-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 21 Sep 2005, John Finlay wrote:
> The LDAP authentication in DSpace first attempts to bind to the LDAP
> server using the username and password provided by the authenticating
> user. Once bound to the server it can then search the LDAP for the
> user's properties and set them in the DSpace EPerson record. The
> options in the dspace.cfg file allow you to append the correct DN to the
> username entered by the authenticating user.
That is definitely too simple for the general case.
> I have seen cases where users have different DNs.
I should think so. You can't have two objects with the same Distinguished
Name. I think we're actually talking about multiple contexts -- that is,
some User objects are subordinate to one OU, others to another, and so on:

    CN=mwood, OU=Library, O=Our University
    CN=jsmith, OU=Engineering, O=Our University

rather than one big pile of User objects in a single container. Back when
we ran Netware 4, I did something like that so that departments could
easily manage their own accounts.
> In this case you
> will have to modify the LDAPServlet.java file to first bind with a
> privileged LDAP account, and search by the given username for the
> correct DN.
Perhaps not so very privileged. The binding DN's object need only have
enough privilege to search from the search-base DN on down as far as the
search depth requires. In many directories every user has such
privileges. I've used my own plain-vanilla user account for the initial
bind when testing authentication of new services. But I can imagine
settings in which that wouldn't work.
> Once you have the correct DN, you can bind again to LDAP
> using that DN and the password entered by the user. This double bind
> authentication scenario would probably be good to have as an option in
> DSpace, if somebody wants to do it and submit a patch.
Apache's mod_auth_ldap does that, for example.
- --
Mark H. Wood, Lead System Programmer mw...@IUPUI.Edu
Open-source executable: $0.00. Source: $0.00 Control: priceless!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/
iD8DBQFDMscUs/NR4JuTKG8RAqDPAKCpaZawtf9bnEDuLaFpAs32iM8SNwCbBqoH
4o4Z//m4gmxPDDBAyaPkC4M=
=sLsg
-----END PGP SIGNATURE-----
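The two schemes discussed in the thread, side by side, as an added example that is not part of the original messages or of DSpace's LDAPServlet: the "append a fixed DN suffix to the username" scheme and the double bind (search account binds, looks up the user's DN, then a second bind as that DN with the user's password). The `FakeDirectory` class is a constructed in-memory stand-in for an LDAP connection (in DSpace this would be JNDI; in Python, python-ldap or ldap3); the DNs, the `uid` attribute, the `svc-search` account and all passwords are constructed sample values. It also shows the two checks a practitioner wants in this code path: escaping the form-supplied username before it goes into a search filter, and refusing an empty password, which many servers would otherwise accept as an unauthenticated bind.

```python
"""Single-bind vs. double-bind LDAP authentication (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The username comes straight from the login form, so without this a
    value such as 'jsmith)(uid=*' would change the structure of the filter.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514).

    Simplified: special characters only; a leading '#' and leading or
    trailing spaces, which RFC 4514 also escapes, are not handled here.
    """
    return ''.join('\\' + ch if ch in ',+"\\<>;=' else ch for ch in value)


@dataclass
class Entry:
    """One directory object: its DN, its attributes and its bind password."""
    dn: str
    attrs: Dict[str, List[str]]
    password: str


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server connection.

    Offers only the two operations the authenticators need: a simple bind
    and a subtree search with a single equality filter.
    """
    def __init__(self, entries: List[Entry]):
        self._by_dn = {e.dn.lower(): e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        entry = self._by_dn.get(dn.lower())
        if entry is None:
            return False
        if password == '':
            # Modelled on servers that treat a non-empty DN plus an empty
            # password as an unauthenticated bind and report success.
            return True
        return entry.password == password

    def search(self, base: str, filt: str) -> List[str]:
        """Return the DNs under `base` matching a filter of the form (attr=value)."""
        if not (filt.startswith('(') and filt.endswith(')') and filt.count('(') == 1):
            raise ValueError('unsupported filter: %r' % filt)
        attr, _, raw = filt[1:-1].partition('=')
        value = re.sub(r'\\([0-9a-fA-F]{2})',
                       lambda m: chr(int(m.group(1), 16)), raw)
        return [e.dn for e in self._by_dn.values()
                if e.dn.lower().endswith(base.lower())
                and value in e.attrs.get(attr, [])]


def single_bind_authenticate(directory, dn_template: str,
                             username: str, password: str) -> Optional[str]:
    """The simple scheme: append a fixed DN suffix to the username and bind.

    Works only when every user lives in the one container the template names.
    """
    if not username or not password:
        return None
    dn = dn_template.format(user=escape_dn_value(username))
    return dn if directory.bind(dn, password) else None


class DoubleBindAuthenticator:
    """Bind as a search-only account, find the user's DN, then bind as the user."""
    def __init__(self, directory, service_dn: str, service_password: str,
                 search_base: str, id_attr: str = 'uid'):
        self.directory = directory
        self.service_dn = service_dn
        self.service_password = service_password
        self.search_base = search_base
        self.id_attr = id_attr

    def authenticate(self, username: str, password: str) -> Optional[str]:
        if not username or not password:
            return None  # an empty password would become an unauthenticated bind
        if not self.directory.bind(self.service_dn, self.service_password):
            raise RuntimeError('service bind failed; check the search account')
        filt = '(%s=%s)' % (self.id_attr, escape_filter_value(username))
        matches = self.directory.search(self.search_base, filt)
        if len(matches) != 1:
            return None  # unknown user or ambiguous result: refuse rather than guess
        user_dn = matches[0]
        return user_dn if self.directory.bind(user_dn, password) else None


# Constructed sample directory mirroring the two contexts from the thread.
SAMPLE_ENTRIES = [
    Entry('CN=mwood,OU=Library,O=Our University', {'uid': ['mwood']}, 'library-pw'),
    Entry('CN=jsmith,OU=Engineering,O=Our University', {'uid': ['jsmith']}, 'eng-pw'),
    Entry('CN=svc-search,OU=Services,O=Our University', {'uid': ['svc-search']}, 'svc-pw'),
]


def make_authenticator() -> DoubleBindAuthenticator:
    """Double-bind authenticator over the sample directory (hypothetical config)."""
    return DoubleBindAuthenticator(FakeDirectory(SAMPLE_ENTRIES),
                                   'CN=svc-search,OU=Services,O=Our University',
                                   'svc-pw', 'O=Our University')


if __name__ == '__main__':
    d = FakeDirectory(SAMPLE_ENTRIES)
    tmpl = 'CN={user},OU=Library,O=Our University'
    print('single bind, mwood :', single_bind_authenticate(d, tmpl, 'mwood', 'library-pw'))
    print('single bind, jsmith:', single_bind_authenticate(d, tmpl, 'jsmith', 'eng-pw'))
    auth = make_authenticator()
    print('double bind, jsmith:', auth.authenticate('jsmith', 'eng-pw'))
    print('empty password     :', auth.authenticate('jsmith', ''))
```

The service account only ever performs the search, so in a real directory it needs nothing beyond read access from the search base down to the search depth, which is the "not so very privileged" point above. The `len(matches) != 1` check matters when the identifier attribute is not guaranteed unique across containers: binding as whichever DN came back first would let one user authenticate against another's object.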