Hello Tom, Thanks for your contribution, we applied the changes of the 3 files that you mention in the page https://github.com/DSpace/DSpace/pull/1598, and we could not connect to an LDAP, did you find any other solution? Or are we doing something wrong?
El martes, 3 de enero de 2017, 6:15:45 (UTC-6), Tom Desair (Atmire) escribió: > > I created a pull request which contains this fix: > https://github.com/DSpace/DSpace/pull/1598 > > > [image: logo] Tom Desair > 250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586 > Esperantolaan 4, Heverlee 3001, Belgium > www.atmire.com > <http://atmire.com/website/?q=services&utm_source=emailfooter&utm_medium=email&utm_campaign=tomdesair> > > 2016-12-22 16:37 GMT+01:00 Tom Desair <tom.d...@atmire.com <javascript:>>: > >> That's great news! I'll try to convert this into a pull request between >> Christmas and New Year so that it is also fixed upstream. >> >> Best regards, >> Tom >> >> >> [image: logo] Tom Desair >> 250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586 >> Esperantolaan 4, Heverlee 3001, Belgium >> www.atmire.com >> <http://atmire.com/website/?q=services&utm_source=emailfooter&utm_medium=email&utm_campaign=tomdesair> >> >> 2016-12-22 16:19 GMT+01:00 Devaux Cédric <cedric...@insee.fr >> <javascript:>>: >> >>> >>> I've made a test with *DSpaceAuthenticationProvider.java* provide by >>> Tom ( >>> https://github.com/milieuinfo/dspace54-atmire/blob/ontwikkel/dspace/modules/rest/src/main/java/org/dspace/rest/authentication/DSpaceAuthenticationProvider.java >>> >>> <https://github.com/milieuinfo/dspace54-atmire/blob/ontwikkel/dspace/modules/rest/src/main/java/org/dspace/rest/authentication/DSpaceAuthenticationProvider.java#L65> >>> >>> ) and it's OK : >>> >>> When I check the authentication (/status) with the JSESSIONID from the >>> /login response, "authenticated" is now true : >>> >>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> >>> <status><authenticated>true</authenticated><email>*@*.*</email><fullname>Cedric >>> >>> Devaux</fullname><okay>true</okay></status> >>> >>> >>> (The response to /status request is now similar to Password >>> Authentication : without apiVersion and sourceVersion ) >>> >>> Thanks for this solution. >>> >>> Regards, >>> >>> Cedric >>> >>> >>> >>> >>> >>> ------------------------------ >>> *De :* dspac...@googlegroups.com <javascript:> [mailto: >>> dspac...@googlegroups.com <javascript:>] *De la part de* Tom Desair >>> *Envoyé :* jeudi 22 décembre 2016 09:41 >>> *À :* Terry Brady >>> *Cc :* Devaux Cédric; dspac...@googlegroups.com <javascript:> >>> *Objet :* Re: [dspace-tech] DSpace 6.0 : problem with LDAP >>> authentication in REST API >>> >>> This is a bit of a guess, but we had a client for which we needed to >>> implement authentication support for OpenAM through the REST API. To do >>> this, we back ported the DSpace 6 REST authentication framework to DSpace >>> 5. We then encountered a similar issue. >>> >>> The problem is that when a user logs in using LDAP or Shibboleth, they >>> do that using a some kind of username or user ID and not their e-mail >>> address. This has the effect that the DSpace 6 DSpaceAuthenticationProvider >>> creates a UsernamePasswordAuthenticationToken with that user name (which is >>> not an e-mail address): >>> https://github.com/DSpace/DSpace/blob/master/dspace-rest/src/main/java/org/dspace/rest/authentication/DSpaceAuthenticationProvider.java#L63 >>> >>> Later on, this user name is used to lookup the ePerson account based on >>> his e-mail address: >>> https://github.com/DSpace/DSpace/blob/master/dspace-rest/src/main/java/org/dspace/rest/Resource.java#L91 >>> >>> BUT THIS IS WRONG, since the user name is mostly not the e-mail address of >>> that user. >>> >>> We fixed this by adding a method createAuthenticationToken to the >>> DSpaceAuthenticationProvider that will store the authenticated ePerson's >>> e-mail address in the Spring Authentication object, instead of the user >>> name used to login: >>> https://github.com/milieuinfo/dspace54-atmire/blob/ontwikkel/dspace/modules/rest/src/main/java/org/dspace/rest/authentication/DSpaceAuthenticationProvider.java#L65 >>> >>> That solved the problem for us, since the logic in the REST Resource class >>> is then correct. >>> >>> I do not have access to a development Shibboleth or LDAP system so I >>> cannot test if this will also fix the problem in the official DSpace 6 >>> code, but I'm pretty confident it will. Can someone who has a development >>> Shibboleth and/or LDAP, apply this fix and check if it works? If it helps, >>> I can create a separate pull request for this. >>> >>> I do not think this is related to >>> https://jira.duraspace.org/browse/DS-3108, since Cédric is able to >>> complete the authentication request. I have another idea about DS-3108 >>> which I will post in the comments of that ticket. >>> >>> Best regards, >>> Tom >>> >>> >>> [image: logo] Tom Desair >>> 250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586 >>> Esperantolaan 4, Heverlee 3001, Belgium >>> www.atmire.com >>> <http://atmire.com/website/?q=services&utm_source=emailfooter&utm_medium=email&utm_campaign=tomdesair> >>> >>> >>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "DSpace Technical Support" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to dspace-tech...@googlegroups.com <javascript:>. >>> To post to this group, send email to dspac...@googlegroups.com >>> <javascript:>. >>> Visit this group at https://groups.google.com/group/dspace-tech. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> > -- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech+unsubscr...@googlegroups.com. To post to this group, send email to dspace-tech@googlegroups.com. Visit this group at https://groups.google.com/group/dspace-tech. For more options, visit https://groups.google.com/d/optout.
