SUNScholar/Researcher Authorisation/Step 2

NEXT - STEP 3

PLEASE NOTE:
During the upgrade from DSpace 1.8.2 to 3.2, the ldap config changed and it seems a bug was introduced: https://jira.duraspace.org/browse/DS-1781.

Take special note of the "netid_email_domain = @example.com" parameter at the bottom of the file.

If you do not specify an email suffix such as @example.com there, you will get null suffix errors for eperson email addresses.

Step 2.1 - Enable LDAP
Edit the following file:

nano $HOME/dspace/config/modules/authentication.cfg

Add LDAP authentication to the plugin sequence, see the example below:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
    org.dspace.authenticate.LDAPAuthentication, \
    org.dspace.authenticate.PasswordAuthentication

Step 2.2 - Configure LDAP
Now modify the LDAP config file as follows:

nano $HOME/dspace/config/modules/authentication-ldap.cfg

See the example config below. Lines beginning with # are the comments from the DSpace config file.
# LDAP AUTHENTICATION CONFIGURATIONS
# Configuration properties used by the LDAP Authentication
# plugin, when it is enabled.
#
# In order to enable LDAP Authentication, you must first ensure the
# 'org.dspace.authenticate.LDAPAuthentication'
# class is added to the list of enabled AuthenticationMethods in 'authentication.cfg'.
# See 'authentication.cfg' for more info.
#
# If LDAP is enabled, then new users will be able to register
# by entering their username and password without being sent the
# registration token. If users do not have a username and password,
# then they can still register and login with just their email address
# the same way they do now.
#
# For providing any special privileges to LDAP users,
# you will still need to extend the SiteAuthenticator class to
# automatically put people who have a netid into a special
# group. You might also want to give certain email addresses
# special privileges. Refer to the DSpace documentation for more
# information about how to do this.
#
# It may be necessary to obtain the values of these settings from the
# LDAP server administrators as LDAP configuration will vary from server
# to server.

enable = true
# This setting will enable or disable LDAP authentication in DSpace.
# With the setting off, users will be required to register and login with
# their email address. With this setting on, users will be able to login
# and register with their LDAP user ids and passwords.
# This setting is only used by the JSPUI.


# LDAP AutoRegister Settings

autoregister = false
# This will turn LDAP autoregistration on or off. With this
# on, a new EPerson object will be created for any user who
# successfully authenticates against the LDAP server when they
# first login. With this setting off, the user
# must first register to get an EPerson object by
# entering their ldap username and password and filling out
# the forms.

provider_url = ldap://stbldap01.sun.ac.za:389
provider_url = ldap://stbldap02.sun.ac.za:389
# Note: two servers are listed above, but DSpace reads a single provider_url
# property, so only the last definition takes effect.
# This is the url to the institution's ldap server. The /o=myu.edu
# may or may not be required depending on the LDAP server setup.
# A server may also require the ldaps:// protocol.
# provider_url = ldap://ldap.myu.edu/o=myu.edu

id_field = cn
# This is the unique identifier field in the LDAP directory
# where the username is stored.
# id_field = uid

object_context = ou=USERS,o=SU
# This is the object context used when authenticating the
# user. It is appended to the id_field and username.
# For example uid=username,ou=people,o=myu.edu. This must match
# the LDAP server configuration.
# object_context = ou=people,o=myu.edu

search_context = ou=USERS,o=SU
# This is the search context used when looking up a user's
# LDAP object to retrieve their data for autoregistering.
# With autoregister turned on, when a user authenticates
# without an EPerson object, a search on the LDAP directory to
# get their name and email address is initiated so that DSpace
# can create a EPerson object for them. So after we have authenticated against
# uid=username,ou=people,o=byu.edu we now search in ou=people
# for filtering on [uid=username]. Often the
# search_context is the same as the object_context
# parameter. But again this depends on each individual LDAP server
# configuration.
# search_context = ou=people

email_field = mail
# This is the LDAP object field where the user's email address
# is stored. "mail" is the default and the most common for
# LDAP servers. If the mail field is not found the username
# will be used as the email address when creating the eperson
# object.

surname_field = sn
# This is the LDAP object field where the user's last name is
# stored. "sn" is the default and is the most common for LDAP
# servers. If the field is not found the field will be left
# blank in the new eperson object.

givenname_field = givenName
# This is the LDAP object field where the user's given names
# are stored. This may not be used or set in all LDAP instances.
# If the field is not found the field will be left blank in the
# new eperson object.

phone_field = telephoneNumber
# This is the field where the user's phone number is stored in
# the LDAP directory. If the field is not found the field
# will be left blank in the new eperson object.


# LDAP users group

login.specialgroup = Maties
# If required, a group name can be given here, and all users who log in
# to LDAP will automatically become members of this group. This is useful
# if you want a group made up of all internal authenticated users.


# Hierarchical LDAP Settings

# If your users are spread out across a hierarchical tree on your
# LDAP server, you will need to search the tree to find the full DN of
# the user who is logging in.
# * If anonymous search is allowed on your LDAP server, you will need to set
#   search.anonymous = true
# * If not, you will need to specify the full DN and password of a
#   user that is allowed to bind in order to search for the users.
# * If neither search.anonymous is true, nor search.user is specified,
#   LDAP will not do the hierarchical search for a DN and will assume
#   a flat directory structure.

# This is the optional search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
# object scope : 0
# one level scope : 1
# subtree scope : 2
# search_scope = 2

search.anonymous = false
# If true, the initial bind will be performed anonymously.


# The full DN and password of a user allowed to connect to the LDAP server
# and search for the DN of the user trying to log in.
# search.user = cn=admin,ou=people,o=myu.edu
# search.password = password

netid_email_domain = @sun.ac.za
# If your LDAP server does not hold an email address for a user, you can use
# the following field to specify your email domain. This value is appended
# to the netid in order to make an email address. E.g. a netid of 'user' and
# netid_email_domain as '@example.com' would set the email of the user
# to be 'user@example.com'


# Take the left part of the groupmap value (before the ":") and look it up
# in user's full DN. If it's found, assign user to the DSpace group
# specified by the right part of the groupmap value (after the ":").
# One user may belong to multiple groups.
# login.groupmap.1 = ou=ldap-dept1:dspace-group1
# login.groupmap.2 = ou=ldap-dept2:dspace-groupA
# login.groupmap.3 = ou=ldap-dept3:dspace-groupA

# If this property is uncommented, it changes the meaning of the left part of
# the groupmap value (before the ":") as follows.
# The value of login.groupmap.attribute specifies the name of an LDAP attribute.
# If user has this attribute, look up the value of this attribute in the left
# part of the groupmap value (before the ":"). If it's found, assign user to
# the DSpace group specified by the right part of the groupmap value (after
# the ":").
# login.groupmap.attribute = group
# login.groupmap.1 = ldap-dept1:dspace-group1
# login.groupmap.2 = ldap-dept2:dspace-groupA
# login.groupmap.3 = ldap-dept3:dspace-groupA

Please note: The above configuration uses plain LDAP on the insecure port 389, so the bind credentials (including each user's password) cross the network unencrypted. You may want to test using port 389 first and then switch provider_url to ldaps:// on the secure port 636. If you set search.user and search.password, protect the config file, because the bind password is stored in it in cleartext.
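As an added example (not DSpace's or SUNScholar's own code), the following pre-flight check parses an authentication-ldap.cfg, flags the pitfalls this page discusses (a missing netid_email_domain, a duplicated provider_url, cleartext ldap://, and a missing search bind) and shows the DN that DSpace builds from id_field and object_context. The sample config and the function names are constructed for this example.

```python
# Added pre-flight check for authentication-ldap.cfg (not DSpace or SUNScholar code).
# Parses the file, flags the pitfalls discussed on this page and shows the bind DN.
def parse_cfg(text):
    """Parse 'key = value' lines; a trailing '\\' continues the value. Returns (props, dups)."""
    props, dups, buf = {}, [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            buf = line[:-1]
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key in props:                 # repeated key: the later value overrides
            dups.append(key)
        props[key] = val
    return props, dups

def check_ldap_cfg(text):
    """Return a list of findings; an empty list means the checks passed."""
    props, dups = parse_cfg(text)
    out = []
    for key in ("provider_url", "id_field", "object_context"):
        if not props.get(key):
            out.append(f"{key} is missing")
    if "provider_url" in dups:
        out.append("provider_url is set more than once; only the last value is used")
    if props.get("provider_url", "").startswith("ldap://"):
        out.append("provider_url uses ldap:// (port 389): bind credentials cross the network in cleartext")
    if not props.get("netid_email_domain", "").startswith("@"):
        out.append("netid_email_domain missing or without '@': expect null-suffix eperson email errors (DS-1781)")
    if props.get("search.anonymous", "").lower() != "true" and not props.get("search.user"):
        out.append("neither search.anonymous nor search.user set: DSpace assumes a flat directory")
    return out

def bind_dn(text, username):
    """The DN DSpace authenticates as: <id_field>=<username>,<object_context>."""
    props, _ = parse_cfg(text)
    return f"{props['id_field']}={username},{props['object_context']}"

# Constructed sample mirroring the settings shown on this page.
SAMPLE_CFG = """\
provider_url = ldap://stbldap01.sun.ac.za:389
provider_url = ldap://stbldap02.sun.ac.za:389
id_field = cn
object_context = ou=USERS,o=SU
netid_email_domain = @sun.ac.za
"""
```

Run check_ldap_cfg on the real file (open().read()) before restarting Tomcat; the sample above yields three findings.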