Hello, I can't get authentication to work in DSpace 7.6 using LDAP. I would 
like to describe my whole setup. All PCs are running CentOS 7. On one I 
have LDAP and on another I have DSpace 7.6. I should add that DSpace is at 
http://ip and everything works correctly (Solr, Tomcat, backend and 
frontend). I can log in with email normally, but not as an LDAP user. I 
would like to share the configuration I have so far and the (positive) 
connectivity tests of the LDAP server and user from the DSpace PC... 
Thank you, and let's see if you can help me with what I show you. I have 
used the official documentation all the time.


# LDAP authentication/authorization. See authentication-ldap.cfg for default configuration.

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = 





#------------LDAP AUTHENTICATION CONFIGURATIONS-----------------#


# Configuration properties used by the LDAP Authentication      #

# plugin, when it is enabled.                                   #




# If LDAP is enabled, then new users will be able to register

# by entering their username and  password without being sent the

# registration token. If users do not have a username and password,

# then they  can still register and login with just their email address

# the same way they do now.


# For providing any special privileges to LDAP users,

# you will still need to extend the SiteAuthenticator class to

# automatically put people who have a netid into a special

# group.  You might also want to give certain email addresses

# special privileges. Refer to the DSpace documentation for more

# information about how to do this.


# It may be necessary to obtain the values of these settings from the

# LDAP server administrators as LDAP configuration will vary from server

# to server.


# This setting will enable or disable LDAP authentication in DSpace.

# With the setting off, users will be required to register and login with

# their email address.  With this setting on, users will be able to login

# and register with their LDAP user ids and passwords.

*authentication-ldap.enable = true*



##### LDAP AutoRegister Settings #####


# This will turn LDAP autoregistration on or off.  With this

# on, a new EPerson object will be created for any user who

# successfully authenticates against the LDAP server when they

# first login.  With this setting off, the user

# must first register to get an EPerson object by

# entering their ldap username and password and filling out

# the forms.

*authentication-ldap.autoregister = true*



# This is the url to the institution's ldap server. The "o=myu.edu"

# part may or may not be required depending on the LDAP server setup,

# but make sure to include the slash after domain name.

# A server may also require the ldaps:// protocol.

# Note: Prepend commas with a backslash to escape them

*authentication-ldap.provider_url = ldap://ds.intranet.despace.es*

*autenticación-LDAP.starttls = true*


# This is the unique identifier field in the LDAP directory

# where the username is stored.

*authentication-ldap.id_field = uid*


# This is the object context used when authenticating the

# user.  It is appended to the id_field and username.

# For example uid=username,ou=people,ou=faculties,o=myu.edu.  This must match

# the LDAP server configuration.

# Note: Prepend commas with a backslash to escape them

*authentication-ldap.object_context = o= ds.intranet.despace.es*


# This is the search context used when looking up a user's

# LDAP object to retrieve their data for autoregistering.

# With autoregister turned on, when a user authenticates

# without an EPerson object, a search on the LDAP directory to

# get their name and email address is initiated so that DSpace

# can create a EPerson object for them.  So after we have authenticated 

# uid=username,ou=people,o=byu.edu we now search in ou=people

# for filtering on [uid=username].  Often the

# search_context is the same as the object_context

# parameter.  But again this depends on each individual LDAP server

# configuration.

# Note: Prepend commas with a backslash to escape them

*authentication-ldap.search_context = o= ds.intranet.despace.es*


# This is the LDAP object field where the user's email address

# is stored.  "mail" is the default and the most common for

# LDAP servers.  If the mail field is not found the username

# will be used as the email address when creating the eperson

# object.

*authentication-ldap.email_field = mail*


# This is the LDAP object field where the user's last name is

# stored.  "sn" is the default and is the most common for LDAP

# servers.  If the field is not found the field will be left

# blank in the new eperson object.

*authentication-ldap.surname_field = sn*


# This is the LDAP object field where the user's given names

# are stored.  This may not be used or set in all LDAP instances.

# If the field is not found the field will be left blank in the

# new eperson object.

*authentication-ldap.givenname_field = givenName*


# This is the field where the user's phone number is stored in

# the LDAP directory.  If the field is not found the field

# will be left blank in the new eperson object.

# authentication-ldap.phone_field = telephoneNumber



##### LDAP users group #####


# If required, a group name can be given here, and all users who log in

# to LDAP will automatically become members of this group. This is useful

# if you want a group made up of all internal authenticated users.

#authentication-ldap.login.specialgroup = group-name



##### Hierarchical LDAP Settings #####


# If your users are spread out across a hierarchical tree on your

# LDAP server, you will need to search the tree to find the full DN of

# the user who is logging in.


# * If anonymous search is allowed on your LDAP server, you will need to set

#   search.anonymous = true

# * If not, you will need to specify the full DN and password of a 

#   user that is allowed to bind in order to search for the users.

# * If neither search.anonymous is true, nor search.user is specified,

#   LDAP will not do the hierarchical search for a DN and will assume

#   a flat directory structure.


# This is the optional search scope value for the LDAP search during

# autoregistering. This will depend on your LDAP server setup.

# This value must be one of the following integers corresponding

# to the following values:

# object scope : 0

# one level scope : 1

# subtree scope : 2

#authentication-ldap.search_scope = 2


# If true, the initial bind will be performed anonymously.

*authentication-ldap.search.anonymous = true*


# The full DN and password of a user allowed to connect to the LDAP server

# and search for the DN of the user trying to log in.

# Note: Prepend commas with a backslash to escape them

*authentication-ldap.search.user = 52955890c*

*authentication-ldap.search.password = C3nt0s7!*


# If your LDAP server does not hold an email address for a user, you can use

# the following field to specify your email domain. This value is appended

# to the netid in order to make an email address. E.g. a netid of 'user' and

# netid_email_domain as '@example.com' would set the email of the user

# to be 'u...@example.com

*authentication-ldap.netid_email_domain = @ds .intranet.despace.es*


# Take the left part of the groupmap value (before the ":") and look it up

# in user's full DN. If it's found, assign user to the DSpace group

# specified by the right part of the groupmap value (after the ":").

# One user may belong to multiple groups.

#authentication-ldap.login.groupmap.1 = ou=ldap-dept1:dspace-group1

#authentication-ldap.login.groupmap.2 = ou=ldap-dept2:dspace-groupA

#authentication-ldap.login.groupmap.3 = ou=ldap-dept3:dspace-groupA


# If this property is uncommented, it changes the meaning of the left part of

# the groupmap value (before the ":") as follows.

# The value of login.groupmap.attribute specifies the name of an LDAP attribute.

# If user has this attribute, look up the value of this attribute in the left

# part of the groupmap value (before the ":"). If it's found, assign user to

# the DSpace group specified by the right part of the groupmap value (after

# the ":").

#authentication-ldap.login.groupmap.attribute = group

#authentication-ldap.login.groupmap.1 = ldap-dept1:dspace-group1

#authentication-ldap.login.groupmap.2 = ldap-dept2:dspace-groupA

#authentication-ldap.login.groupmap.3 = ldap-dept3:dspace-groupA


# Enables support for StartTLS (default is false). If this flag is true be sure provider_url looks like:

# ldap://ldap.myu.edu:389












*2024-03-07 15:32:37,504 INFO  unknown unknown 
org.dspace.authenticate.PasswordAuthentication @ 
anonymous::authenticate:attempting password auth of user=52955890c*

*2024-03-07 15:32:37,507 INFO  unknown unknown 
org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ 
anonymous::failed_login:email=52955890c, result=4*

*2024-03-07 15:32:37,508 ERROR unknown unknown 
org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed 

org.springframework.security.authentication.BadCredentialsException: Login 






                at java.lang.Thread.run(Thread.java:833) [?:?]


*Test LDAP in DSPACE 7.6 PC*

*ldapsearch -H ldap://ds.intranet.dspace.es/ -x -b "" -s base           *


dnsHostName: dscentos.DS.intranet.dspace.es

ldapServiceName: intranet.dspace.es:dscentos$@DS.INTRANET.DSPACE.ES






isSynchronized: TRUE

isGlobalCatalogReady: TRUE

domainFunctionality: 6

forestFunctionality: 6

domainControllerFunctionality: 6


# search result

search: 2

result: 0 Success


# numResponses: 2

# numEntries: 1



*ldapsearch -H ldap://ds.intranet.dspace.es/ -x -b "" -s base -D 
'529558...@ds.intranet.dspace.es' -w 'C3nt0s!' *




isGlobalCatalogReady: TRUE

domainFunctionality: 6

forestFunctionality: 6

domainControllerFunctionality: 6


# search result

search: 2

result: 0 Success


# numResponses: 2

# numEntries: 1
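
An added example, not part of the original post and not DSpace code: a small linter for the settings that the configuration comments above describe (the authentication method sequence, the `authentication-ldap.` key prefix, StartTLS with an `ldap://` URL, and the "full DN" requirement for `search.user`). The parser is a simplified `key = value` reader, the finding labels are hypothetical, and the sample input is constructed.

```python
PREFIX = "authentication-ldap."
SEQ_KEY = "plugin.sequence.org.dspace.authenticate.AuthenticationMethod"
LDAP_CLASS = "org.dspace.authenticate.LDAPAuthentication"

# Constructed sample input (hostname taken from the comment in the config).
SAMPLE = """\
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication
authentication-ldap.enable = true
authentication-ldap.provider_url = ldap://ldap.myu.edu:389
autenticacion-ldap.starttls = true
authentication-ldap.search.anonymous = true
authentication-ldap.search.user = someuser
authentication-ldap.search.password = PLACEHOLDER
"""

def parse_props(text):
    """Simplified reader: 'key = value' lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip().strip("*").strip()  # drop e-mail bold markers
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # a DN value may itself contain '='
        props[key.strip()] = value.strip()
    return props

def lint(props):
    """Return a list of findings for the LDAP-related settings."""
    findings = []
    def get(name):
        return props.get(PREFIX + name, "")
    # Without the LDAP class in the sequence, only the listed methods run.
    if LDAP_CLASS not in props.get(SEQ_KEY, ""):
        findings.append("sequence: LDAPAuthentication not listed")
    # A key with a different prefix is never read as an LDAP setting.
    for key in props:
        if key != SEQ_KEY and not key.startswith(PREFIX):
            findings.append(f"unknown-key: {key}")
    # ldap:// without StartTLS sends the bind password unencrypted.
    if get("provider_url").startswith("ldap://") and get("starttls").lower() != "true":
        findings.append("cleartext: ldap:// without starttls")
    user = get("search.user")
    if user and "=" not in user:
        findings.append("search.user: not a full DN")
    if user and get("search.anonymous").lower() == "true":
        findings.append("search: anonymous=true and search.user both set")
    return findings
```
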

