Hi David,
Not sure I have an answer, but perhaps a few clues.
The error says it cannot determine a user account's full DN:
"failed_login:no DN found for user krbelcher".
So, that implies to me that it *might* be having issues with either
"search_context" or the lack of "object_context". But, nothing jumps
out to me as to why either of those would be problematic.
DSpace definitely will work with Active Directory (I've set it up in the
past), but as each directory structure is a bit different, it's hard to
have standard instructions here.
In the past, I've usually seen AD directory structures which look more like:
dc=relligar,dc=edu
|
|
ou = User Accounts
_/| \_
_/ |\_
/| \
ou=Staff Accounts ou=Faculty Accounts ou=Student Accounts
In that scenario, I've set "search_context = ou=User
Accounts,dc=relligar,dc=edu", and found that it worked fine. So, by the
same logic, it *seems* like your "search_context" should be correct, but
there's still obviously something wrong here.
One option may be to try to debug your settings by running similar LDAP
queries using a third-party tool like "ldapsearch" (which is in the
"ldap-utils" Linux Package).
So, for example, using "ldapsearch" you could run test/verification
queries similar to these:
# Returns the first 100 accts (using "subtree" search) under the
search_context (returning just the 'cn', 'mail' and 'sn' fields)
ldapsearch -x -H [provider_url] -D [search.user] -W -b [search_context]
-z 100 -s sub cn mail sn
# Returns the first 100 accts (using "subtree" search) where username
(id_field) starts with "k"
ldapsearch -x -H [provider_url] -D [search.user] -W -b [search_context]
-z 100 -s sub "([id_field]=k*)" [id_field] cn mail sn givenName
If it isn't obvious, all the placeholders above correspond to the values
of configs in authentication-ldap.cfg.
More info on "ldapsearch" commands:
http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=OpenLDAP+2.0-Release&format=html
Hopefully that gives you some more hints to go on. Please do report
back on your status to this mailing list, as it might help others in the
future (and it could also help us to enhance our documentation around
configuring the LDAP plugin).
- Tim
On 7/16/2015 8:21 AM, Baker, David A. wrote:
> I'm running DSpace 5.2 and am attempting to enable LDAP authentication with
> our Active Directory. I've been fighting this issue for a couple of weeks
> now, and cannot get authentication to work. Below are the contents of my
> authentication.cfg and authentication-ldap.cfg files as well as the log
> result of the login attempts from the dspace.log file.
>
> I'm not sure if there is something obvious that I have wrong or not. Are
> there any specifics that have to be set for Active Directory setups?
>
> Thanks for any help!
>
> The directory structure is set up like this:
>
>dc=relligar,dc=edu
> _/| \_
>_/ |\_
> /| \
> ou=Staff Accounts ou=Faculty Accounts ou=Student Accounts
> |
> |
>cn=Jones, Jimmy K.
>...
>
>
> dspace.log.2015-07-14
> -
> ...
> 2015-07-14 16:58:23,295 INFO org.dspace.authenticate.PasswordAuthentication
> @
> anonymous:session_id=E1BE13484E845DE6361AFB660E6307FD:ip_addr=172.0.0.1:authenticate:attempting
> password auth of user=krbelcher
> 2015-07-14 16:58:23,358 INFO org.dspace.authenticate.LDAPAuthentication @
> anonymous:session_id=E1BE13484E845DE6361AFB660E6307FD:ip_addr=172.0.0.1:auth:attempting
> trivial auth of user=krbelcher
> 2015-07-14 16:58:23,654 WARN org.dspace.authenticate.LDAPAuthentication @
> anonymous:session_id=E1BE13484E845DE6361AFB660E6307FD:ip_addr=172.0.0.1:ldap_authentication:type=failed_auth
> javax.naming.AuthenticationException\colon; [LDAP\colon; error code 49 -
> 80090308\colon; LdapErr\colon; DSID-0C0903A9, comment\colon;
> AcceptSecurityContext error, data 52e, v1db1 ]
> 2015-07-14 16:58:23,654 INFO org.dspace.authenticate.LDAPAuthentication @
> anonymous:session_id=E1BE13484E845DE6361AFB660E6307FD:ip_addr=172.0.0.1:failed_login:no
> DN found for user krbelcher
> 2015-07-14 16:58:23,654 INFO org.dspace.app.xmlui.utils.AuthenticationUtil @
> anonymous:session_id=E1BE13484E845DE6361AFB660E6307FD:ip_addr=172.0.0.1:failed_login:email=krbelcher,
> realm=null, result=2
> 2015-07-14 16:58:29,764 INFO org.dspace.authenticate.PasswordAuthentication
> @
> anonymous:session_id=E1BE13484E845DE6361AFB660E6307FD:ip_addr=172.0.0.1:authenticate:att
