Hi Sue,

Try using LDAPHierarchicalAuthentication instead as your authentication method, as that is how it works. It is designed to first bind using a pre-configured set of credentials, find the DN of the user (typically because it is down a few branches in the tree somewhere), unbind, and then re-bind using the user's DN.

Further details and a sample config are at http://blog.stuartlewis.com/2008/08/18/test-ldap-service-upgraded-now-with-branches/

Thanks,

Stuart

________________________________________
From: Thornton, Susan M. (LARC-B702)[RAYTHEON TECHNICAL SERVICES COMPANY] [[email protected]]
Sent: Wednesday, 28 October 2009 3:57 a.m.
To: Mark H. Wood; [email protected]
Subject: Re: [Dspace-tech] Can't get LDAP to work in DSpace 1.5.1 - Please HELP!

Hi Mark,

I see what you're saying. I'm going to try to change LDAPServlet.java to get it to do exactly what you're suggesting. Will let you know what happens!

Thanks a bunch,
Sue

-----Original Message-----
From: Mark H. Wood [mailto:[email protected]]
Sent: Tuesday, October 27, 2009 9:22 AM
To: [email protected]
Subject: Re: [Dspace-tech] Can't get LDAP to work in DSpace 1.5.1 - Please HELP!

On Mon, Oct 26, 2009 at 08:36:46AM -0500, Thornton, Susan M. (LARC-B702)[RAYTHEON TECHNICAL SERVICES COMPANY] wrote:
> We are getting error:
>
> 32 LDAP_NO_SUCH_OBJECT 20 No such object The specified object does not exist in the directory.
>
> I put some displays in LDAPServlet.java and here is what I'm getting when I try to enter my username (it's in a field called "agencyUID"):
>
> 2009-10-26 09:28:22,278 INFO org.dspace.app.webui.servlet.LDAPServlet @ anonymous:session_id=567AE3ACFD839A70BE84ED443557B907:ip_addr=xxxxxxxxxx:login:type=ldap,netid=suethorn
>
> 2009-10-26 09:28:22,302 INFO org.dspace.app.webui.servlet.LDAPServlet @ anonymous:session_id=567AE3ACFD839A70BE84ED443557B907:ip_addr=xxxxxxxxxx:display:security_principal=ou=people,dc=nasa,dc=gov

If this (security_principal=ou=people,dc=nasa,dc=gov) means what I think it means, then I'm not surprised at the No Such Object. I doubt that an OU can be a security principal. I would have expected "security_principal=agencyUID=suethorn,ou=people,dc=nasa,dc=gov".

But from your earlier note, I suspect that authentication will require a security_principal like "employeenumber=NNNNNNN,ou=people,dc=nasa,dc=gov" and DSpace would have to look up the user account's DN by searching the context for agencyUID=... and then authenticating the password and the result of that search. Your directory administrator should be able to give you a definitive statement on what is required for authentication.

If you must look up the DN using another attribute, you may have to have an authenticated binding to the directory first in order to be permitted to search. That is, the sequence of directory operations would be:

1. Bind using a fixed (DN, password) pair allocated for looking up users. Let's call this DistinguishedName "DN1".
2. Search the context for an account with the presented attribute (agencyUID) and requesting the DistinguishedName. Call the returned object's DN "DN2".
3. Unbind.
4. Bind again using (DN2, user-entered password). Log the DSpace session in as the presented user if this succeeds.
5. Unbind.

We don't actually use LDAP with DSpace here -- I've used it in other applications -- so I don't know whether it can carry out this sequence, but it should not be difficult or lengthy to adapt the existing authenticator if required.

> 2009-10-26 09:28:22,311 INFO org.dspace.app.webui.servlet.LDAPServlet @ anonymous:session_id=567AE3ACFD839A70BE84ED443557B907:ip_addr=xxxxxxxxxx:login:type=ldap_search_context=ou=people,dc=nasa,dc=gov
>
> 2009-10-26 09:28:22,311 WARN org.dspace.app.webui.servlet.LDAPServlet @ anonymous:session_id=567AE3ACFD839A70BE84ED443557B907:ip_addr=xxxxxxxxxx:ldap_authentication:type=failed_auth
> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
>
> This is a critical project we should have had implemented weeks ago...and we're at a loss so any help you can provide would really be appreciated. I've tried everything I know to try.
>
> One last question - should I be able to see where the password is stored through the ldap browser? I don't see an actual password field there.

The directory administrator probably won't let you fetch any form of the password, as that would tend to compromise security. Depending on how the directory is set up, it may not even store the passwords itself, but rather pass them through to an authentication service or act as authentication proxy working against such a service (such as Kerberos). Even if the directory does store passwords, it's most likely configured to prevent you seeing even their existence, since it can test the user's credentials and return success/failure without revealing password hashes and that's all it is required to do.

--
Mark H. Wood, Lead System Programmer
[email protected]
Friends don't let friends publish revisable-form documents.

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
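The five-step sequence Mark lays out (bind as DN1, search for DN2, unbind, bind as DN2 with the user's password, unbind), written out as an added example in JNDI, the API LDAPServlet is built on. This is illustration code, not code from the thread, from DSpace or from LDAPHierarchicalAuthentication; the server URL, lookup account DN and password, search base and attribute name are placeholder assumptions. It also shows the two checks a practitioner would want around that sequence: the user-supplied id is escaped before it is placed in the search filter, and an empty password is rejected before step 4, because a simple bind with an empty password is an anonymous bind on many servers and would otherwise "succeed".

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-then-bind ("hierarchical") LDAP authentication:
 *   1. bind as DN1 (a fixed lookup account)
 *   2. search the base for the entry whose ID_FIELD matches the presented id, keep its DN (DN2)
 *   3. unbind
 *   4. bind as DN2 with the user-entered password
 *   5. unbind
 * All constants below are placeholders (assumed values, not any real configuration).
 */
public class HierarchicalLdapAuth {
    private static final String PROVIDER_URL    = "ldaps://ldap.example.org:636";           // placeholder
    private static final String LOOKUP_DN1      = "cn=dspace-lookup,ou=services,dc=example,dc=org"; // placeholder
    private static final String LOOKUP_PASSWORD = "change-me";                              // placeholder
    private static final String SEARCH_BASE     = "ou=people,dc=example,dc=org";            // placeholder
    private static final String ID_FIELD        = "agencyUID";                              // assumed attribute

    private static Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        return env;
    }

    /** Escape a user-supplied value for use inside an LDAP search filter (RFC 4515 rules). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Steps 1-3: bind as DN1, look up DN2, unbind. Returns null unless exactly one entry matches. */
    static String lookupUserDn(String netid) throws NamingException {
        Hashtable<String, String> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, LOOKUP_DN1);
        env.put(Context.SECURITY_CREDENTIALS, LOOKUP_PASSWORD);
        DirContext ctx = new InitialDirContext(env);          // step 1: bind as DN1
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);  // the user may sit a few branches down
            sc.setReturningAttributes(new String[0]);          // only the DN is needed
            String filter = "(" + ID_FIELD + "=" + escapeFilterValue(netid) + ")";
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, sc); // step 2
            String dn = null;
            while (results.hasMore()) {
                SearchResult r = results.next();
                if (dn != null) {
                    return null;                              // ambiguous match: refuse rather than guess
                }
                dn = r.getNameInNamespace();                  // full DN of the matching entry (DN2)
            }
            return dn;
        } finally {
            ctx.close();                                      // step 3: unbind
        }
    }

    /** Steps 4-5: bind as DN2 with the user-entered password, then unbind. */
    static boolean authenticate(String netid, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            return false;   // an empty password would be an anonymous bind, not an authentication
        }
        String userDn = lookupUserDn(netid);
        if (userDn == null) {
            return false;   // no such user (or ambiguous); same outcome as a wrong password
        }
        Hashtable<String, String> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, userDn);          // DN2, never the search base
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();               // step 4 bind, step 5 unbind
            return true;
        } catch (AuthenticationException e) {                 // LDAP error code 49: invalid credentials
            return false;
        }
    }
}
```

Note how the security principal in step 4 is the DN returned by the search, not the search base; binding with the base DN itself is what produces the "error code 32 - No Such Object" seen in Sue's log, since an OU is not an account. Failures in lookup and in the password bind both return plain false so the login form does not reveal which of the two failed.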

