DSpace 5.X: Switching auth method from LDAP to Shibboleth

Evelthon Prodromou

Feb 10, 2023, 6:06:53 AM
to DSpace Technical Support

Hello all,

Shibboleth SP is configured properly and attributes are released.

The problem is with Epersons that were previously created with LDAP authentication. When the same user attempts to authenticate via Shibboleth a failure occurs and the following error is logged:

ERROR org.dspace.authenticate.ShibAuthentication @ The identified EPerson based upon Shibboleth email header, 'mail'='us...@domain.com', is locked to another netid: 'a_username'. This might be a possible hacking attempt to steal another users credentials. If the user's netid has changed you will need to manually change it to the correct value or unset it in the database.

What is the proper way for Identity Scheme Migration (LDAP to Shibboleth)?


kind regards,

Evelthon

Mark H. Wood

Feb 10, 2023, 8:24:41 AM
to dspac...@googlegroups.com
I'm only guessing here, but it appears that the Shibboleth attribute
that you are using for netid has different values for the same account
than the LDAP attribute that you have been using. Does your IDP offer
another attribute which tracks the LDAP service's attribute?

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Evelthon Prodromou

Feb 14, 2023, 1:21:55 AM
to DSpace Technical Support
Hello Mark,
Thank you for your reply.

eduPersonPrincipalName is close but not exactly the same. Will have to review my options.

Evelthon

Mohammad S. AlMutairi

Feb 14, 2023, 2:54:23 AM
to DSpace Technical Support
Hello Evelthon,

Have you thought about scripting a bulk modification of the users' netid? ([dspace]/bin/dspace user --modify -h).

Evelthon Prodromou

Feb 14, 2023, 3:49:15 AM
to DSpace Technical Support
Hello Mohammad,

No I have not. Will look into it. Thank you for the tip.

E.

Mohammad S. AlMutairi

Feb 14, 2023, 9:07:24 AM
to DSpace Technical Support
You bet

** From the error message you got:
"If the user's netid has changed you will need to manually change it to the correct value or unset it in the database."

I think it would be much faster and easier if you can sort and unset the netid data for the affected AD users by nulling their netid values in the netid column in dspace --> eperson --> netid column. You should test it first on a single user.

Best of luck

BR
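One way to carry out the single-user test suggested above, as an added example that is not from this thread or from DSpace itself. It assumes a PostgreSQL backend and the DSpace 5 eperson table with its email and netid columns; the e-mail addresses are placeholders.

```sql
-- Run against the DSpace database inside a transaction so the change can be
-- rolled back if the preview does not look right. Addresses are placeholders.
BEGIN;

-- 1. Preview: the account that fails Shibboleth login still carries the old
--    LDAP username in netid (the value the error message calls "locked to").
SELECT eperson_id, email, netid
  FROM eperson
 WHERE lower(email) = lower('user@example.com');

-- 2. Unset netid for that one account only. The AND clause makes the statement
--    a no-op if the value was already cleared; RETURNING shows exactly what changed.
UPDATE eperson
   SET netid = NULL
 WHERE lower(email) = lower('user@example.com')
   AND netid IS NOT NULL
RETURNING eperson_id, email, netid;

-- 3. Confirm that exactly one row came back, then COMMIT; otherwise ROLLBACK.
COMMIT;

-- Bulk variant, only after the test user has logged in via Shibboleth without
-- the "locked to another netid" error: clear netid just for accounts that still
-- hold a value, never for ones already re-bound. Fill the list from the affected users.
BEGIN;
UPDATE eperson
   SET netid = NULL
 WHERE netid IS NOT NULL
   AND lower(email) IN ('user1@example.com', 'user2@example.com')
RETURNING eperson_id, email;
-- Check the returned rows against the affected-user list before COMMIT.
COMMIT;
```

Take a dump of the eperson table before the bulk run, since a cleared netid cannot be recovered from the table afterwards.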