Sisay,

You need to make sure that in your dspace.cfg you have all the different types of authentication you plan to use, and in the order you wish to have DSpace check them.

In my local implementation I have:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
       org.dspace.authenticate.LDAPHierarchicalAuthentication, \
       org.dspace.authenticate.PasswordAuthentication

As you can see, we are using Hierarchical LDAP (and we use Active Directory here). DSpace checks to see if that field is authenticated; if not, it will move to PasswordAuthentication.

Make sure your logon screens have both options available.

Hope this helps a little.

--Jeff


On Jun 15, 2011, at 6:05 AM, Webshet, Sisay (ILRI) wrote:

> Thanks Clive,
> 
> I can log in to DSpace using the Active Directory password,
> but can't log in using the old DSpace account. What will be the solution
> if I want some users to log in using a DSpace account?
> 
> Can anybody assist with this, please?
> 
> Thanks
> sisay
> 
> -------------------------------------------------------------------
> 
> Message: 1
> Date: Sat, 11 Jun 2011 11:06:59 +0100
> From: Clive Gould <cli...@gmail.com>
> Subject: Re: [Dspace-tech] LDAP on dspace 1.7.1
> To: dspace-tech@lists.sourceforge.net
> Cc: s.webs...@cgiar.org
> Message-ID: <banlktikohoq9vlb4c7i3pktdct5hqhq...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Hi Sisay
> 
> I'm not an expert on DSpace or LDAP, but I have had DSpace/LDAP
> authentication successfully working on our production server for several
> years.
> 
> We are using CentOS 5 Linux and Windows LDAP. If you would like to see the
> process I went through and the configuration settings I used please have a
> look at the following blog:
> 
> http://dspacebromley.blogspot.com/
> 
> The entry you want is about 1/4 the way through the blog.
> 
> It applies to an earlier version of DSpace, but the same configuration settings
> work fine with DSpace 1.7.1
> 
> Incidentally for legacy reasons I'm using jspui too
> 
> Good luck ;)
> 
> Clive
> 
> ------------------------------
> Message: 2
> Date: Sat, 11 Jun 2011 11:17:39 +0300
> From: "Webshet, Sisay (ILRI)" <s.webs...@cgiar.org>
> Subject: [Dspace-tech] LDAP on dspace 1.7.1
> To: <dspace-tech@lists.sourceforge.net>
> Message-ID: <e0b1bfd2eacafb4c9bdbc73eeea14c1701c71...@ilrietx1.ilri.cgiarad.org>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hello all,
> 
> I have a problem. I'm using DSpace 1.7.1 (JSPUI) on Linux (Debian), so I am
> thinking of using Active Directory.
> 
> I just browsed our LDAP server (MS Windows) as follows:
> 
> ldapsearch -x -H ldap://172.26.0.218:389 -b "dc=ilri,dc=cgiarad,dc=org" -D "swebs...@ilri.cgiarad.org" -W "(sAMAccountName=swebshet)"
> 
> I set some configuration options in dspace.cfg as follows. Should some
> other Java files be configured as well, maybe files like
> (LDAPServlet.java, RegisterServlet.java, LDAPAuthenticate.java, PasswordAuthentication.java)?
> 
> 
> #### Stackable Authentication Methods #####
> 
> # Stack of authentication methods
> #  (See org.dspace.authenticate.AuthenticationManager)
> # Example:
> # plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
> #       org.dspace.authenticate.ShibAuthentication, \
> #        org.dspace.authenticate.PasswordAuthentication
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
>        org.dspace.authenticate.LDAPHierarchicalAuthentication
> 
> #### LDAP Authentication Configuration Settings ####
> #
> # If LDAP is enabled, then new users will be able to register
> # by entering their username and  password without being sent the
> # registration token. If users do not have a username and password,
> # then they  can still register and login with just their email address
> # the same way they do now.
> #
> # For providing any special privileges to LDAP users,
> # you will still need to extend the SiteAuthenticator class to
> # automatically put people who have a netid into a special
> # group.  You might also want to give certain email addresses
> # special privileges. Refer to the DSpace documentation for more
> # information about how to do this.
> #
> # It may be necessary to obtain the values of these settings from the
> # LDAP server administrators as LDAP configuration will vary from server
> # to server.
> 
> # This setting will enable or disable LDAP authentication in DSpace.
> # With the setting off, users will be required to register and login with
> # their email address.  With this setting on, users will be able to login
> # and register with their LDAP user ids and passwords.
> # This setting is only used by the JSPUI.
> ldap.enable = true
> 
> # This is the url to the institution's ldap server. The /o=myu.edu
> # may or may not be required depending on the LDAP server setup.
> # A server may also require the ldaps:// protocol.
> ldap.provider_url = ldap://ldap.myu.edu/o=myu.edu
> ldap.provider_url = ldap://192.168.249.99:389/
> 
> # This is the unique identifier field in the LDAP directory
> # where the username is stored.
> ldap.id_field = sAMAccountName
> 
> # This is the object context used when authenticating the
> # user.  It is appended to the ldap.id_field and username.
> # For example uid=username,ou=people,o=myu.edu.  This must match
> # the LDAP server configuration.
> #ldap.object_context = ou=people,o=myu.edu
> ldap.object_context = OU=ILRI Ethiopia Employees,OU=ILRI Ethiopia,DC=ILRI,DC=CGIARAD,DC=ORG
> 
> # This is the search context used when looking up a user's
> # LDAP object to retrieve their data for autoregistering.
> # With ldap.autoregister turned on, when a user authenticates
> # without an EPerson object, a search on the LDAP directory to
> # get their name and email address is initiated so that DSpace
> # can create a EPerson object for them.  So after we have authenticated against
> # uid=username,ou=people,o=byu.edu we now search in ou=people
> # for filtering on [uid=username].  Often the
> # ldap.search_context is the same as the ldap.object_context
> # parameter.  But again this depends on each individual LDAP server
> # configuration.
> ldap.search_context = OU=ILRI Ethiopia Employees,OU=ILRI Ethiopia,DC=ILRI,DC=CGIARAD,DC=ORG
> 
> # This is the LDAP object field where the user's email address
> # is stored.  "mail" is the default and the most common for
> # LDAP servers.  If the mail field is not found the username
> # will be used as the email address when creating the eperson
> # object.
> ldap.email_field = mail
> 
> # This is the LDAP object field where the user's last name is
> # stored.  "sn" is the default and is the most common for LDAP
> # servers.  If the field is not found the field will be left
> # blank in the new eperson object.
> #ldap.surname_field = sn
> 
> # This is the LDAP object field where the user's given names
> # are stored.  This may not be used or set in all LDAP instances.
> # If the field is not found the field will be left blank in the
> # new eperson object.
> #ldap.givenname_field = givenName
> 
> # This is the field where the user's phone number is stored in
> # the LDAP directory.  If the field is not found the field
> # will be left blank in the new eperson object.
> #ldap.phone_field = telephoneNumber
> 
> ##### LDAP AutoRegister Settings #####
> 
> # This will turn LDAP autoregistration on or off.  With this
> # on, a new EPerson object will be created for any user who
> # successfully authenticates against the LDAP server when they
> # first login.  With this setting off, the user
> # must first register to get an EPerson object by
> # entering their ldap username and password and filling out
> # the forms.
> webui.ldap.autoregister = true
> 
> ##### LDAP users group #####
> 
> # If required, a group name can be given here, and all users who log in
> # to LDAP will automatically become members of this group. This is useful
> # if you want a group made up of all internal authenticated users.
> #ldap.login.specialgroup = group-name
> 
> ##### Hierarchical LDAP Settings #####
> 
> # If your users are spread out across a hierarchical tree on your
> # LDAP server, you will need to use the following stackable authentication
> # class:
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
>        org.dspace.authenticate.LDAPHierarchicalAuthentication
> 
> # You can optionally specify the search scope. If anonymous access is not
> # enabled on your LDAP server, you will need to specify the full DN and
> # password of a user that is allowed to bind in order to search for the
> # users.
> 
> # This is the search scope value for the LDAP search during
> # autoregistering. This will depend on your LDAP server setup.
> # This value must be one of the following integers corresponding
> # to the following values:
> # object scope : 0
> # one level scope : 1
> # subtree scope : 2
> ldap.search_scope = 2
> 
> # The full DN and password of a user allowed to connect to the LDAP server
> # and search for the DN of the user trying to log in. If these are not specified,
> # the initial bind will be performed anonymously.
> #ldap.search.user = cn=admin,ou=people,o=myu.edu
> ldap.search.user = CN=Webshet\, Sisay (ILRI),OU=ILRI Ethiopia Employees,OU=ILRI Ethiopia,DC=ILRI,DC=CGIARAD,DC=ORG
> ldap.search.password = xxxxxxxxxxx
> 
> # If your LDAP server does not hold an email address for a user, you can use
> # the following field to specify your email domain. This value is appended
> # to the netid in order to make an email address. E.g. a netid of 'user' and
> # ldap.netid_email_domain as '@example.com' would set the email of the user
> # to be 'u...@example.com
> #ldap.netid_email_domain = @example.com
> 
> The log file shows me the following. Can anybody assist me?
> 
> org.dspace.authenticate.LDAPHierarchicalAuthentication @ anonymous:session_id=F11C4BFF6647976278B2B56BDFD04544:ip_addr=172.27.1.1:ldap_authentication:type=failed_auth javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0FD04544:ip_addr=172.27.1.1:failed_login:netid=swebshet, result=2
> 
> Thanks
> sisay
> 
> 
> 
> _______________________________________________
> DSpace-tech mailing list
> DSpace-tech@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/dspace-tech

Jeffrey Trimble
System Librarian
William F.  Maag Library
Youngstown State University
330.941.2483 (Office)
jatrim...@ysu.edu
http://www.maag.ysu.edu
http://digital.maag.ysu.edu
"For he is the Kwisatz Haderach..."
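The exchange above turns on the order of the stackable authentication methods: with only LDAPHierarchicalAuthentication configured, a login with a legacy DSpace password never reaches PasswordAuthentication. The following is an added example, not DSpace's own code, that models that sequence so the two configurations can be compared side by side. The in-memory directory, the local account table, the salted-SHA-256 scheme, the credentials, and the "first SUCCESS wins, otherwise report the lowest failure code" rule are this example's own simplifications; the return-code values follow org.dspace.authenticate.AuthenticationMethod, and the class names are reused only as labels.

```python
"""Added example, not DSpace code: a model of the dspace.cfg authentication
stack (plugin.sequence.org.dspace.authenticate.AuthenticationMethod).
Directory contents, local accounts, hash scheme and credentials are
constructed for the example."""
import hashlib
import hmac

# Return codes as in org.dspace.authenticate.AuthenticationMethod (lower is closer to success).
SUCCESS, BAD_CREDENTIALS, NO_SUCH_USER, BAD_ARGS = 1, 2, 4, 5

# Constructed stand-in for the AD subtree under ldap.search_context (subtree scope).
FAKE_DIRECTORY = {
    "CN=Webshet\\, Sisay (ILRI),OU=ILRI Ethiopia Employees,OU=ILRI Ethiopia,DC=ILRI,DC=CGIARAD,DC=ORG":
        {"sAMAccountName": "swebshet", "mail": "swebshet@example.org", "password": "ad-secret"},
}


def _digest(salt: bytes, password: str) -> str:
    """Salted SHA-256 hex digest (example scheme, not DSpace's EPerson storage format)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed local EPerson table: the "old DSpace account" from the thread.
_SALT = b"\x00\x11\x22\x33"
LOCAL_EPERSONS = {"oldaccount@example.org": (_SALT, _digest(_SALT, "local-pass"))}


class LDAPHierarchicalAuthentication:
    """Search-then-bind: look up (ldap.id_field=netid) under ldap.search_context using the
    ldap.search.user credentials, then bind as the DN that was found with the user's password."""

    def __init__(self, id_field="sAMAccountName"):
        self.id_field = id_field

    def authenticate(self, netid, password):
        matches = [dn for dn, attrs in FAKE_DIRECTORY.items() if attrs.get(self.id_field) == netid]
        if not matches:
            return NO_SUCH_USER  # nothing to bind as, so no bind is attempted
        # A real bind against AD with the wrong password fails with LDAP error 49, data 52e.
        stored = FAKE_DIRECTORY[matches[0]]["password"].encode()
        return SUCCESS if hmac.compare_digest(stored, password.encode()) else BAD_CREDENTIALS


class PasswordAuthentication:
    """Check the password against the salted digest stored for the local EPerson."""

    def authenticate(self, netid, password):
        record = LOCAL_EPERSONS.get(netid)
        if record is None:
            return NO_SUCH_USER
        salt, stored = record
        return SUCCESS if hmac.compare_digest(stored, _digest(salt, password)) else BAD_CREDENTIALS


def authenticate(stack, netid, password):
    """Try each configured method in order; the first SUCCESS wins and names the method,
    otherwise the lowest (most specific) failure code seen is reported.
    Assumption: this mirrors AuthenticationManager's ordering rule, not its exact code."""
    best = BAD_ARGS
    for method in stack:
        result = method.authenticate(netid, password)
        if result == SUCCESS:
            return SUCCESS, type(method).__name__
        best = min(best, result)
    return best, None


# The two configurations from the thread, as method stacks.
LDAP_ONLY = [LDAPHierarchicalAuthentication()]
LDAP_THEN_PASSWORD = [LDAPHierarchicalAuthentication(), PasswordAuthentication()]

if __name__ == "__main__":
    for name, stack in (("LDAP only", LDAP_ONLY), ("LDAP then Password", LDAP_THEN_PASSWORD)):
        print(name, "legacy account ->", authenticate(stack, "oldaccount@example.org", "local-pass"))
        print(name, "AD account     ->", authenticate(stack, "swebshet", "ad-secret"))
```

Two points the model makes visible: a password typed at the login form is handed to every method in the stack until one succeeds, so with LDAP listed first a local account's password is always tried against the directory before the local table is consulted; and the configuration quoted in the thread uses plain ldap:// simple binds, which send both ldap.search.password and each user's password in cleartext unless ldaps:// (or StartTLS) is used, as the stock comment on ldap.provider_url hints.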


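The log excerpt Sisay posted contains two things worth reading precisely: the AD sub-code "data 52e" inside the LDAP error 49 (to a plain LDAP client all error-49 bind failures are just "invalid credentials"; the sub-code is what distinguishes a wrong password from a lockout or a disabled account), and "result=2", which is the integer return code of org.dspace.authenticate.AuthenticationMethod (BAD_CREDENTIALS). The following is an added example, not DSpace's own code, that parses log lines of that shape, decodes the sub-code, and aggregates failures per source address. The sample lines are constructed (the first two are modelled on the thread's entries, the rest invent a second source address), and the spray threshold is an assumption.

```python
"""Added example, not DSpace code: decode DSpace LDAP authentication failures
from dspace.log-style lines and flag sources failing for many distinct netids.
Sample log lines below are constructed for the example."""
import re
from collections import Counter

# AD AcceptSecurityContext sub-codes reported as "data NNN" inside an LDAP error 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Integer return codes of org.dspace.authenticate.AuthenticationMethod ("result=N" in failed_login lines).
DSPACE_RESULT = {1: "SUCCESS", 2: "BAD_CREDENTIALS", 3: "CERT_REQUIRED", 4: "NO_SUCH_USER", 5: "BAD_ARGS"}

# Real dspace.log lines carry a timestamp and level before the logger name, so search, don't anchor.
LOG_RE = re.compile(
    r"(?P<logger>org\.dspace\.\S+) @ (?P<user>[^:]+):session_id=(?P<session>[0-9A-Fa-f]+)"
    r":ip_addr=(?P<ip>[0-9.]+):(?P<action>\w+):(?P<detail>.*)$")
AD_ERR_RE = re.compile(r"error code (?P<code>\d+).*?AcceptSecurityContext error, data (?P<sub>[0-9a-f]+)")
NETID_RE = re.compile(r"netid=(?P<netid>[^,\s]+)")
RESULT_RE = re.compile(r"result=(?P<result>\d+)")


def _ad_fail(session, ip, sub):
    """Constructed ldap_authentication failure line in the format seen in the thread."""
    return ("org.dspace.authenticate.LDAPHierarchicalAuthentication @ anonymous:session_id=%s"
            ":ip_addr=%s:ldap_authentication:type=failed_auth javax.naming.AuthenticationException: "
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
            "AcceptSecurityContext error, data %s, v1db0 ]" % (session, ip, sub))


def _failed_login(session, ip, netid, result=2):
    """Constructed failed_login line; result=2 is BAD_CREDENTIALS."""
    return ("org.dspace.authenticate.LDAPHierarchicalAuthentication @ anonymous:session_id=%s"
            ":ip_addr=%s:failed_login:netid=%s, result=%d" % (session, ip, netid, result))


S1, S2 = "F11C4BFF6647976278B2B56BDFD04544", "0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A"
SAMPLE_LOG = [  # constructed sample input
    _ad_fail(S1, "172.27.1.1", "52e"), _failed_login(S1, "172.27.1.1", "swebshet"),
    _ad_fail(S2, "10.9.8.7", "52e"), _failed_login(S2, "10.9.8.7", "alice"),
    _ad_fail(S2, "10.9.8.7", "775"), _failed_login(S2, "10.9.8.7", "bob"),
    _ad_fail(S2, "10.9.8.7", "533"), _failed_login(S2, "10.9.8.7", "carol"),
]


def parse_event(line):
    """Return a dict with ip/session/action plus, where present, the decoded AD sub-code,
    the netid and the DSpace result name; None for lines that are not authentication events."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = {"ip": m["ip"], "session": m["session"], "action": m["action"]}
    detail = m["detail"]
    a = AD_ERR_RE.search(detail)
    if a:
        ev["ldap_error"] = int(a["code"])
        ev["ad_subcode"] = a["sub"]
        ev["reason"] = AD_BIND_SUBCODES.get(a["sub"], "unknown AD sub-code")
    n = NETID_RE.search(detail)
    if n:
        ev["netid"] = n["netid"]
    r = RESULT_RE.search(detail)
    if r:
        ev["result"] = DSPACE_RESULT.get(int(r["result"]), r["result"])
    return ev


def summarize(lines, spray_threshold=3):
    """Per source IP: failed logins, distinct netids, AD reasons; 'suspicious' marks sources
    failing for at least spray_threshold distinct netids (spraying/enumeration pattern)."""
    per_ip = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        s = per_ip.setdefault(ev["ip"], {"failed_logins": 0, "netids": set(), "reasons": Counter()})
        if ev["action"] == "failed_login":
            s["failed_logins"] += 1
            if "netid" in ev:
                s["netids"].add(ev["netid"])
        if "reason" in ev:
            s["reasons"][ev["reason"]] += 1
    return {ip: {"failed_logins": s["failed_logins"], "netids": sorted(s["netids"]),
                 "reasons": dict(s["reasons"]), "suspicious": len(s["netids"]) >= spray_threshold}
            for ip, s in per_ip.items()}


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
```

Because LDAPHierarchicalAuthentication searches for the DN first, an unknown netid produces NO_SUCH_USER without any bind, so the AD sub-codes you will actually see in this setup are the post-lookup ones (52e, 775, 533 and so on); a burst of 775 from one address is a lockout storm worth alerting on separately from ordinary typos.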