ldap authentication


Jennifer Johnson

Sep 19, 2019, 11:32:32 AM
to Dataverse Users Community
I'm researching the software and was wondering if it is possible to authenticate using LDAP? If so, do users also have to be in the local database? Found the following link for authenticating but nothing on LDAP specifically (so far). Thanks!


Philip Durbin

Sep 19, 2019, 3:04:20 PM
to dataverse...@googlegroups.com
Hi, unfortunately the answer is a little complicated.

Dataverse does not have first class support for LDAP like it does for Shibboleth/SAML and OAuth but you do have some options.

Option 1 is to use the ORCID OAuth provider and (within ORCID) connect to your LDAP server. Boston College does this (last time I checked): https://groups.google.com/d/msg/dataverse-community/iq2KHLsz5ZA/6t08gJq5BQAJ

Option 2 is to use the Shibboleth provider and somehow hook it up to your LDAP. I'm pretty fuzzy about how this works but my understanding is that QDR does this: http://irclog.iq.harvard.edu/dataverse/2019-06-27#i_99130

Option 3 is to write code and make a pull request to add first class LDAP support to Dataverse. :) You would implement CredentialsAuthenticationProvider just like BuiltinAuthenticationProvider does. We would, of course, help you or your developers get this code merged.

Option 4 if you really mean ADFS (Microsoft Active Directory) instead of LDAP is to follow the instructions at http://guides.dataverse.org/en/4.16/installation/shibboleth.html#shibboleth-and-adfs (and ask if you have any trouble!). There's also a brand new pull request today for people in the Microsoft camp: https://github.com/IQSS/dataverse/pull/6192

There may be more options I'm not thinking of.

I hope this helps!

Phil



Jennifer Johnson

Sep 19, 2019, 3:46:37 PM
to Dataverse Users Community
Thank you Philip! That was extremely helpful.

Felipe Ferreira

Dec 9, 2019, 8:27:59 AM
to Dataverse Users Community
Hi Philip

About the Option 4 ADFS, is it possible to do it from the Dataverse directly to the ADFS or must we install a local Shibboleth?
If so, is there any more information on how to set it up directly?

thank you,
Felipe




Philip Durbin

Dec 9, 2019, 8:55:21 AM
to dataverse...@googlegroups.com
Hi Felipe,

If you are looking specifically for ADFS/Microsoft support you might want to try out the brand new Microsoft OAuth provider in Dataverse 4.18: https://github.com/IQSS/dataverse/releases/tag/v4.18

For anyone reading this thread because "LDAP" is in the subject, I'd like to point out that another LDAP option is coming in the next release of Dataverse (the one after 4.18.1). I guess I'll call it "option 5":

Option 5: Use an identity management server that supports LDAP and connect it to Dataverse using OIDC (OpenID connect). For now docs can be found at https://github.com/IQSS/dataverse/blob/4f1bfea64178cad7e7e01130240549db013a1b49/doc/sphinx-guides/source/installation/oidc.rst

I hope this helps. Please keep asking questions and sharing details :)

Thanks,

Phil




Felipe Ferreira

Dec 9, 2019, 11:20:57 AM
to Dataverse Users Community
Hi Philip,

Thanks for the quick answer.

Any idea on when the 4.18.1 will come out? Next month or more than 3 months?
Will it also work for LDAPS?

thank you

Philip Durbin

Dec 9, 2019, 2:45:50 PM
to dataverse...@googlegroups.com
Sorry, I wasn't being clear.

Dataverse 4.18.1 is already out but it doesn't include the new OIDC feature.

The version *after* Dataverse 4.18.1 (probably 4.19) will include the new OIDC feature. We talked about the next release during design standup this morning and it seems like it'll be unlikely that we'd deploy a new release to Harvard Dataverse right before our week long holiday leading up to the new year. So I wouldn't expect a release until early 2020. Fewer than 3 months. :)

OIDC doesn't give you LDAP (or LDAPS) support directly. Rather, OIDC builds on top of OAuth and provides a new mechanism for connecting Dataverse to various authentication providers that support OIDC. In the doc I linked several auth providers are mentioned. Specifically on LDAP, it has this to say, "Using your custom identity management solution might be a workaround when you seek for LDAP support, but don't want to go for services like Microsoft Azure AD et al." The devil is in the details. Your mileage may vary. There be dragons. You should probably consider the OIDC feature somewhat experimental at this point. We don't actually have a use case for OIDC for Harvard Dataverse but I think OIDC support will open up new possibilities. For example, I've already reached out to DataverseNO to see if they can switch from their fork of Dataverse to vanilla Dataverse if they can get the OIDC support for their national auth service working with Dataverse: https://docs.feide.no/service_providers/integration_guide/oauth_oidc/openidconnect.html

I hope this helps. It sounds like what you really want is LDAP support. The basic answer is still no, Dataverse does not support LDAP directly. Hopefully one of the five workarounds will help. We are, of course, willing to review a pull request if anyone reading this wants to add first class support for LDAP to Dataverse. (Please get in touch first before coding though.) Please keep the questions coming!

Thanks,

Phil
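
Added example, not part of the thread or of Dataverse's code: a pre-flight check an operator could run on an identity provider's OIDC discovery document before connecting it as described in option 5. The issuer URL, the sample documents and the `check_discovery` name are constructed for illustration, and it assumes the relying party is a server-side application using the authorization code flow.

```python
# Added example: pre-flight checks on an OIDC discovery document. Field names
# follow OpenID Connect Discovery 1.0; issuer and sample documents are constructed.
from urllib.parse import urlparse

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def check_discovery(configured_issuer, doc):
    """Return a list of problems; an empty list means the document passed."""
    problems = [f"missing field: {name}" for name in REQUIRED if name not in doc]
    # The issuer in the document must equal the configured issuer exactly,
    # otherwise ID tokens cannot be tied to the provider that was intended.
    if doc.get("issuer") != configured_issuer:
        problems.append("issuer does not match configured issuer")
    # Endpoints carry credentials, tokens or signing keys, so require HTTPS.
    for name in ENDPOINTS:
        url = doc.get(name)
        if url is not None and urlparse(url).scheme != "https":
            problems.append(f"{name} is not https")
    # Assumption: the relying party is server-side and uses the code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    # Hardening choice: flag providers that advertise unsigned ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ID tokens (alg none) offered")
    return problems


ISSUER = "https://idp.example.org/realms/ldap-backed"  # constructed
GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document with three faults: trailing slash on the issuer, a
# plain-HTTP token endpoint, and "none" among the signing algorithms.
BAD = dict(GOOD, issuer=ISSUER + "/",
           token_endpoint="http://idp.example.org/token",
           id_token_signing_alg_values_supported=["RS256", "none"])

if __name__ == "__main__":
    print(check_discovery(ISSUER, GOOD))
    print(check_discovery(ISSUER, BAD))
```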


Oliver Bertuch

Dec 10, 2019, 6:15:22 AM
to Dataverse Users Community
Hi Felipe,

I would love feedback on using OpenID Connect with a local ADFS, so you would not need to use Shibboleth.

At least from what I found from a quick search is that since ADFS 2016, you can also use OIDC with it. That way you will have an option not using the Azure AD cloud service, but re-use your existing local AD.

As I am planning for group and attribute mapping for this provider, this has a chance to be as LDAPish as possible... ;-)

Feel free to open issues and mention me (@poikilotherm) in case you are going to try things out. You can also find me on IRC during my work hours.

Regards,
Oliver

Jonathan Crabtree

Dec 10, 2019, 9:00:54 AM
to dataverse...@googlegroups.com

Oliver,

I have had several other groups mention the interest in mapping groups and attributes from LDAP.

Just FYI

Jon
