Hi again --
This appears to be working now -- I needed to set search.anonymous to "true"
and search_scope to 2 in the authentication-ldap.cfg file, and then it smartened
right up.
Thanks for the clues. I'm not actually sure I want to go with anonymous
searchability, for other reasons, but now I have a working fall-back, and can
start tightening up the controls.
________________________________
From: Clive Gould <[email protected]>
Sent: Monday, September 16, 2013 5:36 AM
To: [email protected] Tech; Reid, Andrew C.E.
Subject: Re: [Dspace-tech] LDAP auto-registration -- what am I missing?
Hi
You might find the information in my blog helpful
http://dspacebromley.blogspot.co.uk/2009/04/dspace-installation-procedure-on-centos.html
Bear in mind it refers to an older version of DSpace so some of the LDAP
settings e.g. special groups have changed
Good luck
Clive
Date: Sun, 15 Sep 2013 23:14:29 +0200
From: helix84 <[email protected]>
Subject: Re: [Dspace-tech] LDAP auto-registration -- what am I missing?
To: Andrew Reid <[email protected]>
Cc: dspace-tech <[email protected]>
On Fri, Sep 13, 2013 at 9:56 PM, Andrew Reid <[email protected]> wrote:
> The fact that the authentication succeeds makes me think I'm
> not too far off. I don't think I've typo'd any of the field
> names on either side. Is there some subtlety in the permissions
> that I'm missing? Does this work for other people?
Hi Andrew,
yes, that sounds like a permissions "problem" on the side of your LDAP
server. I'd say that once your user successfully authenticates, he's
not allowed to read his own attributes (name, surname, ...) and thus
DSpace stores null.
Do try to log in using some LDAP client (e.g. ldapsearch or a GUI
client like Apache Directory Studio) using the same user's credentials
and see if you can read the values of his attributes.
> I'm not doing hierarchical authentication, should I be?
If you can verify that the problem is what I say it is, you can fix it
on the LDAP server side by giving all users permission to read their
attributes (at least those that DSpace needs).
While you could have one special LDAP account that has read
permissions to all the other accounts and use it to retrieve the
attribute values, this is not how the code in DSpace currently works.
Even if you enable hierarchical auth (which you otherwise don't need -
because the authentication itself works for you), DSpace will still
use the actual user's account to retrieve its attributes, not the
search.user account.
Regards,
~~helix84
Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
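
The check suggested in the reply above (bind as the affected user and see whether that user can read their own attributes) can be scripted. This is an added example, not part of any message in the thread and not DSpace code: it reads the LDIF that ldapsearch prints and lists which wanted attributes came back missing or empty. The attribute names, host name, DNs and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Attributes to check. mail, givenName and sn are assumed here;
# substitute the fields your DSpace LDAP configuration maps.
WANTED="mail givenName sn"

# Feed this LDIF from a base-scope search bound as the affected user, e.g.
#   ldapsearch -x -H ldap://ldap.example.edu -D "$USER_DN" -W \
#       -b "$USER_DN" -s base $WANTED
# (host name and USER_DN are placeholders).
unreadable_attrs() {
    awk -v wanted="$WANTED" '
        BEGIN { n = split(wanted, w, " ") }
        /^#/  { cur = ""; next }                 # LDIF comment
        /^ /  { if (cur != "") val[cur] = val[cur] substr($0, 2); next }  # folded value
        {
            cur = ""
            i = index($0, ":")
            if (i == 0) next                     # blank or malformed line
            name = tolower(substr($0, 1, i - 1))
            sub(/;.*/, "", name)                 # drop options such as ;lang-en
            v = substr($0, i + 1)
            sub(/^[:<]?[ \t]*/, "", v)           # plain, "::" base64 or ":<" URL value
            cur = name
            val[name] = val[name] v
        }
        END {
            for (k = 1; k <= n; k++)
                if (val[tolower(w[k])] == "") print w[k]
        }'
}

# Constructed sample: the bind worked and the entry is visible, but the ACL
# hides every attribute from the user (the case described in the thread).
sample_denied() {
    cat <<'EOF'
# jdoe, people, example.edu
dn: uid=jdoe,ou=people,dc=example,dc=edu
EOF
}

# Constructed sample: mail (folded) and givenName readable, sn withheld.
sample_partial() {
    cat <<'EOF'
dn: uid=jdoe,ou=people,dc=example,dc=edu
mail: jdoe@exam
 ple.edu
givenName;lang-en:: SmFuZQ==
EOF
}
```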