Re: [dspace-tech] DSpace 5.X: Switching auth method from LDAP to Shibboleth

2023-02-14 Thread Mohammad S. AlMutairi
You bet

** From the error message you got:
"If the user's netid has changed you will need to manually change it to the 
correct value or unset it in the database."

I think it would be much faster and easier if you can sort and unset the 
netid data for the affected AD users by nulling their netid values in the 
netid column in dspace --> eperson --> netid column. You should test it 
first on a single user.

Best of luck

BR

On Tuesday, February 14, 2023 at 11:49:15 AM UTC+3 Evelthon Prodromou wrote:

> Hello Mohammad,
>
> No I have not. Will look into it. Thank you for the tip.
>
> E.
>
> On Tuesday, February 14, 2023 at 9:54:23 AM UTC+2 Mohammad S. AlMutairi 
> wrote:
>
>> Hello Evelthon,
>>
>> Have you thought about scripting a bulk modification of the users' netid? 
>> ([dspace]/bin/dspace user --modify -h).
>>
>> On Tuesday, February 14, 2023 at 9:21:55 AM UTC+3 Evelthon Prodromou 
>> wrote:
>>
>>> Hello Mark,
>>> Thank you for your reply.
>>>
>>> eduPersonPrincipalName is close but not exactly the same. Will have to 
>>> review my options.
>>>
>>> Evelthon
>>>
>>> On Friday, February 10, 2023 at 3:24:41 PM UTC+2 Mark H. Wood wrote:
>>>
>>>> On Fri, Feb 10, 2023 at 03:06:53AM -0800, Evelthon Prodromou wrote:
>>>> > Shibboleth SP is configured properly and attributes are released.
>>>> >
>>>> > The problem is with Epersons that were previously created with LDAP
>>>> > authentication. When the same user attempts to authenticate via Shibboleth
>>>> > a failure occurs and the following error is logged:
>>>> >
>>>> > ERROR org.dspace.authenticate.ShibAuthentication @ The identified EPerson
>>>> > based upon Shibboleth email header, 'mail'='us...@domain.com', is locked to
>>>> > another netid: 'a_username'. This might be a possible hacking attempt to
>>>> > steal another
>>>> > users credentials. If the user's netid has changed you will need to
>>>> > manually change it to the correct value or unset it in the database.
>>>> >
>>>> > What is the proper way for Identity Scheme Migration (LDAP to Shibboleth)?
>>>>
>>>> I'm only guessing here, but it appears that the Shibboleth attribute
>>>> that you are using for netid has different values for the same account
>>>> than the LDAP attribute that you have been using. Does your IDP offer
>>>> another attribute which tracks the LDAP service's attribute?
>>>>
>>>> --
>>>> Mark H. Wood
>>>> Lead Technology Analyst
>>>>
>>>> University Library
>>>> Indiana University - Purdue University Indianapolis
>>>> 755 W. Michigan Street
>>>> Indianapolis, IN 46202
>>>> 317-274-0749
>>>> www.ulib.iupui.edu

>>>

-- 
All messages to this mailing list should adhere to the Code of Conduct: 
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/3998b1e6-be24-4b7a-abdb-a8f1b84f2f3fn%40googlegroups.com.
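
The advice in the message above (unset netid only for the affected users, and try one user first) can be scripted as follows. This is an added example, not code from the thread or from DSpace: it uses Python's sqlite3 as a stand-in for the real database, assumes the eperson table has email and netid columns, and the netid_backup table and all sample values are constructed for illustration.

```python
import re
import sqlite3

# The ShibAuthentication error quoted in the thread, as it appears on one log line.
LOCKED = re.compile(
    r"ShibAuthentication @ The identified EPerson based upon Shibboleth email "
    r"header, '[^']+'='(?P<email>[^']+)', is locked to another netid: '(?P<netid>[^']*)'")

def affected_accounts(log_lines):
    """Return {email: netid currently stored} for each account the log shows as locked."""
    found = {}
    for line in log_lines:
        m = LOCKED.search(line)
        if m:
            found[m["email"].lower()] = m["netid"]
    return found

def unset_netids(conn, accounts, limit=None):
    """Null netid only where e-mail and stored netid both still match; return e-mails changed."""
    changed = []
    with conn:  # single transaction: rolled back if any statement fails
        conn.execute("CREATE TABLE IF NOT EXISTS netid_backup (email TEXT, netid TEXT)")
        for email, netid in sorted(accounts.items())[:limit]:
            cur = conn.execute(
                "UPDATE eperson SET netid = NULL WHERE lower(email) = ? AND netid = ?",
                (email, netid))
            if cur.rowcount == 1:
                conn.execute("INSERT INTO netid_backup VALUES (?, ?)", (email, netid))
                changed.append(email)
    return changed

def demo():
    # Constructed sample log lines and rows; none of these values come from the thread.
    err = ("2023-02-10 13:07:01,114 ERROR org.dspace.authenticate.ShibAuthentication @ "
           "The identified EPerson based upon Shibboleth email header, 'mail'='%s', is "
           "locked to another netid: '%s'. This might be a possible hacking attempt ...")
    log = [err % ("alice@example.org", "alice_ad"),
           "2023-02-10 13:07:02,001 INFO org.dspace.app.xmlui @ unrelated line",
           err % ("bob@example.org", "bob_ad"),
           err % ("alice@example.org", "alice_ad")]
    conn = sqlite3.connect(":memory:")  # stand-in for the real DSpace database
    conn.execute("CREATE TABLE eperson (eperson_id INTEGER PRIMARY KEY, email TEXT, netid TEXT)")
    conn.executemany("INSERT INTO eperson (email, netid) VALUES (?, ?)",
                     [("alice@example.org", "alice_ad"), ("bob@example.org", "bob_ad"),
                      ("carol@example.org", "carol_ad")])
    accounts = affected_accounts(log)
    first = unset_netids(conn, accounts, limit=1)  # single-user trial, as advised
    rest = unset_netids(conn, accounts)            # then the remaining accounts
    rows = conn.execute("SELECT email, netid FROM eperson ORDER BY eperson_id").fetchall()
    return accounts, first, rest, rows
```

Accounts that never triggered the error (carol in the sample) keep their netid, and the backup table holds the old values so a change can be reversed.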


Re: [dspace-tech] DSpace 5.X: Switching auth method from LDAP to Shibboleth

2023-02-14 Thread Evelthon Prodromou
Hello Mohammad,

No I have not. Will look into it. Thank you for the tip.

E.

On Tuesday, February 14, 2023 at 9:54:23 AM UTC+2 Mohammad S. AlMutairi 
wrote:

> Hello Evelthon,
>
> Have you thought about scripting a bulk modification of the users' netid? 
> ([dspace]/bin/dspace user --modify -h).
>
> On Tuesday, February 14, 2023 at 9:21:55 AM UTC+3 Evelthon Prodromou wrote:
>
>> Hello Mark,
>> Thank you for your reply.
>>
>> eduPersonPrincipalName is close but not exactly the same. Will have to 
>> review my options.
>>
>> Evelthon
>>
>> On Friday, February 10, 2023 at 3:24:41 PM UTC+2 Mark H. Wood wrote:
>>
>>> On Fri, Feb 10, 2023 at 03:06:53AM -0800, Evelthon Prodromou wrote:
>>> > Shibboleth SP is configured properly and attributes are released.
>>> >
>>> > The problem is with Epersons that were previously created with LDAP
>>> > authentication. When the same user attempts to authenticate via Shibboleth
>>> > a failure occurs and the following error is logged:
>>> >
>>> > ERROR org.dspace.authenticate.ShibAuthentication @ The identified EPerson
>>> > based upon Shibboleth email header, 'mail'='us...@domain.com', is locked to
>>> > another netid: 'a_username'. This might be a possible hacking attempt to
>>> > steal another
>>> > users credentials. If the user's netid has changed you will need to
>>> > manually change it to the correct value or unset it in the database.
>>> >
>>> > What is the proper way for Identity Scheme Migration (LDAP to Shibboleth)?
>>>
>>> I'm only guessing here, but it appears that the Shibboleth attribute
>>> that you are using for netid has different values for the same account
>>> than the LDAP attribute that you have been using. Does your IDP offer
>>> another attribute which tracks the LDAP service's attribute?
>>>
>>> --
>>> Mark H. Wood
>>> Lead Technology Analyst
>>>
>>> University Library
>>> Indiana University - Purdue University Indianapolis
>>> 755 W. Michigan Street
>>> Indianapolis, IN 46202
>>> 317-274-0749
>>> www.ulib.iupui.edu
>>>
>>



Re: [dspace-tech] DSpace 5.X: Switching auth method from LDAP to Shibboleth

2023-02-13 Thread Mohammad S. AlMutairi
Hello Evelthon,

Have you thought about scripting a bulk modification of the users' netid? 
([dspace]/bin/dspace user --modify -h).

On Tuesday, February 14, 2023 at 9:21:55 AM UTC+3 Evelthon Prodromou wrote:

> Hello Mark,
> Thank you for your reply.
>
> eduPersonPrincipalName is close but not exactly the same. Will have to 
> review my options.
>
> Evelthon
>
> On Friday, February 10, 2023 at 3:24:41 PM UTC+2 Mark H. Wood wrote:
>
>> On Fri, Feb 10, 2023 at 03:06:53AM -0800, Evelthon Prodromou wrote:
>> > Shibboleth SP is configured properly and attributes are released.
>> >
>> > The problem is with Epersons that were previously created with LDAP
>> > authentication. When the same user attempts to authenticate via Shibboleth
>> > a failure occurs and the following error is logged:
>> >
>> > ERROR org.dspace.authenticate.ShibAuthentication @ The identified EPerson
>> > based upon Shibboleth email header, 'mail'='us...@domain.com', is locked to
>> > another netid: 'a_username'. This might be a possible hacking attempt to
>> > steal another
>> > users credentials. If the user's netid has changed you will need to
>> > manually change it to the correct value or unset it in the database.
>> >
>> > What is the proper way for Identity Scheme Migration (LDAP to Shibboleth)?
>>
>> I'm only guessing here, but it appears that the Shibboleth attribute
>> that you are using for netid has different values for the same account
>> than the LDAP attribute that you have been using. Does your IDP offer
>> another attribute which tracks the LDAP service's attribute?
>>
>> --
>> Mark H. Wood
>> Lead Technology Analyst
>>
>> University Library
>> Indiana University - Purdue University Indianapolis
>> 755 W. Michigan Street
>> Indianapolis, IN 46202
>> 317-274-0749
>> www.ulib.iupui.edu
>>
>



Re: [dspace-tech] DSpace 5.X: Switching auth method from LDAP to Shibboleth

2023-02-13 Thread Evelthon Prodromou
Hello Mark,
Thank you for your reply.

eduPersonPrincipalName is close but not exactly the same. Will have to 
review my options.

Evelthon

On Friday, February 10, 2023 at 3:24:41 PM UTC+2 Mark H. Wood wrote:

> On Fri, Feb 10, 2023 at 03:06:53AM -0800, Evelthon Prodromou wrote:
> > Shibboleth SP is configured properly and attributes are released.
> >
> > The problem is with Epersons that were previously created with LDAP
> > authentication. When the same user attempts to authenticate via Shibboleth
> > a failure occurs and the following error is logged:
> >
> > ERROR org.dspace.authenticate.ShibAuthentication @ The identified EPerson
> > based upon Shibboleth email header, 'mail'='us...@domain.com', is locked to
> > another netid: 'a_username'. This might be a possible hacking attempt to
> > steal another
> > users credentials. If the user's netid has changed you will need to
> > manually change it to the correct value or unset it in the database.
> >
> > What is the proper way for Identity Scheme Migration (LDAP to Shibboleth)?
>
> I'm only guessing here, but it appears that the Shibboleth attribute
> that you are using for netid has different values for the same account
> than the LDAP attribute that you have been using. Does your IDP offer
> another attribute which tracks the LDAP service's attribute?
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>



Re: [dspace-tech] DSpace 5.X: Switching auth method from LDAP to Shibboleth

2023-02-10 Thread Mark H. Wood
On Fri, Feb 10, 2023 at 03:06:53AM -0800, Evelthon Prodromou wrote:
> Shibboleth SP is configured properly and attributes are released.
> 
> The problem is with Epersons that were previously created with LDAP 
> authentication. When the same user attempts to authenticate via Shibboleth 
> a failure occurs and the following error is logged:
> 
> ERROR org.dspace.authenticate.ShibAuthentication @ The identified EPerson 
> based upon Shibboleth email header, 'mail'='u...@domain.com', is locked to 
> another netid: 'a_username'. This might be a possible hacking attempt to 
> steal another
> users credentials. If the user's netid has changed you will need to 
> manually change it to the correct value or unset it in the database.
> 
> What is the proper way for Identity Scheme Migration (LDAP to Shibboleth)? 

I'm only guessing here, but it appears that the Shibboleth attribute
that you are using for netid has different values for the same account
than the LDAP attribute that you have been using.  Does your IDP offer
another attribute which tracks the LDAP service's attribute?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu



[dspace-tech] DSpace 5.X: Switching auth method from LDAP to Shibboleth

2023-02-10 Thread Evelthon Prodromou
 

Hello all,

Shibboleth SP is configured properly and attributes are released.

The problem is with Epersons that were previously created with LDAP 
authentication. When the same user attempts to authenticate via Shibboleth 
a failure occurs and the following error is logged:

ERROR org.dspace.authenticate.ShibAuthentication @ The identified EPerson 
based upon Shibboleth email header, 'mail'='u...@domain.com', is locked to 
another netid: 'a_username'. This might be a possible hacking attempt to 
steal another
users credentials. If the user's netid has changed you will need to 
manually change it to the correct value or unset it in the database.

What is the proper way for Identity Scheme Migration (LDAP to Shibboleth)? 


kind regards,

Evelthon
