Thanks clive, I can login to dsapce using active directory password, But can't login using the old dspace account. What will be the solution if I want some users to login using Dspace account.
Can anybody assist on this please. Thanks sisay ------------------------------------------------------------------- Message: 1 Date: Sat, 11 Jun 2011 11:06:59 +0100 From: Clive Gould <cli...@gmail.com> Subject: Re: [Dspace-tech] LDAP on dspace 1.7.1 To: dspace-tech@lists.sourceforge.net Cc: s.webs...@cgiar.org Message-ID: <banlktikohoq9vlb4c7i3pktdct5hqhq...@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" Hi Sisay I'm not an expert on DSpace or LDAP, but I have had DSpace/LDAP authentication successfully working on our production server for several years. We are using CentOS 5 Linux and Windows LDAP. If you would like to see the process I went through and the configuration settings I used please have a look at the following blog: http://dspacebromley.blogspot.com/ The entry you want is about 1/4 the way through the blog. It applies to an earlier version of DSpace, but same configuration settings work fine with DSpace 1.7.1 Incidentally for legacy reasons I'm using jspui too Good luck ;) Clive -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 2 Date: Sat, 11 Jun 2011 11:17:39 +0300 From: "Webshet, Sisay (ILRI)" <s.webs...@cgiar.org> Subject: [Dspace-tech] LDAP on dspace 1.7.1 To: <dspace-tech@lists.sourceforge.net> Message-ID: <e0b1bfd2eacafb4c9bdbc73eeea14c1701c71...@ilrietx1.ilri.cgiarad.org> Content-Type: text/plain; charset="us-ascii" Hello all, I have problem, i'm using dspace 1.7.1, jspui, on Linux (Debian) So I think using Active Directory. I just browsed our LDap server (Ms windows) as follow on ldapsearch -x -H ldap://172.26.0.218:389 -b "dc=ilri,dc=cgiarad,dc=org" -D "swebs...@ilri.cgiarad.org" -W "(sAMAccountName=swebshet)" I did some configuration options in dspace.cfg as follow. Should some other java files be configured. May be files like (LDAPservelet.java,registerservelet.java,LDAPAuthenticate.java,passworda utheticat.java) #### Stackable Authentication Methods ##### # Stack of authentication methods # (See org.dspace.authenticate.AuthenticationManager) # Example: # plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \ # org.dspace.authenticate.ShibAuthentication, \ # org.dspace.authenticate.PasswordAuthentication plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \ org.dspace.authenticate.LDAPHierarchicalAuthentication #### LDAP Authentication Configuration Settings #### # # If LDAP is enabled, then new users will be able to register # by entering their username and password without being sent the # registration token. If users do not have a username and password, # then they can still register and login with just their email address # the same way they do now. # # For providing any special privileges to LDAP users, # you will still need to extend the SiteAuthenticator class to # automatically put people who have a netid into a special # group. You might also want to give certain email addresses # special privileges. Refer to the DSpace documentation for more # information about how to do this. # # It may be necessary to obtain the values of these settings from the # LDAP server administrators as LDAP configuration will vary from server # to server. # This setting will enable or disable LDAP authentication in DSpace. # With the setting off, users will be required to register and login with # their email address. With this setting on, users will be able to login # and register with their LDAP user ids and passwords. # This setting is only used by the JSPUI. ldap.enable = true # This is the url to the institution's ldap server. The /o=myu.edu # may or may not be required depending on the LDAP server setup. # A server may also require the ldaps:// protocol. ldap.provider_url = ldap://ldap.myu.edu/o=myu.edu ldap.provider_url = ldap://192.168.249.99:389/ # This is the unique identifier field in the LDAP directory # where the username is stored. ldap.id_field = sAMAccountName # This is the object context used when authenticating the # user. It is appended to the ldap.id_field and username. # For example uid=username,ou=people,o=myu.edu. This must match # the LDAP server configuration. #ldap.object_context = ou=people,o=myu.edu ldap.object_context = OU=ILRI Ethiopia Employees,OU=ILRI Ethiopia,DC=ILRI,DC=CGIARAD,DC=ORG # This is the search context used when looking up a user's # LDAP object to retrieve their data for autoregistering. # With ldap.autoregister turned on, when a user authenticates # without an EPerson object, a search on the LDAP directory to # get their name and email address is initiated so that DSpace # can create a EPerson object for them. So after we have authenticated against # uid=username,ou=people,o=byu.edu we now search in ou=people # for filtering on [uid=username]. Often the # ldap.search_context is the same as the ldap.object_context # parameter. But again this depends on each individual LDAP server # configuration. ldap.search_context = OU=ILRI Ethiopia Employees,OU=ILRI Ethiopia,DC=ILRI,DC=CGIARAD,DC=ORG # This is the LDAP object field where the user's email address # is stored. "mail" is the default and the most common for # LDAP servers. If the mail field is not found the username # will be used as the email address when creating the eperson # object. ldap.email_field = mail # This is the LDAP object field where the user's last name is # stored. "sn" is the default and is the most common for LDAP # servers. If the field is not found the field will be left # blank in the new eperson object. #ldap.surname_field = sn # This is the LDAP object field where the user's given names # are stored. This may not be used or set in all LDAP instances. # If the field is not found the field will be left blank in the # new eperson object. #ldap.givenname_field = givenName # This is the field where the user's phone number is stored in # the LDAP directory. If the field is not found the field # will be left blank in the new eperson object. #ldap.phone_field = telephoneNumber ##### LDAP AutoRegister Settings ##### # This will turn LDAP autoregistration on or off. With this # on, a new EPerson object will be created for any user who # successfully authenticates against the LDAP server when they # first login. With this setting off, the user # must first register to get an EPerson object by # entering their ldap username and password and filling out # the forms. webui.ldap.autoregister = true ##### LDAP users group ##### # If required, a group name can be given here, and all users who log in # to LDAP will automatically become members of this group. This is useful # if you want a group made up of all internal authenticated users. #ldap.login.specialgroup = group-name ##### Hierarchical LDAP Settings ##### # If your users are spread out across a hierarchical tree on your # LDAP server, you will need to use the following stackable authentication # class: plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \ org.dspace.authenticate.LDAPHierarchicalAuthentication # You can optionally specify the search scope. If anonymous access is not # enabled on your LDAP server, you will need to specify the full DN and # password of a user that is allowed to bind in order to search for the # users. # This is the search scope value for the LDAP search during # autoregistering. This will depend on your LDAP server setup. # This value must be one of the following integers corresponding # to the following values: # object scope : 0 # one level scope : 1 # subtree scope : 2 ldap.search_scope = 2 # The full DN and password of a user allowed to connect to the LDAP server # and search for the DN of the user trying to log in. If these are not specified, # the initial bind will be performed anonymously. #ldap.search.user = cn=admin,ou=people,o=myu.edu ldap.search.user = CN=Webshet\, Sisay (ILRI),OU=ILRI Ethiopia Employees,OU=ILRI Ethiopia,DC=ILRI,DC=CGIARAD,DC=ORG ldap.search.password = xxxxxxxxxxx # If your LDAP server does not hold an email address for a user, you can use # the following field to specify your email domain. This value is appended # to the netid in order to make an email address. E.g. a netid of 'user' and # ldap.netid_email_domain as '@example.com' would set the email of the user # to be 'u...@example.com #ldap.netid_email_domain = @example.com the log file shows me as follow. can any body asssit me org.dspace.authenticate.LDAPHierarchicalAuthentication @ anonymous:session_id=F11C4BFF6647976278B2B56BDFD04544:ip_addr=172.27.1.1 :ldap_authentication:type=failed_auth javax.naming.AuthenticationException\colon; [LDAP\colon; error code 49 - 80090308\colon; LdapErr\colon; DSID-0C0903A9, comment\colon; AcceptSecurityContext error, data 52e, v1db0FD04544:ip_addr=172.27.1.1:failed_login:netid=swebshet, result=2 Thanks sisay ------------------------------------------------------------------------------ EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev _______________________________________________ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech
