
Hierarchical LDAP support - ID: 2057378



    • Type: Improvement
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.1
    • Fix Version/s: 1.5.2
    • Component/s: None


      The attached file is a new pluggable authentication method to provide
      flexible support for hierarchical LDAP trees (where users are not all in
      the same subtree).

      This patch builds upon two other patches:

      • [2057231] Refactor LDAPServlet to use Stackable Authentication (this
        patch only supports LDAP servers to which you can anonymously bind)
      • [1597831] Patch for Hierarchical LDAP plus Stackable fixes (this does
        not work with LDAP servers which cannot return the DN of a user as one of
        its attributes)

      An additional feature is the ability to set a special group of which all
      LDAP-authenticated users are members. This is useful for automatically
      creating a group of all internal users, if you need to restrict items
      internally where you can't rely on IP authentication.

      It requires the following additions to dspace.cfg:

        ##### Hierarchical LDAP Settings #####
        # If your users are spread out across a hierarchical tree on your
        # LDAP server, you will need to use the following stackable authentication
        # class:
        # plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
        # org.dspace.authenticate.LDAPHierarchicalAuthentication
        # You can optionally specify the search scope. If anonymous access is not
        # enabled on your LDAP server, you will need to specify the full DN and
        # password of a user that is allowed to bind in order to search for the
        # users.

        # This is the search scope value for the LDAP search during
        # autoregistering. This will depend on your LDAP server setup.
        # This value must be one of the following integers corresponding
        # to the following values:
        # object scope : 0
        # one level scope : 1
        # subtree scope : 2
        #ldap.search_scope = 2

        # The full DN and password of a user allowed to connect to the LDAP server
        # and search for the DN of the user trying to log in.
        #ldap.search.user = cn=admin,ou=people,o=myu.edut
        #ldap.search.password = password

        ##### LDAP users group #####
        # If required, a group name can be given here, and all users who log in
        # to LDAP will automatically become members of this group. This is useful
        # if you want a group made up of all internal authenticated users.
        #ldap.login.specialgroup = group-name
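      The settings above describe a search-then-bind flow: bind as the search
      account, find the DN of the person logging in anywhere the configured
      scope allows, then bind as that DN to check the password, and finally
      add the special group. The following is an added example of that flow,
      not code from DSpace or from the attached patch. It runs offline
      against a small in-memory directory that stands in for the LDAP
      server; the ldap.search_base and ldap.id_field keys, the sample tree
      and every function name are this example's own assumptions.

```python
"""Search-then-bind login for a hierarchical LDAP tree.

Added example, not DSpace code. Uses the ldap.search_scope, ldap.search.user,
ldap.search.password and ldap.login.specialgroup settings described above.
An in-memory directory stands in for the server; ldap.search_base and
ldap.id_field are this example's own keys.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4515 escaping for a value placed in a search filter. The login name is
# user input: unescaped, "*" matches every entry and "(" / ")" can alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(id_field: str, netid: str) -> str:
    return f"({id_field}={escape_filter_value(netid)})"

def _rdns(dn: str) -> list:  # plain split is enough for the constructed data
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn: str, base_dn: str, scope: int) -> bool:
    """Apply the ldap.search_scope integer: 0 object, 1 one level, 2 subtree."""
    if scope not in (0, 1, 2):
        raise ValueError("ldap.search_scope must be 0, 1 or 2")
    e, b = _rdns(entry_dn), _rdns(base_dn)
    if len(e) < len(b) or e[-len(b):] != b:
        return False
    depth = len(e) - len(b)
    return True if scope == 2 else depth == scope

def _filter_regex(pattern: str):
    # An unescaped "*" is a wildcard; everything else is literal once the \XX
    # escapes are decoded, so an escaped \2a matches only a literal "*".
    chunks = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), c)
              for c in pattern.split("*")]
    return re.compile("^" + ".*".join(re.escape(c) for c in chunks) + "$")

@dataclass
class Entry:
    dn: str
    attrs: dict
    password: Optional[str] = None  # None: entry cannot bind (containers, groups)

class FakeDirectory:
    """Stand-in for the LDAP server: simple bind plus (attr=value) filters."""
    def __init__(self, entries):
        self.entries = {e.dn.lower(): e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn.lower())
        return e is not None and e.password is not None and password == e.password

    def search(self, base_dn: str, scope: int, filt: str) -> list:
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError(f"unsupported filter: {filt}")
        attr, rx = m.group(1), _filter_regex(m.group(2))
        return [e for e in self.entries.values()
                if in_scope(e.dn, base_dn, scope)
                and attr in e.attrs and rx.match(e.attrs[attr])]

def authenticate(cfg: dict, directory: FakeDirectory, netid: str, password: str):
    """Return (user_dn, groups) on success, None on any failure."""
    # Refuse empty passwords here: on many servers a simple bind with an empty
    # password is treated as an anonymous bind and succeeds.
    if not netid or not password:
        return None
    # 1. Bind as the search account (skipped when the server allows anonymous search).
    if cfg.get("ldap.search.user"):
        if not directory.bind(cfg["ldap.search.user"], cfg["ldap.search.password"]):
            return None
    # 2. Find the user's DN wherever the configured scope allows.
    hits = directory.search(cfg["ldap.search_base"], int(cfg["ldap.search_scope"]),
                            build_filter(cfg["ldap.id_field"], netid))
    if len(hits) != 1:  # unknown or ambiguous: never guess
        return None
    # 3. Prove the password by binding as the DN that was found.
    user_dn = hits[0].dn
    if not directory.bind(user_dn, password):
        return None
    groups = [cfg["ldap.login.specialgroup"]] if cfg.get("ldap.login.specialgroup") else []
    return user_dn, groups

# Constructed sample tree: people live in different subtrees under ou=people.
SAMPLE_TREE = [
    Entry("ou=people,o=myu.edu", {}),
    Entry("cn=admin,ou=people,o=myu.edu", {"uid": "admin"}, "search-secret"),
    Entry("uid=alice,ou=staff,ou=people,o=myu.edu", {"uid": "alice"}, "alice-pw"),
    Entry("uid=bob,ou=students,ou=people,o=myu.edu", {"uid": "bob"}, "bob-pw"),
]
CONFIG = {  # ldap.search_base and ldap.id_field are this example's own keys
    "ldap.search_scope": "2", "ldap.search.user": "cn=admin,ou=people,o=myu.edu",
    "ldap.search.password": "search-secret", "ldap.login.specialgroup": "ldap-users",
    "ldap.search_base": "ou=people,o=myu.edu", "ldap.id_field": "uid",
}
```

      Against a real server the bind and search calls become the JNDI
      (InitialDirContext) or ldap3 equivalents; the checks worth carrying
      over unchanged are the refusal of empty passwords before any bind, the
      RFC 4515 escaping of the login name, and the rule that only exactly one
      search hit is accepted. With ldap.search_scope = 1 the same call for
      alice fails, because she sits two levels below the search base.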




            stuartlewis Stuart Lewis
            kipkorir2008 Charles Kiplagat