ldap.login.groupmap.attribute not working


Diego Spano

Jun 8, 2018, 11:40:35 AM
to DSpace Community
Hi. I have my DSpace instance connected with my LDAP server (Active Directory). I need to assign a DSpace group based on the LDAP group where the user belongs. I think this is possible with the feature "ldap.login.groupmap.attribute". In other words, I want users that belong to the LDAP group named "students" to be part of the DSpace group named "GroupA". I created "GroupA" in DSpace, the user can login with no problem but the group is not assigned!


This is my authentication-ldap.cfg  configuration:


#---------------------------------------------------------------#
#------------LDAP AUTHENTICATION CONFIGURATIONS-----------------#
#---------------------------------------------------------------#
authentication-ldap.enable = true
authentication-ldap.autoregister = true
authentication-ldap.provider_url = ldap://prod.local:389/
authentication-ldap.id_field = sAMAccountName
authentication-ldap.object_context = OU=TEST\,DC=prod\,DC=local
authentication-ldap.search_context = OU=TEST\,DC=prod\,DC=local
authentication-ldap.email_field = mail

##### LDAP users group #####
#authentication-ldap.login.specialgroup = GrupoLDAP
authentication-ldap.search_scope = 2
authentication-ldap.search.anonymous = false
authentication-ldap.search.user = yy...@prod.local
authentication-ldap.search.password = xxxxxxx
authentication-ldap.netid_email_domain = @prod.org

# If this property is uncommented, it changes the meaning of the left part of
# the groupmap value (before the ":") as follows.
# The value of login.groupmap.attribute specifies the name of an LDAP attribute.
# If user has this attribute, look up the value of this attribute in the left
# part of the groupmap value (before the ":"). If it's found, assign user to
# the DSpace group specified by the right part of the groupmap value (after
# the ":").

authentication-ldap.login.groupmap.attribute = memberof
authentication-ldap.login.groupmap.1 = students:GroupA


I also tried with "authentication-ldap.login.groupmap.attribute = group" but the problem still remains. Any help!?

Thanks in advance.

Diego

Tim Donohue

Jun 12, 2018, 11:35:03 AM
to Diego Spano, DSpace Community
Hi Diego,

I'd recommend asking these questions on the Tech Support list (dspace-tech), as this Community list is generally less technical in nature.

From past experience, I've found that LDAP configuration can be hard to get exactly "correct".  It often takes a lot of debugging to understand exactly which fields are being returned from your LDAP, and what values come back in those fields.

I've found that commandline tools like "ldapsearch" can be very beneficial in debugging LDAP issues:

https://linux.die.net/man/1/ldapsearch

ldapsearch is available on most Linux operating systems (e.g. in Ubuntu/Debian you can install it by installing the "ldap-utils" package).  It returns the responses directly from your LDAP system to allow you to configure your DSpace appropriately. So, for example, you should be able to run queries like this (be sure to replace the variables in square brackets with the values from your authentication-ldap.cfg file).

# Attempt to connect to [provider-url] as [search.user] (will prompt for password)
ldapsearch -x -H [provider_url] -D [search.user] -W  

# Attempt to list the first 100 users in a given [search_context], returning the "cn", "mail" and "sn" fields for each
ldapsearch -x -H [provider_url] -D [search.user] -W -b [search_context] -z 100 cn mail sn  

# Attempt to find the first 100 users whose [id_field] starts with the letter "t", returning the [id_field], "cn", "mail" and "sn" fields for each
ldapsearch -x -H [provider_url]  -D [search.user] -W -b [search_context] -z 100 -s sub "([id_field]=t*)" [id_field] cn mail sn

As you can see, querying LDAP can start to allow you to better get a sense of how to set each of these settings in your authentication-ldap.cfg appropriately.  If you are still stuck, you should look in your DSpace logs for any ERROR messages that may be thrown when you login via LDAP, or you could temporarily turn on debugging (on a test server) and the DSpace logs will display more information about what results are coming back from LDAP.

I hope that helps. I'll also take this opportunity to update the LDAP configuration docs with these example ways of debugging the problem.

- Tim

Visit this group at https://groups.google.com/group/dspace-community.
--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org

Diego Spano

Jun 12, 2018, 4:20:15 PM
to tdon...@duraspace.org, dspace-c...@googlegroups.com
Thanks Tim. I managed to get the info from ldapsearch. My user in LDAP has 4 occurrences of field "memberOf". In one of those I have this value: 

memberOf: CN=soporte tecnico,OU=deSistema,OU=Grupos,OU=ORG,DC=org,DC=local

So how should I configure login.groupmap? I tried many ways with no success:

authentication-ldap.login.groupmap.attribute = memberOf
authentication-ldap.login.groupmap.1 = CN=soporte tecnico,OU=deSistema,OU=Grupos,OU=ORG,DC=org,DC=local:Group1

authentication-ldap.login.groupmap.attribute = memberOf
authentication-ldap.login.groupmap.1 = soporte tecnico:Group1

authentication-ldap.login.groupmap.attribute = memberOf
authentication-ldap.login.groupmap.1 = "CN=soporte tecnico,OU=deSistema,OU=Grupos,OU=ORG,DC=org,DC=local":Group1

authentication-ldap.login.groupmap.attribute = memberOf
authentication-ldap.login.groupmap.1 = CN\=soporte tecnico\,OU\=deSistema\,OU\=Grupos\,OU\=ORG\,DC\=org\,DC\=local :Group1


I can login correctly so LDAP authentication is working OK, but groupmap feature is not available!

Any help?

Thanks in advance.


Diego


Tim Donohue

Jun 12, 2018, 5:12:20 PM
to Diego Spano, dspace-c...@googlegroups.com
Hi Diego,

When you specify a "groupmap.attribute" then the value must match *exactly* (ignoring case however).

However, assuming you are using DSpace 6.x, any commas will need to be escaped (i.e. "\,") because commas are a special character in the new Configuration System.

So, my best guess would be that this should work:

authentication-ldap.login.groupmap.attribute = memberOf
authentication-ldap.login.groupmap.1 = CN=soporte tecnico\,OU=deSistema\,OU=Grupos\,OU=ORG\,DC=org\,DC=local:Group1

If you are using DSpace 5.x or below, you should not need to escape the commas.

However, that said, you noted that the "memberOf" field has *multiple values* in your LDAP.  It's highly possible that the DSpace configuration only checks against the *first value*, as that is what the documentation implies: https://wiki.duraspace.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-LDAPAuthentication

The documentation says that DSpace will "look up the value of this LDAP attribute in the left part (before the ":") of the authentication-ldap.login.groupmap.* value". That implies to me that DSpace is only expecting the "groupmap.attribute" to have a single value.  It's possible that the fact that this attribute has multiple values is the issue you are encountering.  It might be worth looking at whether you can use a different "attribute".  Or, you could consider leaving the "attribute" unspecified, in which case DSpace will do a "fuzzy match" against the DN of the logged in user.  (Again, this is noted in the documentation & configuration file.)

Good luck,

Tim

Diego Spano

Jun 13, 2018, 3:29:05 PM
to Tim Donohue, dspace-c...@googlegroups.com
Hi Tim. Now it works. This is the right way as you pointed:

authentication-ldap.login.groupmap.attribute = memberOf
authentication-ldap.login.groupmap.1 = CN=soporte tecnico\,OU=deSistema\,OU=Grupos\,OU=ORG\,DC=org\,DC=local:Group1

I also have to say that it works with the first occurrence of the attribute.

Thanks.

Diego
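As an added worked example (this is not DSpace's own code, and it models the behaviour described in this thread rather than DSpace's real LDAPAuthentication implementation), the Python script below does the three things the thread works through: it pulls every value of a multi-valued attribute such as memberOf out of ldapsearch's LDIF output, writes the matching DSpace 6 groupmap line with the commas escaped as "\,", and then emulates the match rule Tim describes (exact, case-insensitive) together with the first-occurrence-only behaviour Diego confirmed. The LDIF text is constructed for the example; the function names (parse_ldif_attribute, escape_for_dspace6, groupmap_line, resolve_dspace_group) are hypothetical helpers, and the decision to split the groupmap value on the first ":" is this model's assumption, not a documented DSpace rule.

```python
"""Model of the DSpace LDAP groupmap behaviour discussed in this thread.

Added example, not DSpace code. It reproduces the rules the thread arrives at:
  * the groupmap.attribute value must match the left part exactly (case-insensitive),
  * in DSpace 6.x a literal comma in a property value is written as '\\,',
  * only the first occurrence of a multi-valued attribute is checked.
"""

# Constructed LDIF, modelled on the ldapsearch output quoted in the thread
# (three memberOf values; the first one is the DN Diego mapped to Group1).
SAMPLE_LDIF = """\
dn: CN=Diego,OU=TEST,DC=prod,DC=local
sAMAccountName: diego
mail: diego@prod.local
memberOf: CN=soporte tecnico,OU=deSistema,OU=Grupos,OU=ORG,DC=org,DC=local
memberOf: CN=students,OU=Grupos,OU=ORG,DC=org,DC=local
memberOf: CN=Domain Users,CN=Users,DC=org,DC=local
"""


def parse_ldif_attribute(ldif, attribute):
    """Return every value of `attribute`, in order of appearance.

    LDAP attribute names are case-insensitive, so 'memberof' and 'memberOf'
    both match. Multi-valued attributes appear as repeated lines in LDIF.
    """
    values = []
    for line in ldif.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        if name.strip().lower() == attribute.lower():
            values.append(value.strip())
    return values


def escape_for_dspace6(value):
    """DSpace 6 treats ',' in a property value as a list separator, so a
    literal comma (as in every DN) must be written as '\\,'."""
    return value.replace(",", "\\,")


def unescape_dspace6(value):
    """What the configuration loader hands back: '\\,' becomes ',' again."""
    return value.replace("\\,", ",")


def groupmap_line(index, ldap_value, dspace_group, dspace_major=6):
    """Build the authentication-ldap.login.groupmap.N line for a given DSpace
    major version (escaping is only needed from 6.x on, per the thread)."""
    left = escape_for_dspace6(ldap_value) if dspace_major >= 6 else ldap_value
    return f"authentication-ldap.login.groupmap.{index} = {left}:{dspace_group}"


def resolve_dspace_group(ldif, attribute, groupmap_values, first_value_only=True):
    """Emulate the matching the thread describes and return the DSpace group
    name, or None when nothing matches.

    `groupmap_values` are the raw property values as written in the cfg file
    (still escaped). With first_value_only=True only the first occurrence of
    a multi-valued attribute is considered, which is what Diego observed.
    """
    values = parse_ldif_attribute(ldif, attribute)
    if first_value_only:
        values = values[:1]
    for raw in groupmap_values:
        # Assumption of this model: split on the first ':'; the DNs in this
        # thread contain no colon, so the left part is the whole DN.
        ldap_part, _, dspace_group = unescape_dspace6(raw).partition(":")
        for v in values:
            if v.lower() == ldap_part.strip().lower():  # exact, ignoring case
                return dspace_group.strip()
    return None


if __name__ == "__main__":
    dn = "CN=soporte tecnico,OU=deSistema,OU=Grupos,OU=ORG,DC=org,DC=local"
    line = groupmap_line(1, dn, "Group1")
    print(line)
    cfg_value = line.split(" = ", 1)[1]
    print("memberOf values:", parse_ldif_attribute(SAMPLE_LDIF, "memberOf"))
    print("mapped group:", resolve_dspace_group(SAMPLE_LDIF, "memberOf", [cfg_value]))
```

Running it prints the escaped groupmap line from the thread and resolves the user to Group1; pointing the same mapping at the second memberOf value (students) yields no group unless first_value_only is switched off, which is the limitation Tim suspected and Diego confirmed. A bare "soporte tecnico" left part never matches, because the whole attribute value is compared.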