I've ranted in the past about the ldap Authentication code. There is in
my view conflict in anonymous access and having priviledged or root LDAP
access. Most people don't have that kind of access and it has to be
challenge response. That is make an LDAP request as a user and supply a
password and then get only the LDAP information for that user. Sort of a
privacy thing.
In the current version LDAP field contents is assigned in getDNOfUser
and this is the wrong place. I don't think the code assigning attlist
variables (LDAP attributes) ever gets executed even with rootly LDAP
privileges. All the field collections should be done in the
method/routine ldapAuthenticate as was the case in older versions of
DSpace.
I submitted some code to GIT but the code should be rejigged by someone
that properly knows the ins and outs of DSpace java. I have a more
recent version but it is really a a temporary thing for our site until
"DSpace" fixes this.
The current working java code we are using duplicates the field
assignments in ldapAuthenticate and I didn't dare delete the duplicated
code from getDNOfUser.
Attached is the java code that fixes the problem but it is not
esthetically pleasing containing duplicated code and breaks programming
guidelines. It needs a DSpace code guru to streamline it. Hey it works!
It require two lines in /dspace/config/modules/authentication-ldap.cfg
to be added. One line defining the ldap field that contains a users role
and one line that allocates the user to a group based on what the role
is. (Helix didn't like this scheme but he will come round eventually)
e.g.
position_field = usydPersonEntitlement
groupMapping_field = staff:access,enrolled:access
On Wed, 2014-02-19 at 15:38 +0100, helix84 wrote:
> On Wed, Feb 19, 2014 at 3:22 PM, Stefanie Behnke <[email protected]> wrote:
> > It does work so far, although I am not really happy.
>
> OK, now I'm a bit lost. Can you tell me again what your problem was
> before you set email_field = uid and what your problem is now?
>
> You're testing in JSPUI, right? Can you also always try the same thing
> in XMLUI? It should be the same, I just want to confirm it.
>
> > Any chance to get the fields surname_field =sn, givenname_field =givenName,
> > phone_field =telephoneNumber and mail?
>
> I've seen a situation where there was a null appended to the value of
> these fields but I'm not sure I've heard of a situation where they
> would be empty (it certainly works for me). If you bind with LDAP with
> the same user you're trying to log in to DSpace with, does that user
> see these attributes? My thinking here is that this might be a problem
> with your LDAP setup, not in DSpace. If this is the case, it might be
> worked around using the initial bind (with a user who has access to
> these attributes).
>
>
> Regards,
> ~~helix84
>
> Compulsory reading: DSpace Mailing List Etiquette
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
> _______________________________________________
> DSpace-tech mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
> List Etiquette:
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.authenticate;
import java.sql.SQLException;
import java.util.Hashtable;
import java.util.HashSet;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.dspace.authorize.AuthorizeException;
import org.dspace.core.ConfigurationManager;
import org.dspace.core.Context;
import org.dspace.core.LogManager;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group;
/**
* This combined LDAP authentication method supersedes both the 'LDAPAuthentication'
* and the 'LDAPHierarchicalAuthentication' methods. It's capable of both:
* - authenticaton against a flat LDAP tree where all users are in the same unit
* (if search.user or search.password is not set)
* - authentication against structured hierarchical LDAP trees of users.
* An initial bind is required using a user name and password in order to
* search the tree and find the DN of the user. A second bind is then required to
* check the credentials of the user by binding directly to their DN.
*
* @author Stuart Lewis, Chris Yates, Alex Barbieri, Flavio Botelho, Reuben Pasquini, Samuel Ottenhoff, Ivan Masár
* @version $Revision$
*/
public class LDAPAuthentication
implements AuthenticationMethod {
static String ldapTGroup;
/** log4j category */
private static Logger log = Logger.getLogger(LDAPAuthentication.class);
/**
* Let a real auth method return true if it wants.
*/
public boolean canSelfRegister(Context context,
HttpServletRequest request,
String username)
throws SQLException
{
// Looks to see if autoregister is set or not
return ConfigurationManager.getBooleanProperty("authentication-ldap", "autoregister");
}
/**
* Nothing here, initialization is done when auto-registering.
*/
public void initEPerson(Context context, HttpServletRequest request,
EPerson eperson)
throws SQLException
{
// XXX should we try to initialize netid based on email addr,
// XXX for eperson created by some other method??
}
/**
* Cannot change LDAP password through dspace, right?
*/
public boolean allowSetPassword(Context context,
HttpServletRequest request,
String username)
throws SQLException
{
// XXX is this right?
return false;
}
/*
* This is an explicit method.
*/
public boolean isImplicit()
{
return false;
}
/*
* Add authenticated users to the group defined in dspace.cfg by
* the login.specialgroup key.
*/
public int[] getSpecialGroups(Context context, HttpServletRequest request)
{
// Prevents anonymous users from being added to this group, and the second check
// ensures they are LDAP users
try
{
if (!context.getCurrentUser().getNetid().equals("")) {
String groupName = ConfigurationManager.getProperty("ldap.login.specialgroup");
log.info(LogManager.getHeader(context, "SpecialGroup ", groupName));
if ((groupName != null) && (!groupName.trim().equals(""))) {
Group ldapGroup = Group.findByName(context, groupName);
if (ldapGroup == null) {
// Oops - the group isn't there.
log.warn(LogManager.getHeader(context,
"ldap_specialgroup",
"Group defined in ldap.login.specialgroup does not exist"));
return new int[0];
}
else {
return new int[] { ldapGroup.getID() };
}
}
}
}
catch (Exception npe) {
// The user is not an LDAP user, so we don't need to worry about them
}
return new int[0];
}
/*
* Authenticate the given credentials.
* This is the heart of the authentication method: test the
* credentials for authenticity, and if accepted, attempt to match
* (or optionally, create) an <code>EPerson</code>. If an <code>EPerson</code> is found it is
* set in the <code>Context</code> that was passed.
*
* @param context
* DSpace context, will be modified (ePerson set) upon success.
*
* @param username
* Username (or email address) when method is explicit. Use null for
* implicit method.
*
* @param password
* Password for explicit auth, or null for implicit method.
*
* @param realm
* Realm is an extra parameter used by some authentication methods, leave null if
* not applicable.
*
* @param request
* The HTTP request that started this operation, or null if not applicable.
*
* @return One of:
* SUCCESS, BAD_CREDENTIALS, CERT_REQUIRED, NO_SUCH_USER, BAD_ARGS
* <p>Meaning:
* <br>SUCCESS - authenticated OK.
* <br>BAD_CREDENTIALS - user exists, but credentials (e.g. passwd) don't match
* <br>CERT_REQUIRED - not allowed to login this way without X.509 cert.
* <br>NO_SUCH_USER - user not found using this method.
* <br>BAD_ARGS - user/pw not appropriate for this method
*/
public int authenticate(Context context,
String netid,
String password,
String realm,
HttpServletRequest request)
throws SQLException
{
log.info(LogManager.getHeader(context, "auth", "attempting trivial auth of user="+netid));
// Skip out when no netid or password is given.
if (netid == null || password == null)
{
return BAD_ARGS;
}
// Locate the eperson
EPerson eperson = null;
try
{
eperson = EPerson.findByNetid(context, netid.toLowerCase());
}
catch (SQLException e)
{
}
log.info(LogManager.getHeader(context, "create ldap from speaker2ldap", ""));
SpeakerToLDAP ldap = new SpeakerToLDAP(log);
// Get the DN of the user
boolean anonymousSearch = ConfigurationManager.getBooleanProperty("authentication-ldap", "search.anonymous");
String adminUser = ConfigurationManager.getProperty("authentication-ldap", "search.user");
String adminPassword = ConfigurationManager.getProperty("authentication-ldap", "search.password");
String objectContext = ConfigurationManager.getProperty("authentication-ldap", "object_context");
String idField = ConfigurationManager.getProperty("authentication-ldap", "id_field");
String dn = "";
log.info(LogManager.getHeader(context, "Call ldap.getDNOfUser","h1"));
// If adminUser is blank and anonymous search is not allowed, then we can't search so construct the DN instead of searching it
if ((StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword)) && !anonymousSearch)
{
dn = idField + "=" + netid + "," + objectContext;
}
else
{
dn = ldap.getDNOfUser(adminUser, adminPassword, context, netid);
}
// Check a DN was found
if ((dn == null) || (dn.trim().equals("")))
{
log.info(LogManager
.getHeader(context, "failed_login", "no DN found for user " + netid));
return BAD_CREDENTIALS;
}
log.info(LogManager.getHeader(context, "DNUser ",dn));
// if they entered a netid that matches an eperson
if (eperson != null)
{
// e-mail address corresponds to active account
if (eperson.getRequireCertificate())
{
return CERT_REQUIRED;
}
else if (!eperson.canLogIn())
{
return BAD_ARGS;
}
if (ldap.ldapAuthenticate(dn,netid, password, context))
{
context.setCurrentUser(eperson);
// assign user to groups based on ldap dn
assignGroupsBasedOnLdapDn(dn, context);
log.info(LogManager
.getHeader(context, "authenticate", "type=ldap"));
return SUCCESS;
}
else
{
return BAD_CREDENTIALS;
}
}
else
{
// the user does not already exist so try and authenticate them
// with ldap and create an eperson for them
if (ldap.ldapAuthenticate(dn,netid, password, context))
{
// Register the new user automatically
log.info(LogManager.getHeader(context, "autoregister", "netid=" + netid));
// If there is no email and the email domain is set, add it to the netid
String email = ldap.ldapEmail;
if( email==null) email="";
log.info(LogManager.getHeader(context, "emailFromldap", email));
if (((email == null) || ("".equals(email))) &&
(!"".equals(ConfigurationManager.getProperty("authentication-ldap", "netid_email_domain"))))
{
email = netid + ConfigurationManager.getProperty("authentication-ldap", "netid_email_domain");
log.info(LogManager.getHeader(context, "emailAndnetid_suffix ",email));
}
log.info(LogManager.getHeader(context, "emailAuth", email));
if ((email != null) && (!"".equals(email)))
{
try
{
eperson = EPerson.findByEmail(context, email);
if (eperson!=null)
{
log.info(LogManager.getHeader(context,
"type=ldap-login", "type=ldap_but_already_email"));
context.setIgnoreAuthorization(true);
log.info(LogManager.getHeader(context, "Set netid:",netid));
eperson.setNetid(netid.toLowerCase());
eperson.update();
context.commit();
context.setIgnoreAuthorization(false);
context.setCurrentUser(eperson);
// assign user to groups based on ldap dn
log.info(LogManager.getHeader(context, "AssignGrp ldapTGroup",ldapTGroup));
assignGroupsBasedOnLdapDn(dn, context);
return SUCCESS;
}
else
{
if (canSelfRegister(context, request, netid))
{
// TEMPORARILY turn off authorisation
try
{
context.setIgnoreAuthorization(true);
eperson = EPerson.create(context);
if ((email != null) && (!"".equals(email))) {
eperson.setEmail(email);
}
if ((ldap.ldapGivenName!=null) && (!ldap.ldapGivenName.equals(""))) {
eperson.setFirstName(ldap.ldapGivenName);
}
if ((ldap.ldapSurname!=null) && (!ldap.ldapSurname.equals(""))) {
eperson.setLastName(ldap.ldapSurname);
}
if ((ldap.ldapPhone!=null)&&(!ldap.ldapPhone.equals(""))) {
eperson.setMetadata("phone", ldap.ldapPhone);
}
eperson.setNetid(netid.toLowerCase());
eperson.setCanLogIn(true);
AuthenticationManager.initEPerson(context, request, eperson);
eperson.update();
context.commit();
context.setCurrentUser(eperson);
// assign user to groups based on ldap dn
assignGroupsBasedOnLdapDn(dn, context);
log.info(LogManager.getHeader(context, "ln328 ldapTGroup",ldapTGroup));
// ldapTGroup set in ldapAuthenticate (sorry about global value)
try {
if(ldapTGroup != null) {
Group ldapGroup = Group.findByName(context, ldapTGroup);
if (ldapGroup != null)
{
ldapGroup.addMember(context.getCurrentUser());
ldapGroup.update();
context.commit();
}
}
}
catch (AuthorizeException ae) {
log.debug(LogManager.getHeader(context, "GroupsBasedOnldapTGroup ",ldapTGroup));
}
}
catch (AuthorizeException e)
{
return NO_SUCH_USER;
}
finally
{
context.setIgnoreAuthorization(false);
}
log.info(LogManager.getHeader(context, "authenticate",
"type=ldap-login, created ePerson"));
return SUCCESS;
}
else
{
// No auto-registration for valid certs
log.info(LogManager.getHeader(context,
"failed_login", "type=ldap_but_no_record"));
return NO_SUCH_USER;
}
}
}
catch (AuthorizeException e)
{
eperson = null;
}
finally
{
context.setIgnoreAuthorization(false);
}
}
}
}
return BAD_ARGS;
}
/**
* Internal class to manage LDAP query and results, mainly
* because there are multiple values to return.
*/
private static class SpeakerToLDAP {
private Logger log = null;
protected String ldapEmail = null;
protected String ldapGivenName = null;
protected String ldapSurname = null;
protected String ldapPhone = null;
protected String ldapPosition = null;
protected String ldapGroupMapping = null;
/** LDAP settings */
String ldap_provider_url = ConfigurationManager.getProperty("authentication-ldap", "provider_url");
String ldap_id_field = ConfigurationManager.getProperty("authentication-ldap", "id_field");
String ldap_search_context = ConfigurationManager.getProperty("authentication-ldap", "search_context");
String ldap_search_scope = ConfigurationManager.getProperty("authentication-ldap", "search_scope");
String ldap_email_field = ConfigurationManager.getProperty("authentication-ldap", "email_field");
String ldap_givenname_field = ConfigurationManager.getProperty("authentication-ldap", "givenname_field");
String ldap_surname_field = ConfigurationManager.getProperty("authentication-ldap", "surname_field");
String ldap_phone_field = ConfigurationManager.getProperty("authentication-ldap", "phone_field");
String ldap_position_field = ConfigurationManager.getProperty("position_field");
String ldap_groupMapping_field = ConfigurationManager.getProperty("groupMapping_field");
SpeakerToLDAP(Logger thelog)
{
log = thelog;
}
protected String getDNOfUser(String adminUser, String adminPassword, Context context, String netid)
{
// The resultant DN
String resultDN;
// The search scope to use (default to 0)
int ldap_search_scope_value = 0;
try
{
ldap_search_scope_value = Integer.parseInt(ldap_search_scope.trim());
}
catch (NumberFormatException e)
{
// Log the error if it has been set but is invalid
if (ldap_search_scope != null)
{
log.warn(LogManager.getHeader(context,
"ldap_authentication", "invalid search scope: " + ldap_search_scope));
}
}
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(javax.naming.Context.PROVIDER_URL, ldap_provider_url);
if ((adminUser != null) && (!adminUser.trim().equals("")) &&
(adminPassword != null) && (!adminPassword.trim().equals("")))
{
// Use admin credencials for search// Authenticate
env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "simple");
env.put(javax.naming.Context.SECURITY_PRINCIPAL, adminUser);
env.put(javax.naming.Context.SECURITY_CREDENTIALS, adminPassword);
}
else
{
// Use anonymous authentication
env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "none");
}
DirContext ctx = null;
try
{
// Create initial context
ctx = new InitialDirContext(env);
Attributes matchAttrs1 = new BasicAttributes(true);
matchAttrs1.put(new BasicAttribute(ldap_id_field, netid));
// look up attributes
try
{
SearchControls ctrls = new SearchControls();
ctrls.setSearchScope(ldap_search_scope_value);
NamingEnumeration<SearchResult> answer = ctx.search(
ldap_provider_url + ldap_search_context,
"(&({0}={1}))", new Object[] { ldap_id_field,
netid }, ctrls);
while (answer.hasMoreElements()) {
SearchResult sr = answer.next();
if (StringUtils.isEmpty(ldap_search_context)) {
resultDN = sr.getName();
} else {
resultDN = (sr.getName() + "," + ldap_search_context);
}
String attlist[] = {ldap_email_field, ldap_givenname_field,
ldap_surname_field, ldap_phone_field};
Attributes atts = sr.getAttributes();
Attribute att;
if (attlist[0] != null) {
att = atts.get(attlist[0]);
if (att != null)
{
ldapEmail = (String) att.get();
}
}
if (attlist[1] != null) {
att = atts.get(attlist[1]);
if (att != null)
{
ldapGivenName = (String) att.get();
}
}
if (attlist[2] != null) {
att = atts.get(attlist[2]);
if (att != null)
{
ldapSurname = (String) att.get();
}
}
if (attlist[3] != null) {
att = atts.get(attlist[3]);
if (att != null)
{
ldapPhone = (String) att.get();
}
}
if (answer.hasMoreElements()) {
// Oh dear - more than one match
// Ambiguous user, can't continue
} else {
log.debug(LogManager.getHeader(context, "got DN", resultDN));
return resultDN;
}
}
}
catch (NamingException e)
{
// if the lookup fails go ahead and create a new record for them because the authentication
// succeeded
log.warn(LogManager.getHeader(context,
"ldap_attribute_lookup", "type=failed_search "
+ e));
}
}
catch (NamingException e)
{
log.warn(LogManager.getHeader(context,
"ldap_authentication", "type=failed_auth " + e));
}
finally
{
// Close the context when we're done
try
{
if (ctx != null)
{
ctx.close();
}
}
catch (NamingException e)
{
}
}
// No DN match found
return null;
}
protected boolean ldapAuthenticate(String dnld, String netid, String password, Context context)
{
if (!password.equals(""))
{
String ldap_search_context = ConfigurationManager.getProperty("authentication-ldap","search_context");
String ldap_object_context = ConfigurationManager.getProperty("authentication-ldap","object_context");
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(javax.naming.Context.PROVIDER_URL, ldap_provider_url);
// Authenticate
env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "Simple");
env.put(javax.naming.Context.SECURITY_PRINCIPAL, ldap_id_field+"="+netid+","+ldap_object_context);
//env.put(javax.naming.Context.SECURITY_PRINCIPAL, dnld);
//
env.put(javax.naming.Context.SECURITY_CREDENTIALS, password);
env.put(javax.naming.Context.AUTHORITATIVE, "true");
env.put(javax.naming.Context.REFERRAL, "follow");
// Config examples don't recommend trailing slash or the prefix ldap protocol
if ( ! ldap_provider_url.startsWith("ldap://";) ) {
ldap_provider_url="ldap://"; + ldap_provider_url;
}
if ( ! ldap_provider_url.endsWith("/") ) {
ldap_provider_url=ldap_provider_url+"/";
}
DirContext ctx = null;
try
{
// Create initial context
ctx = new InitialDirContext(env);
String ldap_email_field = ConfigurationManager.getProperty("authentication-ldap","email_field");
String ldap_givenname_field = ConfigurationManager.getProperty("authentication-ldap","givenname_field");
String ldap_surname_field = ConfigurationManager.getProperty("authentication-ldap","surname_field");
String ldap_phone_field = ConfigurationManager.getProperty("authentication-ldap","phone_field");
String ldap_position_field = ConfigurationManager.getProperty("authentication-ldap","position_field");
String ldap_groupMapping_field = ConfigurationManager.getProperty("authentication-ldap","groupMapping_field");
Attributes matchAttrs = new BasicAttributes(true);
log.info(LogManager.getHeader(context, "ldap_id_field",ldap_id_field));
log.info(LogManager.getHeader(context, "netid",netid));
log.info(LogManager.getHeader(context, "dnld",dnld));
matchAttrs.put(new BasicAttribute(ldap_id_field, dnld));
log.info(LogManager.getHeader(context, "matchattrs",matchAttrs.toString()));
String attlist[] = {
ldap_email_field, ldap_givenname_field, ldap_surname_field,
ldap_phone_field, ldap_position_field
};
// The search scope to use (default to 0)
int ldap_search_scope_value = 0;
try {
ldap_search_scope_value = Integer.parseInt(ldap_search_scope.trim());
}
catch (NumberFormatException e) {
// Log the error if it has been set but is invalid
if (ldap_search_scope != null) {
log.warn(LogManager.getHeader(context,
"ldap_authentication", "invalid search scope: " + ldap_search_scope));
}
}
try
{
SearchControls ctrls = new SearchControls();
ctrls.setSearchScope(ldap_search_scope_value);
log.info(LogManager.getHeader(context, "ldapProvider",ldap_provider_url));
log.info(LogManager.getHeader(context, "ldapSrchContxt",ldap_search_context));
log.info(LogManager.getHeader(context, "netid",netid));
NamingEnumeration<SearchResult> answer = ctx.search(
ldap_provider_url + ldap_search_context,
"(&({0}={1}))", new Object[] { ldap_id_field, netid }, ctrls);
//for (int i=0; i<attlist.length;i++)
//log.info(LogManager.getHeader(context, "attlist1 ",attlist[i]));
while(answer.hasMore()) {
SearchResult sr = (SearchResult)answer.next();
Attributes atts = sr.getAttributes();
Attribute att;
if (attlist[0]!=null) {
att = atts.get(attlist[0]);
if (att != null) ldapEmail = (String)att.get();
log.info(LogManager.getHeader(context,
"ldap_Email", ldapEmail));
}
if (attlist[1]!=null) {
att = atts.get(attlist[1]);
if (att != null) ldapGivenName = (String)att.get();
log.info(LogManager.getHeader(context,
"ldap_ldapGivenName", ldapGivenName));
}
if (attlist[2]!=null) {
att = atts.get(attlist[2]);
if (att != null) ldapSurname = (String)att.get();
log.info(LogManager.getHeader(context,
"ldap_ldapSurname", ldapSurname));
}
if (attlist[3]!=null) {
att = atts.get(attlist[3]);
if (att != null) ldapPhone = (String)att.get();
log.info(LogManager.getHeader(context,
"ldap_phone", ldapPhone));
}
if (attlist[4]!=null) {
att = atts.get(attlist[4]);
if (att != null) ldapPosition = (String)att.get();
log.info(LogManager.getHeader(context,
"ldap_ldapPosition", ldapPosition));
//If there is a mapping of the ldap entry to internal dspace entries
// get the mapping and assign the group to put the user in to that mapping
String [] piecePair;
// split string on commas, each item in string array then to be split on colon
String [] mapPieces= ldap_groupMapping_field.split(",");
ldapTGroup="";
for (int i=0; i<mapPieces.length; i++) {
piecePair=mapPieces[i].split(":");
if (piecePair[0].equals(ldapPosition))
ldapTGroup=piecePair[1];
}
log.info(LogManager.getHeader(context,
"Group Mapping field is ", ldap_groupMapping_field));
log.info(LogManager.getHeader(context,
"Group assign AAA ldap_ldapTGroup", ldapTGroup));
}
else {
//ldapPosition unmapped ldap group to put user in
//if(ldapPosition == null) ldapTGroup = ldapPosition;
ldapTGroup = ConfigurationManager.getProperty("authentication-ldap", "login.specialgroup");
log.info(LogManager.getHeader(context,
"Special Group used", ldapTGroup));
}
}
}
catch (NamingException e) {
// if the lookup fails go ahead and create a new record for them because the authentication
// succeeded
log.warn(LogManager.getHeader(context,
"ldap_attribute_lookup", "type=failed_search "+e));
return true;
}
}
catch (NamingException e) {
log.warn(LogManager.getHeader(context,
"ldap_authentication", "type=failed_auth "+e));
return false;
}
finally
{
// Close the context when we're done
try {
if (ctx != null)
ctx.close();
}
catch (NamingException e) {
}
}
}
else
{
return false;
}
return true;
}
}
/*
* Returns URL to which to redirect to obtain credentials (either password
* prompt or e.g. HTTPS port for client cert.); null means no redirect.
*
* @param context
* DSpace context, will be modified (ePerson set) upon success.
*
* @param request
* The HTTP request that started this operation, or null if not applicable.
*
* @param response
* The HTTP response from the servlet method.
*
* @return fully-qualified URL
*/
public String loginPageURL(Context context,
HttpServletRequest request,
HttpServletResponse response)
{
return response.encodeRedirectURL(request.getContextPath() +
"/ldap-login");
}
/**
* Returns message key for title of the "login" page, to use
* in a menu showing the choice of multiple login methods.
*
* @param context
* DSpace context, will be modified (ePerson set) upon success.
*
* @return Message key to look up in i18n message catalog.
*/
public String loginPageTitle(Context context)
{
return "org.dspace.eperson.LDAPAuthentication.title";
}
/*
* Add authenticated users to the group defined in dspace.cfg by
* the ldap.login.groupmap.* key.
*/
private void assignGroupsBasedOnLdapDn(String dn, Context context)
{
if (StringUtils.isNotBlank(dn))
{
System.out.println("dn:" + dn);
int i = 1;
String groupMap = ConfigurationManager.getProperty("authentication-ldap", "login.groupmap." + i);
while (groupMap != null)
{
String t[] = groupMap.split(":");
String ldapSearchString = t[0];
String dspaceGroupName = t[1];
if (StringUtils.containsIgnoreCase(dn, ldapSearchString))
{
// assign user to this group
try
{
Group ldapGroup = Group.findByName(context, dspaceGroupName);
if (ldapGroup != null)
{
ldapGroup.addMember(context.getCurrentUser());
ldapGroup.update();
context.commit();
}
else
{
// The group does not exist
log.warn(LogManager.getHeader(context,
"ldap_assignGroupsBasedOnLdapDn",
"Group defined in ldap.login.groupmap." + i + " does not exist :: " + dspaceGroupName));
}
}
catch (AuthorizeException ae)
{
log.debug(LogManager.getHeader(context, "assignGroupsBasedOnLdapDn could not authorize addition to group", dspaceGroupName));
}
catch (SQLException e)
{
log.debug(LogManager.getHeader(context, "assignGroupsBasedOnLdapDn could not find group", dspaceGroupName));
}
}
groupMap = ConfigurationManager.getProperty("ldap.login.groupmap." + ++i);
}
}
}
}
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
