record gets added to DSpace with my appropriate netid. If it doesn't find me, I can still register by filling out all the fields (registering myself).

Or

2. If I've never been on the DSpace site before, I click on "Sign in", which takes me to the logon screen that only prompts me to enter my Userid and password. When I have entered this information, DSpace goes out to LDAP and looks for whatever parameters I have set up in the dspace.cfg file and then, based on those parameters, it tries to find me in LDAP. If it finds me, and I have autoregister turned on, I get registered and an e-person record gets added to DSpace with my appropriate netid. If it doesn't find me, I can still register by filling out all the fields (registering myself).

I downloaded an LDAP browser and here is how I find the record I want: ou=people,dc=nasa,dc=gov, filter on "agencyUID=swalkthor" to get to the record.

Here are my parameters from dspace.cfg:

#### Stackable Authentication Methods #####
# Stack of authentication methods
# (See org.dspace.authenticate.AuthenticationManager)
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
    org.dspace.authenticate.PasswordAuthentication, \
    org.dspace.authenticate.LDAPAuthentication

QUESTION: Do I need both Password and LDAP Authentication in there if I'm using LDAP to authenticate?

#### PasswordAuthentication options ####
# Only emails ending in the following domains are allowed to self-register
# Example - example.com domain : @example.com
# Example - MIT domain and all .ac.uk domains: @mit.edu, .ac.uk
# authentication.password.domain.valid = example.com
authentication.password.domain.valid = @nasa.gov, @larc.nasa.gov

** No X.509 Authentication parameters set **

#### LDAP Authentication Configuration Settings ####
ldap.enable = true

# This is the url to the institution's ldap server. The /o=myu.edu
# may or may not be required depending on the LDAP server setup.
# A server may also require the ldaps:// protocol.
#ldap.provider_url = ldap://ldap.myu.edu/o=myu.edu
ldap.provider_url = ldap://dir.larc.nasa.gov:389/

# This is the unique identifier field in the LDAP directory
# where the username is stored.
ldap.id_field = agencyUID

# This is the object context used when authenticating the
# user. It is appended to the ldap.id_field and username.
# For example uid=username,ou=people,o=myu.edu. This must match
# the LDAP server configuration.
ldap.object_context = ou=people,dc=nasa,dc=gov

# This is the search context used when looking up a user's
# LDAP object to retrieve their data for autoregistering.
# With ldap.autoregister turned on, when a user authenticates
# without an EPerson object, a search on the LDAP directory to
# get their name and email address is initiated so that DSpace
# can create a EPerson object for them. So after we have authenticated against   <== I don't understand what this is saying
# uid=username,ou=people,o=byu.edu we now search in ou=people
# for filtering on [uid=username]. Often the
# ldap.search_context is the same as the ldap.object_context
# parameter. But again this depends on each individual LDAP server
# configuration.
##ldap.search_context = ou=people
ldap.search_context = ou=people,dc=nasa,dc=gov

# This is the LDAP object field where the user's email address
# is stored. "mail" is the default and the most common for
# LDAP servers. If the mail field is not found the username
# will be used as the email address when creating the eperson
# object.
#ldap.email_field = mail
ldap.email_field = mail

# This is the LDAP object field where the user's last name is
# stored. "sn" is the default and is the most common for LDAP
# servers. If the field is not found the field will be left
# blank in the new eperson object.
#ldap.surname_field = sn
ldap.surname_field = sn

# This is the LDAP object field where the user's given names
# are stored. This may not be used or set in all LDAP instances.
# If the field is not found the field will be left blank in the
# new eperson object.
#ldap.givenname_field = givenName
ldap.givenname_field = givenName

# This is the field where the user's phone number is stored in
# the LDAP directory. If the field is not found the field
# will be left blank in the new eperson object.
#ldap.phone_field = telephoneNumber
ldap.phone_field = telephoneNumber

##### LDAP AutoRegister Settings #####
# This will turn LDAP autoregistration on or off. With this
# on, a new EPerson object will be created for any user who
# successfully authenticates against the LDAP server when they
# first login. With this setting off, the user
# must first register to get an EPerson object by
# entering their ldap username and password and filling out
# the forms.
#webui.ldap.autoregister = false
webui.ldap.autoregister = true

I've tried a zillion different varieties of parameters in the Ldap fields, to no avail.

Another thing - which program actually authenticates against LDAP? LdapServlet.java or RegisterServlet.java? The reason I ask is that the code appears to be a bit different in LdapServlet.java, with no checking of attributes.

Finally - if, when using an LDAP browser with the following parameters, my record is found.

[inline screenshot of the LDAP browser search settings, not included in the archived message]

I'm thinking part of our problem might be that our LDAP directory is structured differently from most, and the reason I say this is: look at the DN above on the screenshot. After I keyed in the Search Settings (the Search DN and filter), what's showing under DN is employeenumber=999999999,ou=people,dc=nasa,dc=gov. But the user enters userid (our field in LDAP is agencyUID) on the DSpace screen, NOT employeenumber.

If anyone can help us with this, I'd really appreciate it!!!

Best regards,
Sue Walker-Thornton

Sue Walker-Thornton
ConITS Contract
NASA Langley Research Center
Integrated Library Systems Application & Database Administrator
130 Research Drive
Hampton, VA 23666
Office: (757) 224-4074
Fax: (757) 224-4001
Pager: (757) 988-2547
Email: [email protected]
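The reply above recommends two things that can be checked offline before touching the directory: that the authentication stack in dspace.cfg really contains what you think it does (no invisible characters from a paste), and that the DN DSpace builds from ldap.id_field, the username and ldap.object_context (the rule the dspace.cfg comments quoted in the original message describe) corresponds to the DN the LDAP browser shows for the same entry. The Python script below is an added example written for this thread; it is not DSpace code and was not posted by either participant. Function names (parse_dspace_cfg, audit, bind_dn, search_filter and so on) are mine, the config text is a constructed copy of the settings quoted above with the comments trimmed, and the DN/filter escaping follows RFC 4514 and RFC 4515. It does not connect to any server; it only reports what it finds in the configuration.

```python
# Added example, not DSpace code: offline checks for the dspace.cfg LDAP settings.
# Parses a Java-properties style file with backslash line continuations, flags
# hidden characters in the authentication stack, builds the bind DN and search
# filter as the dspace.cfg comments describe, and compares the DN with the one
# an LDAP browser showed for the entry. Names below are my own.

AUTH_KEY = "plugin.sequence.org.dspace.authenticate.AuthenticationMethod"
LDAP_METHOD = "org.dspace.authenticate.LDAPAuthentication"
PASSWORD_METHOD = "org.dspace.authenticate.PasswordAuthentication"

# Constructed copy of the settings quoted in the thread (comments trimmed).
CFG_TEXT = """\
#### Stackable Authentication Methods #####
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \\
    org.dspace.authenticate.PasswordAuthentication, \\
    org.dspace.authenticate.LDAPAuthentication

ldap.enable = true
ldap.provider_url = ldap://dir.larc.nasa.gov:389/
ldap.id_field = agencyUID
ldap.object_context = ou=people,dc=nasa,dc=gov
"""

# DN the LDAP browser displayed for the record found with agencyUID=swalkthor.
BROWSER_DN = "employeenumber=999999999,ou=people,dc=nasa,dc=gov"


def _logical_lines(text):
    """Yield key=value lines with Java-properties backslash continuations joined."""
    buf = None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is None:
            if not line or line[0] in "#!":
                continue  # blank line or comment
            buf = line
        else:
            buf += line  # continuation: leading whitespace is dropped
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def parse_dspace_cfg(text):
    """Return {key: value} for a dspace.cfg-style properties file."""
    props = {}
    for line in _logical_lines(text):
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def auth_stack(props):
    return [m.strip() for m in props.get(AUTH_KEY, "").split(",") if m.strip()]


def suspicious_chars(value):
    """Control or non-ASCII characters (NBSP, zero-width space, ...) hidden in a value."""
    return sorted({c for c in value if ord(c) < 32 or ord(c) > 126})


def escape_dn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 rules)."""
    last = len(value) - 1
    return "".join(
        "\\" + c if c in '\\,+"<>;=' or (c == "#" and i == 0) or (c == " " and i in (0, last)) else c
        for i, c in enumerate(value)
    )


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def bind_dn(props, username):
    """DN as the dspace.cfg comments describe it: <id_field>=<username>,<object_context>."""
    return f"{props['ldap.id_field']}={escape_dn_value(username)},{props['ldap.object_context']}"


def search_filter(props, username):
    return f"({props['ldap.id_field']}={escape_filter_value(username)})"


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN, lowercased ('employeenumber=...' -> 'employeenumber')."""
    return dn.split("=", 1)[0].strip().lower()


def audit(props, username, found_dn):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    bad = suspicious_chars(props.get(AUTH_KEY, ""))
    if bad:
        findings.append("hidden characters in authentication stack: "
                        + ", ".join(f"U+{ord(c):04X}" for c in bad))
    stack = auth_stack(props)
    if LDAP_METHOD not in stack:
        findings.append("LDAPAuthentication is not in the authentication stack")
    if PASSWORD_METHOD not in stack:
        findings.append("PasswordAuthentication is absent: locally registered EPersons cannot log in")
    if rdn_attribute(found_dn) != props["ldap.id_field"].lower():
        findings.append(f"constructed bind DN '{bind_dn(props, username)}' names the entry by "
                        f"'{props['ldap.id_field']}', but the directory names it by "
                        f"'{rdn_attribute(found_dn)}' ({found_dn})")
    return findings


if __name__ == "__main__":
    cfg = parse_dspace_cfg(CFG_TEXT)
    print("bind DN:      ", bind_dn(cfg, "swalkthor"))
    print("search filter:", search_filter(cfg, "swalkthor"))
    for finding in audit(cfg, "swalkthor", BROWSER_DN):
        print("finding:", finding)
```

Run against the quoted settings, the script reports that the DN it would build (agencyUID=swalkthor,ou=people,dc=nasa,dc=gov) names the entry by a different attribute than the DN the browser displayed, which is the observation the original message ends on. Pasting the authentication stack from elsewhere and then running the same audit shows the second use: a non-breaking space hidden in the value is reported as U+00A0 even though it is invisible in an editor. The RFC 4514/4515 escaping is there because the username is user-supplied input that ends up inside a DN and a filter; escaping it is the standard mitigation against that input changing the meaning of either string.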

