Hi Stuart,
With the documentation on your blog, I was able to get anonymous bind
working so that we don't have to use a preconfigured set of credentials. What
a relief!! Thanks Stuart, Mark, and to everyone else who offered their help on
this issue!!
Best,
Sue
-----Original Message-----
From: Stuart Lewis [mailto:[email protected]]
Sent: Tuesday, October 27, 2009 2:08 PM
To: Thornton, Susan M. (LARC-B702)[RAYTHEON TECHNICAL SERVICES COMPANY];
[email protected]
Subject: RE: [Dspace-tech] Can't get LDAP to work in DSpace 1.5.1 - Please HELP!
Hi Sue,
Try using LDAPHeirarchicalAuthentication instead as your authentication method,
as that is how it works. It is designed to first bind using a pre-configured
set of credentials, find the DN of the user (typically because it is down a few
branches in the tree somewhere), unbind, and then re-bind using the user's DN.
Further details and a sample config are at
http://blog.stuartlewis.com/2008/08/18/test-ldap-service-upgraded-now-with-branches/
Thanks,
Stuart
________________________________________
From: Thornton, Susan M. (LARC-B702)[RAYTHEON TECHNICAL SERVICES COMPANY]
[[email protected]]
Sent: Wednesday, 28 October 2009 3:57 a.m.
To: Mark H. Wood; [email protected]
Subject: Re: [Dspace-tech] Can't get LDAP to work in DSpace 1.5.1 - Please HELP!
Hi Mark,
I see what you're saying. I'm going to try to change LDAPServlet.java to
get it to do exactly what you're suggesting. Will let you know what
happens!
Thanks a bunch,
Sue
-----Original Message-----
From: Mark H. Wood [mailto:[email protected]]
Sent: Tuesday, October 27, 2009 9:22 AM
To: [email protected]
Subject: Re: [Dspace-tech] Can't get LDAP to work in DSpace 1.5.1 - Please HELP!
On Mon, Oct 26, 2009 at 08:36:46AM -0500, Thornton, Susan M.
(LARC-B702)[RAYTHEON TECHNICAL SERVICES COMPANY] wrote:
> We are getting error:
>
> 32 LDAP_NO_SUCH_OBJECT 20 No such object The specified object
> does not exist in the directory.
>
> I put some displays in LDAPServlet.java and here is what I'm getting when I
> try to enter my username (it's in a field called "agencyUID"):
>
> 2009-10-26 09:28:22,278 INFO org.dspace.app.webui.servlet.LDAPServlet @
> anonymous:session_id=567AE3ACFD839A70BE84ED443557B907:ip_addr=xxxxxxxxxx:login:type=ldap,netid=suethorn
>
> 2009-10-26 09:28:22,302 INFO org.dspace.app.webui.servlet.LDAPServlet @
> anonymous:session_id=567AE3ACFD839A70BE84ED443557B907:ip_addr=xxxxxxxxxx:display:security_principal=ou=people,dc=nasa,dc=gov
If this ^^^^^^^^^^^^^^^^^^ means what I think it means, then I'm not
surprised at the No Such Object. I doubt that an OU can be a security
principal. I would have expected
"security_principal=agencyUID=suethorn,ou=people,dc=nasa,dc=gov". But
from your earlier note, I suspect that authentication will require a
security_principal like
"employeenumber=NNNNNNN,ou=people,dc=nasa,dc=gov" and DSpace would
have to look up the user account's DN by searching the context for
agencyUID=... and then authenticating the password and the result of
that search. Your directory administrator should be able to give you
a definitive statement on what is required for authentication.
If you must look up the DN using another attribute, you may have to
have an authenticated binding to the directory first in order to be
permitted to search. That is, the sequence of directory operations
would be:
1. Bind using a fixed (DN, password) pair allocated for looking up
users. Let's call this DistinguishedName "DN1".
2. Search the context for an account with the presented attribute
(agencyUID) and requesting the DistinguishedName. Call the
returned object's DN "DN2".
3. Unbind.
4. Bind again using (DN2, user-entered password). Log the DSpace
session in as the presented user if this succeeds.
5. Unbind.
We don't actually use LDAP with DSpace here -- I've used it in other
applications -- so I don't know whether it can carry out this
sequence, but it should not be difficult or lengthy to adapt the
existing authenticator if required.
> 2009-10-26 09:28:22,311 INFO org.dspace.app.webui.servlet.LDAPServlet @
> anonymous:session_id=567AE3ACFD839A70BE84ED443557B907:ip_addr=xxxxxxxxxx:login:type=ldap_search_context
> =ou=people,dc=nasa,dc=gov
>
> 2009-10-26 09:28:22,311 WARN org.dspace.app.webui.servlet.LDAPServlet @
> anonymous:session_id=567AE3ACFD839A70BE84ED443557B907:ip_addr=xxxxxxxxxx:ldap_authentication:type=failed_auth
> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
>
> This is a critical project we should have had implemented weeks ago...and
> we're at a loss so any help you can provide would really be appreciated.
> I've tried everything I know to try. One last question - should I be able to
> see where the password is stored thru the ldap browser? I don't see an
> actual password field there.
The directory administrator probably won't let you fetch any form of
the password, as that would tend to compromise security. Depending on
how the directory is set up, it may not even store the passwords
itself, but rather pass them through to an authentication service or
act as authentication proxy working against such a service (such as
Kerberos). Even if the directory does store passwords, it's most
likely configured to prevent you seeing even their existence, since it
can test the user's credentials and return success/failure without
revealing password hashes and that's all it is required to do.
--
Mark H. Wood, Lead System Programmer [email protected]
Friends don't let friends publish revisable-form documents.
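As an added example that is not part of this thread or of DSpace's own code: the five-step bind/search/unbind/rebind sequence Mark lays out, written in Python against a constructed in-memory stand-in for the directory (the DNs, attribute values and passwords are invented; real DSpace does this through JNDI). It also reproduces the error 32 from binding with the OU alone, refuses the empty-password case, and escapes the login-form value before it goes into the search filter.

```python
class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server: {DN: (attributes, password)}."""
    def __init__(self, entries):
        self.entries, self.bound_as = entries, None

    def bind(self, dn, password):
        """Return None on success, else the error text a real server reports."""
        if dn not in self.entries:              # e.g. binding with the OU alone
            return "LDAP: error code 32 - No Such Object"
        if self.entries[dn][1] != password:
            return "LDAP: error code 49 - Invalid Credentials"
        self.bound_as = dn

    def unbind(self):
        self.bound_as = None

    def search(self, base, filt):
        if self.bound_as is None:               # searching needs an authenticated bind first
            raise PermissionError("LDAP: error code 50 - Insufficient Access Rights")
        attr, _, wanted = filt[1:-1].partition("=")   # filt has the form (attr=value)
        return [dn for dn, (attrs, _) in self.entries.items()
                if dn.endswith("," + base) and escape_filter_value(attrs.get(attr, "")) == wanted]

def escape_filter_value(value):
    """RFC 4515 escaping, so a value typed into the login form cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def hierarchical_auth(directory, lookup_dn, lookup_pw, base, id_attr, netid, password):
    """Steps 1-5 from the thread: bind as DN1, search for DN2, unbind, rebind as DN2, unbind."""
    if not password:   # an empty-password bind is an anonymous bind; never count it as a login
        return None
    if directory.bind(lookup_dn, lookup_pw):             # 1. fixed lookup credentials (DN1)
        raise RuntimeError("lookup bind failed: check the configured DN1 credentials")
    filt = "(%s=%s)" % (id_attr, escape_filter_value(netid))
    matches = directory.search(base, filt)               # 2. find the account's DN (DN2)
    directory.unbind()                                   # 3.
    if len(matches) != 1:                                # no match, or ambiguous: refuse
        return None
    ok = directory.bind(matches[0], password) is None    # 4. rebind with the user's own DN
    directory.unbind()                                   # 5.
    return matches[0] if ok else None

# Constructed sample data: account DNs use employeenumber, the login form supplies agencyUID.
BASE = "ou=people,dc=example,dc=org"
LOOKUP_DN = "cn=dspace-lookup,ou=services,dc=example,dc=org"
DIRECTORY = FakeDirectory({
    LOOKUP_DN: ({}, "lookup-secret"),
    "employeenumber=1234567," + BASE: ({"agencyUID": "jdoe"}, "correct horse"),
})
```

Calling `hierarchical_auth(DIRECTORY, LOOKUP_DN, "lookup-secret", BASE, "agencyUID", "jdoe", "correct horse")` returns the account DN, while a wrong password, an empty password, an unknown netid, or a wildcard such as `*` typed as the netid all return None.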
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech