[ https://jira.duraspace.org/browse/DS-994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22115#comment-22115 ]
Stuart Lewis commented on DS-994:
---------------------------------

All our users self-register via Shibboleth. Shibboleth authenticates them, then DSpace creates an account for them.

> Add allow/deny rules for self-registration in the simple password
> authentication module
> ---------------------------------------------------------------------------------------
>
>                 Key: DS-994
>                 URL: https://jira.duraspace.org/browse/DS-994
>             Project: DSpace
>          Issue Type: Improvement
>            Reporter: Hardy Pottinger
>            Assignee: Hardy Pottinger
>             Fix For: 1.8.0
>
>         Attachments: DS-994-force-canselfregister-to-always-return-false.patch,
>                      DS-994-warning-patch-is-missing-required-changes-to-dspace-cfg.patch
>
>   Original Estimate: 1 day
>  Remaining Estimate: 1 day
>
> The simple authentication module currently has a method where you can
> selectively allow self-registration for certain domains. If one wishes to use
> simple password authentication and self-registration as part of a stack of
> authentication modules, it is important to limit self-registration to only
> domains that cannot use an alternate authentication method (in particular,
> Shibboleth), or competing eperson records with the same email address can
> break authorization rules (in plain English, some folks won't be able to get
> to stuff they should be able to get to).
>
> Clarification: the problem is not actually in duplicate e-mail addresses in
> the system, as that's not possible given the table schema; duplicates would
> cause an SQL exception. The problem is the automatically-created
> authorizations, which result from a Shibboleth login (special groups logic:
> we've got a customized version of the shib authentication module, which
> assigns people to certain groups--think 'campus'--based on their e-mail
> address). None of those group memberships are created if an existing eperson
> record is found. The net result is, people who have self-registered are never
> allowed access to things they should have access to (in our system, the
> problem is usually with ETDs, as they can have specific access permissions
> set, at the request of the authors: campus access only, or system-wide access).
>
> Simply put, if an individual can authenticate with Shib then you want to
> ensure that they do so in order that they get assigned to the correct groups.
> And the only way to do that is to turn off self-registration for certain
> e-mail domains.
>
> This is a work in progress, I should be able to post a patch of the work so
> far later today.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.duraspace.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel
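As an added illustration, not code from DSpace or from the attached patches: a small Python model (DSpace itself is Java) of the stacked flow the ticket describes, using a hypothetical campus domain `example.edu`, a `campus` special group and hypothetical function names. It shows how an eperson record created by password self-registration before the first Shibboleth login causes the special-group assignment to be skipped, and how a per-domain deny rule prevents that.

```python
from dataclasses import dataclass, field

# Constructed sample policy (hypothetical values, not from the ticket or dspace.cfg):
# a domain that Shibboleth handles must be denied password self-registration.
SHIB_DOMAINS = {"example.edu"}
SELF_REGISTER_DENY = set(SHIB_DOMAINS)
SPECIAL_GROUPS = {"example.edu": "campus"}  # Shib special-group mapping by domain

@dataclass
class EPerson:
    email: str
    groups: set = field(default_factory=set)

def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()

def can_self_register(email, deny=SELF_REGISTER_DENY, allow=None):
    """Allow/deny rule for the password module: a denied domain never
    self-registers; if an allow list is given the domain must be in it."""
    d = domain_of(email)
    if d in deny:
        return False
    return allow is None or d in allow

def password_self_register(db, email, deny=SELF_REGISTER_DENY):
    """Password module: create the eperson only if the rule permits it."""
    if not can_self_register(email, deny):
        return None
    return db.setdefault(email.lower(), EPerson(email.lower()))

def shib_login(db, email):
    """Shib module: create the eperson and assign its special group, but
    only when no record exists yet (the skip the ticket describes)."""
    key = email.lower()
    if key in db:
        return db[key]
    ep = EPerson(key)
    group = SPECIAL_GROUPS.get(domain_of(key))
    if group:
        ep.groups.add(group)
    db[key] = ep
    return ep

def groups_after(email, deny):
    """Self-register first (subject to `deny`), then log in via Shib;
    return the groups the user ends up with."""
    db = {}
    password_self_register(db, email, deny)
    return sorted(shib_login(db, email).groups)
```

With an empty deny set `groups_after("alice@example.edu", set())` yields no groups at all; with the Shibboleth domain denied, the same user ends up in `campus`.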