LDAP Authentication + Dspace 7.6 + CentOS


Emith Suárez Romero

Mar 7, 2024, 11:40:42 AM3/7/24
to DSpace Technical Support

Hello, I can't get authentication to work in DSpace 7.6 using LDAP. I would like to describe a little of everything as I have it. All PCs are running CentOS 7. On one I have LDAP and on another I have DSpace 7.6. I should add that DSpace is at http://ip and everything works correctly (Solr, Tomcat, backend and frontend). I can log in normally with an email account but not with an LDAP user. I would like to share the configurations I have so far and the (positive) connectivity tests of LDAP + the user from the DSpace PC... Thank you, and let's see if what I show you helps you help me. I have used the official documentation the whole time.

authentication.cfg

# LDAP authentication/authorization. See authentication-ldap.cfg for default configuration.
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication

authentication-ldap.cfg

#---------------------------------------------------------------#
#------------LDAP AUTHENTICATION CONFIGURATIONS-----------------#
#---------------------------------------------------------------#
# Configuration properties used by the LDAP Authentication      #
# plugin, when it is enabled.                                   #
#---------------------------------------------------------------#

#
# If LDAP is enabled, then new users will be able to register
# by entering their username and  password without being sent the
# registration token. If users do not have a username and password,
# then they  can still register and login with just their email address
# the same way they do now.
#
# For providing any special privileges to LDAP users,
# you will still need to extend the SiteAuthenticator class to
# automatically put people who have a netid into a special
# group.  You might also want to give certain email addresses
# special privileges. Refer to the DSpace documentation for more
# information about how to do this.
#
# It may be necessary to obtain the values of these settings from the
# LDAP server administrators as LDAP configuration will vary from server
# to server.

# This setting will enable or disable LDAP authentication in DSpace.
# With the setting off, users will be required to register and login with
# their email address.  With this setting on, users will be able to login
# and register with their LDAP user ids and passwords.
authentication-ldap.enable = true


##### LDAP AutoRegister Settings #####

# This will turn LDAP autoregistration on or off.  With this
# on, a new EPerson object will be created for any user who
# successfully authenticates against the LDAP server when they
# first login.  With this setting off, the user
# must first register to get an EPerson object by
# entering their ldap username and password and filling out
# the forms.
authentication-ldap.autoregister = true


# This is the url to the institution's ldap server. The "o=myu.edu"
# part may or may not be required depending on the LDAP server setup,
# but make sure to include the slash after domain name.
# A server may also require the ldaps:// protocol.
# Note: Prepend commas with a backslash to escape them
authentication-ldap.provider_url = ldap://ds.intranet.despace.es
authentication-ldap.starttls = true

# This is the unique identifier field in the LDAP directory
# where the username is stored.
authentication-ldap.id_field = uid

# This is the object context used when authenticating the
# user.  It is appended to the id_field and username.
# For example uid=username,ou=people,ou=faculties,o=myu.edu.  This must match
# the LDAP server configuration.
# Note: Prepend commas with a backslash to escape them
authentication-ldap.object_context = o= ds.intranet.despace.es

# This is the search context used when looking up a user's
# LDAP object to retrieve their data for autoregistering.
# With autoregister turned on, when a user authenticates
# without an EPerson object, a search on the LDAP directory to
# get their name and email address is initiated so that DSpace
# can create a EPerson object for them.  So after we have authenticated against
# uid=username,ou=people,o=byu.edu we now search in ou=people
# for filtering on [uid=username].  Often the
# search_context is the same as the object_context
# parameter.  But again this depends on each individual LDAP server
# configuration.
# Note: Prepend commas with a backslash to escape them
authentication-ldap.search_context = o= ds.intranet.despace.es

# This is the LDAP object field where the user's email address
# is stored.  "mail" is the default and the most common for
# LDAP servers.  If the mail field is not found the username
# will be used as the email address when creating the eperson
# object.
authentication-ldap.email_field = mail

# This is the LDAP object field where the user's last name is
# stored.  "sn" is the default and is the most common for LDAP
# servers.  If the field is not found the field will be left
# blank in the new eperson object.
authentication-ldap.surname_field = sn

# This is the LDAP object field where the user's given names
# are stored.  This may not be used or set in all LDAP instances.
# If the field is not found the field will be left blank in the
# new eperson object.
authentication-ldap.givenname_field = givenName

# This is the field where the user's phone number is stored in
# the LDAP directory.  If the field is not found the field
# will be left blank in the new eperson object.
# authentication-ldap.phone_field = telephoneNumber


##### LDAP users group #####

# If required, a group name can be given here, and all users who log in
# to LDAP will automatically become members of this group. This is useful
# if you want a group made up of all internal authenticated users.
#authentication-ldap.login.specialgroup = group-name


##### Hierarchical LDAP Settings #####

# If your users are spread out across a hierarchical tree on your
# LDAP server, you will need to search the tree to find the full DN of
# the user who is logging in.

# * If anonymous search is allowed on your LDAP server, you will need to set
#   search.anonymous = true
# * If not, you will need to specify the full DN and password of a
#   user that is allowed to bind in order to search for the users.
# * If neither search.anonymous is true, nor search.user is specified,
#   LDAP will not do the hierarchical search for a DN and will assume
#   a flat directory structure.

# This is the optional search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
# object scope : 0
# one level scope : 1
# subtree scope : 2
#authentication-ldap.search_scope = 2

# If true, the initial bind will be performed anonymously.
authentication-ldap.search.anonymous = true

# The full DN and password of a user allowed to connect to the LDAP server
# and search for the DN of the user trying to log in.
# Note: Prepend commas with a backslash to escape them
authentication-ldap.search.user = 52955890c
authentication-ldap.search.password = C3nt0s7!

# If your LDAP server does not hold an email address for a user, you can use
# the following field to specify your email domain. This value is appended
# to the netid in order to make an email address. E.g. a netid of 'user' and
# netid_email_domain as '@example.com' would set the email of the user
# to be 'us...@example.com
authentication-ldap.netid_email_domain = @ds .intranet.despace.es

# Take the left part of the groupmap value (before the ":") and look it up
# in user's full DN. If it's found, assign user to the DSpace group
# specified by the right part of the groupmap value (after the ":").
# One user may belong to multiple groups.
#authentication-ldap.login.groupmap.1 = ou=ldap-dept1:dspace-group1
#authentication-ldap.login.groupmap.2 = ou=ldap-dept2:dspace-groupA
#authentication-ldap.login.groupmap.3 = ou=ldap-dept3:dspace-groupA

# If this property is uncommented, it changes the meaning of the left part of
# the groupmap value (before the ":") as follows.
# The value of login.groupmap.attribute specifies the name of an LDAP attribute.
# If user has this attribute, look up the value of this attribute in the left
# part of the groupmap value (before the ":"). If it's found, assign user to
# the DSpace group specified by the right part of the groupmap value (after
# the ":").
#authentication-ldap.login.groupmap.attribute = group
#authentication-ldap.login.groupmap.1 = ldap-dept1:dspace-group1
#authentication-ldap.login.groupmap.2 = ldap-dept2:dspace-groupA
#authentication-ldap.login.groupmap.3 = ldap-dept3:dspace-groupA

# Enables support for StartTLS (default is false). If this flag is true be sure provider_url looks like:
# ldap://ldap.myu.edu:389
#authentication-ldap.starttls=true

 

-------------------------------------------------------------------------------------------------------------

 

 

 

dspace/logs/dspace.log

.
.
.
2024-03-07 15:32:37,504 INFO  unknown unknown org.dspace.authenticate.PasswordAuthentication @ anonymous::authenticate:attempting password auth of user=52955890c
2024-03-07 15:32:37,507 INFO  unknown unknown org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=52955890c, result=4
2024-03-07 15:32:37,508 ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)
org.springframework.security.authentication.BadCredentialsException: Login failed
                at org.dspace.app.rest.security.EPersonRestAuthenticationProvider.authenticateNewLogin(EPersonRestAuthenticationProvider.java:150) ~[classes/:7.6]
                at
.
.
.
                at java.lang.Thread.run(Thread.java:833) [?:?]

 

Test LDAP from the DSpace 7.6 PC

ldapsearch -H ldap://ds.intranet.dspace.es/ -x -b "" -s base

dnsHostName: dscentos.DS.intranet.dspace.es
ldapServiceName: intranet.dspace.es:dscentos$@DS.INTRANET.DSPACE.ES
serverName: CN=DSCENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Config
 uration,DC=intranet,DC=dspace,DC=es
.
.
.
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 6

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


ldapsearch -H ldap://ds.intranet.dspace.es/ -x -b "" -s base -D '5295...@ds.intranet.dspace.es' -w 'C3nt0s!'
.
.
.
isGlobalCatalogReady: TRUE
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 6

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

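The posted configuration lends itself to a mechanical check before any more live tests. The Python script below is an added example, not part of the original post and not DSpace's own code. It reads an authentication-ldap.cfg in the same key = value form and flags the kinds of problems visible in the file above: a property name that is not `authentication-ldap.*` and is therefore ignored by DSpace, whitespace inside a DN right after `=`, an unescaped comma that DSpace's config loader would treat as a list separator (the stock comments say to write `\,`), a bare account name in `search.user` where the stock comment asks for a full DN, `search.anonymous = true` and `search.user` set at the same time, and `ldap://` without `starttls`, which sends the search bind password and every user's password across the network in cleartext. It also reports which bind the plugin will attempt and what DN a flat bind would use, with the netid escaped per RFC 4514 so a netid containing `,` cannot append RDNs to that DN. The two embedded configs, the hostnames, base DNs and the service account are constructed placeholders; the corrected sample assumes an Active Directory style `dc=` tree like the one the rootDSE in the ldapsearch output shows, and preferring `search.user` over anonymous search when both are set is my assumption about the plugin, not something the page states. Two caveats a practitioner would want: the search bind password lives in cleartext in this file (and one has now been posted publicly, so it should be rotated), and the log excerpt shows only PasswordAuthentication being attempted for the netid (result=4, which is NO_SUCH_USER among DSpace's AuthenticationMethod constants) with no LDAPAuthentication entry at all, which is worth confirming against the effective authentication.cfg before changing the LDAP settings.

```python
import re
from urllib.parse import urlsplit

PREFIX = "authentication-ldap."

# Constructed sample in the shape of the posted file; host, base DN, account and
# password are placeholders, not the poster's real values.
POSTED_STYLE_CFG = """\
authentication-ldap.provider_url = ldap://ldap.example.test
autenticación-LDAP.starttls = true
authentication-ldap.object_context = o= example.test
authentication-ldap.search_context = o= example.test
authentication-ldap.search.anonymous = true
authentication-ldap.search.user = svcreader
authentication-ldap.search.password = placeholder
"""

# Constructed corrected counterpart (assumes an Active Directory style dc= tree).
CORRECTED_CFG = """\
authentication-ldap.provider_url = ldap://ldap.example.test:389
authentication-ldap.starttls = true
authentication-ldap.object_context = dc=example\\,dc=test
authentication-ldap.search_context = dc=example\\,dc=test
authentication-ldap.search.anonymous = false
authentication-ldap.search.user = cn=dspace-reader\\,ou=Service Accounts\\,dc=example\\,dc=test
authentication-ldap.search.password = placeholder
"""


def parse_cfg(text):
    """'key = value' lines, '#' comments skipped; keys verbatim (DSpace keys are case-sensitive)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                cfg[key.strip()] = value.strip()
    return cfg


def is_true(cfg, name):
    return cfg.get(PREFIX + name, "false").lower() == "true"


def lint(cfg):
    """Return (code, message) findings for the kinds of mistakes visible in the posted file."""
    out = []
    for key in cfg:
        if not key.startswith(PREFIX):
            out.append(("BAD_KEY", f"'{key}' is not an {PREFIX}* property and is silently ignored"))
    scheme = urlsplit(cfg.get(PREFIX + "provider_url", "")).scheme
    starttls = is_true(cfg, "starttls")
    if starttls and scheme != "ldap":
        out.append(("TLS", "starttls=true needs an ldap:// provider_url; StartTLS upgrades a plain connection"))
    if scheme == "ldap" and not starttls:
        out.append(("CLEARTEXT", "ldap:// without starttls sends the search bind and every user password in cleartext"))
    for name in ("object_context", "search_context", "search.user"):
        value = cfg.get(PREFIX + name, "")
        if re.search(r"=\s", value):
            out.append(("DN_SPACE", f"{name} '{value}' has whitespace after '='; DSpace uses the value verbatim"))
        elif re.search(r"(?<!\\),", value):
            out.append(("COMMA", f"{name} '{value}' has an unescaped comma; the config loader splits it into a list"))
    user = cfg.get(PREFIX + "search.user", "")
    if user and not re.match(r"^[A-Za-z][A-Za-z0-9-]*=", user) and "@" not in user:
        out.append(("BIND_ID", f"search.user '{user}' is a bare name; use the full DN (Active Directory also accepts a UPN)"))
    if user and is_true(cfg, "search.anonymous"):
        out.append(("AMBIGUOUS", "search.anonymous=true and search.user are both set; choose one search bind"))
    return out


def rfc4514_escape(value):
    """Escape a DN attribute value (RFC 4514 s2.4) so a netid like 'j,doe' cannot add RDNs."""
    out = value.replace("\\", "\\\\")
    for ch in '"+,;<>':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def bind_path(cfg):
    """Search bind when search.anonymous or search.user is set, else flat (per the stock
    comments); preferring the service account over anonymous when both are set is an assumption."""
    if cfg.get(PREFIX + "search.user", "").strip() and cfg.get(PREFIX + "search.password", "").strip():
        return "search-as-service-account"
    if is_true(cfg, "search.anonymous"):
        return "search-anonymous"
    return "flat"


def flat_bind_dn(cfg, netid):
    """DN of a flat bind: id_field=netid,object_context; '\\,' in the cfg value becomes ','."""
    base = cfg[PREFIX + "object_context"].replace("\\,", ",")
    return f"{cfg[PREFIX + 'id_field']}={rfc4514_escape(netid)},{base}"


if __name__ == "__main__":
    for label, text in (("posted-style", POSTED_STYLE_CFG), ("corrected", CORRECTED_CFG)):
        cfg = parse_cfg(text)
        print(f"{label}: bind path = {bind_path(cfg)}")
        for code, msg in lint(cfg):
            print(f"  [{code}] {msg}")
```

Run as-is it lints the two embedded samples; to check a real file, pass its contents to `parse_cfg()` and feed the result to `lint()`. It does not replace a live bind test with ldapsearch, but it catches the file-level mistakes that make such a test fail with a misleading error, and the CLEARTEXT finding is the one to clear first on any network you do not fully trust.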