Hi Jason,

DSpace ships with two LDAP options - LDAPAuthentication and 
LDAPHierarchicalAuthentication.

If all your users are in one branch of an ldap tree (e.g. they all exist in 
ou=users,dc=unb,dc=ca) then you can use the former. This does not perform an 
initial bind, it just binds to the user's DN using their credentials. If the 
bind is successful then it allows the user to log in to DSpace.

If your users are scattered across many different branches, then you'll need to 
use the LDAPHierarchicalAuthentication option. This has extra settings in 
dspace.cfg to set the DN and password of a user who has search rights across 
the LDAP directory. DSpace will bind as that user and then perform a search to 
find the DN of the user who is trying to log in. Once it finds that, it then 
binds a second time to that DN, using the user's password.

Hopefully the comments in dspace.cfg will guide you through the different 
settings. This blog post has some example settings in it that might help 
demonstrate what you need to put where:

 - http://blog.stuartlewis.com/2008/08/18/test-ldap-service-upgraded-now-with-branches/

Thanks,


Stuart Lewis
IT Innovations Analyst and Developer
Te Tumu Herenga The University of Auckland Library
Auckland Mail Centre, Private Bag 92019, Auckland 1142, New Zealand
Ph: +64 (0)9 373 7599 x81928


On 26/06/2010, at 2:51 AM, Jason Nugent wrote:

> Hi folks,
> 
> Just to confirm, does DSpace perform a two step check and then bind for
> authentication?  I ask, because I've been talking to the fellow who has
> access to our LDAP server logs and he has informed me that it appears as
> though DSpace is attempting to bind with uid=jnugent,dc=unb,dc=ca, which
> is obviously incorrect.  What it *should* be doing is an initial search
> with (uid=jnugent) as a filter, using the
> ldap.search_user/search_password, and then retrieving the DN for my
> record and binding with that, and the supplied password.  In my case, my
> full DN is unbCaId=XXXXXXX,ou=people,dc=unb,dc=ca where XXXXXX is a
> unique string. Our users would never know what that string was.
> 
> It sounds as though the setting for ldap.object_context is involved in
> this, since it is appended to the ldap.id_field and username, but in my
> case, I'd want it appended to unbCaID=XXXXXX, not my uid=jnugent string.
> 
> Regards,
> 
> Jason
> -- 
> Jason Nugent
> Systems Programmer/Database Developer
> Electronic Text Centre
> University of New Brunswick
> jnug...@unb.ca
> (506) 447 3177
> 
> _______________________________________________
> DSpace-tech mailing list
> DSpace-tech@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
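The two flows described in the reply, worked through as an added illustration (this is not DSpace's code, nor the classes it ships; DSpace itself talks to the directory via Java). The directory here is an in-memory mock standing in for an LDAP server, and the entries, DNs, passwords and the `0001234` identifier are constructed placeholders for the `unbCaId=XXXXXXX` value mentioned in the question. It shows why the direct-bind style fails for a user whose entry is not `uid=<netid>,<object_context>`, and how the search-then-bind style recovers the real DN. Two checks are included that a defender wants in any LDAP login path, whatever the product: refuse an empty password (an LDAP bind with a DN and no password is an "unauthenticated" bind that many servers accept) and refuse to bind when the search filter matches anything other than exactly one entry.

```python
"""Illustration of LDAP direct-bind vs. search-then-bind authentication.

Added example, not DSpace code. Runs offline against a constructed
in-memory directory; all DNs, passwords and ids below are made up.
"""
from dataclasses import dataclass, field


def _norm(dn: str) -> str:
    """DNs are case-insensitive; normalise before comparing."""
    return dn.replace(" ", "").lower()


@dataclass
class MockDirectory:
    """Constructed stand-in for an LDAP server. Keys are DNs."""
    entries: dict = field(default_factory=dict)

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 s.3.2: a bind with a DN and an empty password is an
        # "unauthenticated" bind, which many servers accept. A login routine
        # must refuse it itself, otherwise knowing a DN is enough to log in.
        if not password:
            return False
        for entry_dn, entry in self.entries.items():
            if _norm(entry_dn) == _norm(dn):
                return entry["password"] == password
        return False  # no such entry

    def search(self, base: str, attr: str, value: str) -> list:
        """Equality filter (attr=value), subtree scope under base."""
        b = _norm(base)
        return [dn for dn, e in self.entries.items()
                if (_norm(dn) == b or _norm(dn).endswith("," + b))
                and e["attrs"].get(attr) == value]


# Constructed directory: one search account and one person entry whose
# RDN is NOT the user's netid, exactly the situation in the question.
DIRECTORY = MockDirectory({
    "cn=dspace-search,ou=services,dc=unb,dc=ca": {
        "attrs": {"cn": "dspace-search"}, "password": "search-secret"},
    "unbCaId=0001234,ou=people,dc=unb,dc=ca": {
        "attrs": {"uid": "jnugent", "unbCaId": "0001234"},
        "password": "correct-horse"},
})


def direct_bind_auth(directory, netid, password,
                     id_field="uid", object_context="dc=unb,dc=ca"):
    """LDAPAuthentication-style: build DN from id_field + object_context
    and bind as it. Returns (ok, dn_tried) so the DN seen in server logs
    is visible to the caller."""
    dn = f"{id_field}={netid},{object_context}"
    return directory.bind(dn, password), dn


def search_then_bind_auth(directory, netid, password, search_user,
                          search_password, search_context, id_field="uid"):
    """LDAPHierarchicalAuthentication-style: bind as the search account,
    look up the user's DN by (id_field=netid), then bind as that DN."""
    if not directory.bind(search_user, search_password):
        return False, None  # search account misconfigured; fail closed
    matches = directory.search(search_context, id_field, netid)
    if len(matches) != 1:
        # 0 matches: unknown user. >1: ambiguous filter; never pick the first.
        return False, None
    user_dn = matches[0]
    return directory.bind(user_dn, password), user_dn


if __name__ == "__main__":
    print(direct_bind_auth(DIRECTORY, "jnugent", "correct-horse"))
    print(search_then_bind_auth(
        DIRECTORY, "jnugent", "correct-horse",
        "cn=dspace-search,ou=services,dc=unb,dc=ca", "search-secret",
        "ou=people,dc=unb,dc=ca"))
```

The first call reproduces what the LDAP administrator saw in the logs: a bind attempt against `uid=jnugent,dc=unb,dc=ca`, which does not exist, so it fails regardless of the password. The second finds `unbCaId=0001234,ou=people,dc=unb,dc=ca` through the search account and then binds with the user's own password.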