Patches item #2057378, was opened at 2008-08-18 11:30
Message generated for change (Comment added) made by pjsm
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=319984&aid=2057378&group_id=19984

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Closed
Resolution: Accepted
Priority: 5
Private: No
Submitted By: Stuart Lewis (stuartlewis)
Assigned to: Stuart Lewis (stuartlewis)
Summary: Hierarchical LDAP support

Initial Comment:
The attached file is a new pluggable authentication method to provide flexible 
support for hierarchical LDAP trees (where users are not all in the same 
subtree).

This patch builds upon two other patches:

 - [2057231] Refactor LDAPServlet to use Stackable Authentication (this patch 
only supports LDAP servers to which you can anonymously bind)

 - [1597831] Patch for Hierarchical LDAP plus Stackable fixes (this does not 
work with LDAP servers which cannot return the DN of a user as one of its 
attributes)

An additional feature is the ability to set a special group of which all LDAP-authenticated 
users are members. This is useful for automatically creating a group of all internal 
users, if you need to restrict items internally where you can't rely on IP authentication.

It requires the following additions to dspace.cfg:

##### Hierarchical LDAP Settings #####

# If your users are spread out across a hierarchical tree on your
# LDAP server, you will need to use the following stackable authentication
# class:
#  plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
#        org.dspace.authenticate.LDAPHierarchicalAuthentication
#
# You can optionally specify the search scope. If anonymous access is not
# enabled on your LDAP server, you will need to specify the full DN and
# password of a user that is allowed to bind in order to search for the
# users.

# This is the search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
# object scope : 0
# one level scope : 1
# subtree scope : 2
#ldap.search_scope = 2

# The full DN and password of a user allowed to connect to the LDAP server
# and search for the DN of the user trying to log in.
#ldap.search.user = cn=admin,ou=people,o=myu.edu
#ldap.search.password = password


##### LDAP users group #####

# If required, a group name can be given here, and all users who log in
# to LDAP will automatically become members of this group. This is useful
# if you want a group made up of all internal authenticated users.
#ldap.login.specialgroup = group-name
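
The search-then-bind flow that the settings above configure, as an added example that is not part of the original patch or of DSpace. It is a Python model run against a constructed in-memory tree, so the "bind" is a stand-in for a real simple bind; the `uid` attribute name, the RFC 4515 escaping of the login id before it goes into a search filter, and the handling of an entry with no `mail` attribute are assumptions here, and DN parsing splits on commas (escaped commas are not handled). It shows why the search scope matters when users are spread across sub-OUs, and it tests blank search credentials by content rather than by string identity when choosing an anonymous bind.

```python
"""Search-then-bind login against a hierarchical tree, modelled offline.

Added example, not DSpace code. DIRECTORY is constructed sample data; the
attribute names and escaping rules are assumptions, not taken from the patch.
"""

SCOPE_OBJECT, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2  # ldap.search_scope values

# Constructed sample tree: users sit in different OUs below ou=people.
DIRECTORY = {
    "o=myu.edu": {},
    "ou=people,o=myu.edu": {},
    "cn=admin,ou=people,o=myu.edu": {"userPassword": "s3cret"},
    "uid=carol,ou=people,o=myu.edu": {"uid": "carol", "mail": "carol@myu.edu",
                                       "userPassword": "pw-c"},
    "ou=staff,ou=people,o=myu.edu": {},
    "uid=alice,ou=staff,ou=people,o=myu.edu": {"uid": "alice", "mail": "alice@myu.edu",
                                                "userPassword": "pw-a"},
    "ou=students,ou=people,o=myu.edu": {},
    # bob has no mail attribute, the case raised in the testing comments
    "uid=bob,ou=students,ou=people,o=myu.edu": {"uid": "bob", "userPassword": "pw-b"},
}


def search_env(provider_url, search_user, search_password):
    """JNDI-style environment for the connection that performs the search.

    Blank or whitespace-only ldap.search.user / ldap.search.password select an
    anonymous bind; the emptiness test uses strip() on the content, so it does
    not depend on which String object a config loader handed back."""
    env = {"java.naming.provider.url": provider_url}
    if (search_user or "").strip() and (search_password or "").strip():
        env["java.naming.security.authentication"] = "simple"
        env["java.naming.security.principal"] = search_user
        env["java.naming.security.credentials"] = search_password
    else:
        env["java.naming.security.authentication"] = "none"
    return env


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so a login
    id such as 'x)(uid=*' cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(attribute, value):
    """Equality filter for the user lookup, e.g. (uid=alice)."""
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def in_scope(dn, base, scope):
    """Scope semantics for ldap.search_scope 0 (object), 1 (one level), 2 (subtree).
    Assumes DNs contain no escaped commas."""
    if dn == base:
        return scope in (SCOPE_OBJECT, SCOPE_SUBTREE)
    if scope == SCOPE_OBJECT or not dn.endswith("," + base):
        return False
    rdns_below_base = dn[: -len(base) - 1].count(",") + 1
    return scope == SCOPE_SUBTREE or rdns_below_base == 1


def find_user_dn(directory, base, scope, attribute, login_id):
    """Search step: the single DN whose attribute equals login_id, or None.
    More than one hit is an error rather than a guess, because the DN found
    here is the one the user's own bind will be attempted against."""
    hits = [dn for dn, attrs in directory.items()
            if in_scope(dn, base, scope) and attrs.get(attribute) == login_id]
    if len(hits) > 1:
        raise ValueError("ambiguous login id %r: %s" % (login_id, hits))
    return hits[0] if hits else None


def bind(directory, dn, password):
    """Stand-in for the user's simple bind. An empty password is rejected up
    front: per RFC 4513 a DN with empty credentials is an unauthenticated
    bind, which some servers report as success."""
    entry = directory.get(dn)
    return bool(password) and entry is not None and entry.get("userPassword") == password


def authenticate(directory, base, scope, attribute, login_id, password):
    """Search-then-bind. Returns {'dn': ..., 'email': ...} on success (email
    may be None when the entry has no mail attribute), else None."""
    dn = find_user_dn(directory, base, scope, attribute, login_id)
    if dn is None or not bind(directory, dn, password):
        return None
    return {"dn": dn, "email": directory[dn].get("mail")}


if __name__ == "__main__":
    base = "ou=people,o=myu.edu"
    print(search_env("ldap://ldap.myu.edu:389", "", ""))
    print(build_filter("uid", "alice)(uid=*"))
    print(find_user_dn(DIRECTORY, base, SCOPE_ONELEVEL, "uid", "alice"))  # None
    print(authenticate(DIRECTORY, base, SCOPE_SUBTREE, "uid", "alice", "pw-a"))
    print(authenticate(DIRECTORY, base, SCOPE_SUBTREE, "uid", "bob", "pw-b"))
```

With `ldap.search_scope = 1` the lookup for alice returns nothing, because she sits two levels below `ou=people`; scope 2 finds her, which is the whole reason for the hierarchical variant. The registration step then has to cope with a None email, as bob shows.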



----------------------------------------------------------------------

Comment By: Paulo Matos (pjsm)
Date: 2009-02-07 00:03

Message:
I've noticed that anonymous bind is missing, so I suggest that you
incorporate the following changes to the patch. If the admin user/password is
missing or empty, it assumes that the bind should be anonymous.

--- LDAPHierarchicalAuthentication.java.orig    2009-02-06
23:40:32.000000000 +0000
+++ LDAPHierarchicalAuthentication.java 2009-02-06 23:51:08.000000000
+0000
@@ -402,9 +402,15 @@
                        env.put(javax.naming.Context.PROVIDER_URL,
ldap_provider_url);

                        // Authenticate
-                      
env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "simple");
-                       env.put(javax.naming.Context.SECURITY_PRINCIPAL,
adminUser);
-                       env.put(javax.naming.Context.SECURITY_CREDENTIALS,
adminPassword);
+                       if ((adminUser != null) && (adminUser.trim() !=
"") && (adminPassword != null) && (adminPassword.trim() != "") ){
+                               // Use admin credencials for search
+                              
env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "simple");
+                              
env.put(javax.naming.Context.SECURITY_PRINCIPAL, adminUser);
+                              
env.put(javax.naming.Context.SECURITY_CREDENTIALS, adminPassword);
+                       } else {
+                               // Use anonymous authentication
+                              
env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "none");
+                       }

                        DirContext ctx = null;
                        try
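Review bot: the emptiness checks in the new `if` compare String references, not contents. `adminUser.trim() != ""` (and the same test on `adminPassword`) is true for any empty string that is not the interned literal, such as a blank value read from dspace.cfg, so a missing search user still takes the "simple" branch with empty principal and credentials instead of falling through to the anonymous branch. Use `adminUser.trim().length() > 0` and `adminPassword.trim().length() > 0` for the two checks. It would also help to log which bind mode was selected, so that a blank credential landing in the simple branch is visible, and "credencials" in the added comment should read "credentials".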
 

----------------------------------------------------------------------

Comment By: Stuart Lewis (stuartlewis)
Date: 2008-09-17 22:55

Message:
A new version of this patch is attached which addresses most of these
issues. This patch has been applied to 1_5_x branch.
File Added: hierarchical-ldap.patch

----------------------------------------------------------------------

Comment By: Flavio Botelho (nuncanada)
Date: 2008-08-20 21:38

Message:

I tested and it's working fine. Didn't test the special groups yet.

Minor issues:
 - If the admin user has a backslash (\) in it, it needs to be doubled in
dspace.cfg. This seems to be because of the way the cfg parser works, so it would
be nice to add an alert message just before that configuration.

 - loginPageURL: I would prefer the stack to work by itself without the
necessity for the user to choose from possible authentication mechanisms.
Maybe later on put an option in the stackable configuration to ignore the
loginPageURL?

Thanks a lot for the nice work :)

----------------------------------------------------------------------

Comment By: Alex Barbieri (ikandros)
Date: 2008-08-20 10:25

Message:

I have done some preliminary testing of this patch. There are some issues:

1) If a user has no email on the ldap server, they will not be
autoregistered (this was an issue on my server). This can be changed by
commenting out line 253 and wrapping line 257 in a try/catch block for
nullity.

2) The getSpecialGroups() method will put all users who can log in by any
method into the "ldap.login.specialgroup" group, not just users who can
authenticate with ldap. I have not found an easy way to work around this.

----------------------------------------------------------------------


_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
