SUNScholar/User Management

From Libopedia
This wiki page relates to the system build and maintenance of: http://scholar.sun.ac.za


Introduction

This procedure assumes that you have used the three step process to install an Ubuntu server with DSpace software.

Digital assets must only be managed by users authorised to do so. DSpace can authenticate using EPerson accounts or using LDAP server accounts. This wiki page describes the method of setting up DSpace to use an institutional LDAP server for user provisioning.

After that is done, it is then up to the repository manager to define privileges for individuals on the repository.

See: http://en.wikipedia.org/wiki/Ldap for more info.

Requirements

Secure network connections

Setup secure internet/network connections before doing LDAP connections.

Campus LDAP server

Please note: For LDAP to work correctly then ALL the user credentials MUST be in ONE LDAP server or replicated using ONE directory tree structure.

If, for example, you have separate servers for staff and students, then LDAP authentication setup is extremely difficult and very risky to maintain in the long term.

Ask the campus IT LDAP system administrators to give you the following details of the campus LDAP servers.

  • hostnames
  • canonical context
  • object context
  • search context
List of open source LDAP server products.

If you do not have an LDAP server on campus, then check the links below and consider starting one.

How to sync with a Microsoft Active Directory

If you want to sync with an existing Microsoft AD server, then check the links below.

Step 1. Check local LDAP on local server

Login to the server:

http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S01

To check LDAP works, first install the following:

sudo apt-get install ldap-utils ldap-auth-config

Fill in all the details requested during installation

Go to the following folder:

cd /etc/ldap

Copy the original ldap.conf:

sudo cp ldap.conf ldap.conf-orig

Delete the original:

sudo rm ldap.conf

Create a link to the master ldap.conf:

sudo ln -s ../ldap.conf

Examples

Example listing of ldap files.

root@ir1:/etc/ldap# ls -l
total 8
lrwxrwxrwx 1 root root  12 2010-09-17 20:13 ldap.conf -> ../ldap.conf
-rw-r--r-- 1 root root 245 2011-12-19 18:19 ldap.conf.dpkg-new
-rw-r--r-- 1 root root 245 2010-09-17 20:12 ldap.conf-orig

Example ldap.conf file.

###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a 
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host stbldap01.sun.ac.za stbldap02.sun.ac.za

# The distinguished name of the search base.
base ou=USERS,o=SU

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
port 636

Conduct LDAP search

Now run a search on the LDAP server:

sudo ldapsearch -x cn=hgibson

Use whatever filters and attributes are needed for your campus LDAP server. If the search is successful then you may continue to set up DSpace below.

Step 2. Setup the DSpace configuration to use LDAP

The settings go in the /home/dspace/dspace-1.8.2-src-release/dspace/config/modules/authentication.cfg file.

Open the config files as follows:

nano /home/dspace/dspace-1.8.2-src-release/dspace/config/modules/authentication.cfg

Add the following to the bottom of the file.

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
	org.dspace.authenticate.LDAPAuthentication, \
	org.dspace.authenticate.PasswordAuthentication

NANO Editor Help
  1. Save the file by typing CTL+O and then pressing Enter.
  2. To exit "nano" type CTL+X.

Now modify the ldap config file as follows.

nano /home/dspace/dspace-1.8.2-src-release/dspace/config/modules/authentication-ldap.cfg

Example DSpace LDAP config

See example config below.

#---------------------------------------------------------------#
#------------LDAP AUTHENTICATION CONFIGURATIONS-----------------#
#---------------------------------------------------------------#
# Configuration properties used by the LDAP Authentication      #
# plugin, when it is enabled.                                   #
#---------------------------------------------------------------#
#
# In order to enable LDAP Authentication, you must first ensure the
# 'org.dspace.authenticate.LDAPAuthentication' OR 
# 'org.dspace.authenticate.LDAPHierarchicalAuthentication'
# class is added to the list of enabled AuthenticationMethods in 'authenticate.cfg'.  
# See 'authenticate.cfg' for more info.
#
# If LDAP is enabled, then new users will be able to register
# by entering their username and  password without being sent the
# registration token. If users do not have a username and password,
# then they  can still register and login with just their email address
# the same way they do now.
#
# For providing any special privileges to LDAP users,
# you will still need to extend the SiteAuthenticator class to
# automatically put people who have a netid into a special
# group.  You might also want to give certain email addresses
# special privileges. Refer to the DSpace documentation for more
# information about how to do this.
#
# It may be necessary to obtain the values of these settings from the
# LDAP server administrators as LDAP configuration will vary from server
# to server.

# This setting will enable or disable LDAP authentication in DSpace.
# With the setting off, users will be required to register and login with
# their email address.  With this setting on, users will be able to login
# and register with their LDAP user ids and passwords.
# This setting is only used by the JSPUI.
enable = true


##### LDAP AutoRegister Settings #####

# This will turn LDAP autoregistration on or off.  With this
# on, a new EPerson object will be created for any user who
# successfully authenticates against the LDAP server when they
# first login.  With this setting off, the user
# must first register to get an EPerson object by
# entering their ldap username and password and filling out
# the forms.
autoregister = true


# This is the url to the institution's ldap server. The /o=myu.edu
# may or may not be required depending on the LDAP server setup.
# A server may also require the ldaps:// protocol.
#provider_url = ldap://ldap.myu.edu/o=myu.edu
# Note: a properties file keeps only the last value given for a repeated
# key, so two provider_url lines do not give failover; only the second
# server listed below is actually used by DSpace.
provider_url = ldap://stbldap01.sun.ac.za:389
provider_url = ldap://stbldap02.sun.ac.za:389

# This is the unique identifier field in the LDAP directory
# where the username is stored.
#id_field = uid
id_field = cn

# This is the object context used when authenticating the
# user.  It is appended to the id_field and username.
# For example uid=username,ou=people,o=myu.edu.  This must match
# the LDAP server configuration.
#object_context = ou=people,o=myu.edu
object_context = ou=USERS,o=SU

# This is the search context used when looking up a user's
# LDAP object to retrieve their data for autoregistering.
# With autoregister turned on, when a user authenticates
# without an EPerson object, a search on the LDAP directory to
# get their name and email address is initiated so that DSpace
# can create a EPerson object for them.  So after we have authenticated against
# uid=username,ou=people,o=byu.edu we now search in ou=people
# for filtering on [uid=username].  Often the
# search_context is the same as the object_context
# parameter.  But again this depends on each individual LDAP server
# configuration.
#search_context = ou=people
search_context = ou=USERS,o=SU

# This is the LDAP object field where the user's email address
# is stored.  "mail" is the default and the most common for
# LDAP servers.  If the mail field is not found the username
# will be used as the email address when creating the eperson
# object.
#email_field = mail
email_field = mail

# This is the LDAP object field where the user's last name is
# stored.  "sn" is the default and is the most common for LDAP
# servers.  If the field is not found the field will be left
# blank in the new eperson object.
#surname_field = sn
surname_field = sn

# This is the LDAP object field where the user's given names
# are stored.  This may not be used or set in all LDAP instances.
# If the field is not found the field will be left blank in the
# new eperson object.
#givenname_field = givenName
givenname_field = fullName

# This is the field where the user's phone number is stored in
# the LDAP directory.  If the field is not found the field
# will be left blank in the new eperson object.
#phone_field = telephoneNumber


##### LDAP users group #####

# If required, a group name can be given here, and all users who log in
# to LDAP will automatically become members of this group. This is useful
# if you want a group made up of all internal authenticated users.
#login.specialgroup = group-name


##### Hierarchical LDAP Settings #####

# If your users are spread out across a hierarchical tree on your
# LDAP server, you will need to use the following stackable authentication
# class:
#  plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
#        org.dspace.authenticate.LDAPHierarchicalAuthentication
#
# You can optionally specify the search scope. If anonymous access is not
# enabled on your LDAP server, you will need to specify the full DN and
# password of a user that is allowed to bind in order to search for the
# users.

# This is the search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
# object scope : 0
# one level scope : 1
# subtree scope : 2
#search_scope = 2

# The full DN and password of a user allowed to connect to the LDAP server
# and search for the DN of the user trying to log in. If these are not specified,
# the initial bind will be performed anonymously.
#search.user = cn=admin,ou=people,o=myu.edu
#search.password = password

# If your LDAP server does not hold an email address for a user, you can use
# the following field to specify your email domain. This value is appended
# to the netid in order to make an email address. E.g. a netid of 'user' and
# netid_email_domain as '@example.com' would set the email of the user
# to be 'user@example.com
#netid_email_domain = @example.com

NANO Editor Help
  1. Save the file by typing CTL+O and then pressing Enter.
  2. To exit "nano" type CTL+X.


Please note: The above configuration uses the unencrypted LDAP port 389, over which user passwords cross the network in the clear. You may want to test first using port 389 and, once logins work, move to the secure ldaps:// protocol on port 636.
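The following pre-flight script is an added example, not part of the original wiki page or of DSpace itself. It ties Step 1 and Step 2 together: it reads a constructed copy of the authentication-ldap.cfg settings shown above, reports which provider_url DSpace will really use (the last one wins), warns when that URL is plain ldap://, builds the DN DSpace binds as for a login name, and prints the ldapsearch command that reproduces the autoregister lookup so you can confirm the mail, sn and fullName attributes exist before enabling the plugin. The config file path and the username hgibson are assumptions for the demonstration.

```shell
#!/bin/sh
# Constructed copy of the DSpace LDAP settings on this page (not the real file).
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
enable = true
autoregister = true
#provider_url = ldap://ldap.myu.edu/o=myu.edu
provider_url = ldap://stbldap01.sun.ac.za:389
provider_url = ldap://stbldap02.sun.ac.za:389
id_field = cn
object_context = ou=USERS,o=SU
search_context = ou=USERS,o=SU
email_field = mail
surname_field = sn
givenname_field = fullName
EOF

# cfg_get <key> <file>: value DSpace uses for a key. Comment lines are skipped
# and, as in a Java properties file, the LAST definition of a key wins.
cfg_get() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
          if (key != k) next
          v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$2"
}

# user_dn <username> <file>: DN DSpace binds as, <id_field>=<user>,<object_context>
user_dn() {
    printf '%s=%s,%s\n' "$(cfg_get id_field "$2")" "$1" "$(cfg_get object_context "$2")"
}

# url_is_tls <file>: succeeds only if the effective provider_url is ldaps://,
# i.e. passwords are not sent over the network in the clear.
url_is_tls() {
    case "$(cfg_get provider_url "$1")" in ldaps://*) return 0 ;; *) return 1 ;; esac
}

# probe_cmd <username> <file>: ldapsearch that mirrors the autoregister lookup,
# fetching only the attributes mapped onto the new EPerson.
probe_cmd() {
    printf 'ldapsearch -x -H %s -b "%s" "(%s=%s)" %s %s %s\n' \
        "$(cfg_get provider_url "$2")" "$(cfg_get search_context "$2")" \
        "$(cfg_get id_field "$2")" "$1" "$(cfg_get email_field "$2")" \
        "$(cfg_get surname_field "$2")" "$(cfg_get givenname_field "$2")"
}

echo "Effective provider_url: $(cfg_get provider_url "$CFG")"
url_is_tls "$CFG" || echo "WARNING: plain ldap://, credentials cross the network unencrypted"
echo "Bind DN for hgibson:   $(user_dn hgibson "$CFG")"
echo "Run to verify:         $(probe_cmd hgibson "$CFG")"
```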


Step 3. Rebuild DSpace

Rebuild the DSpace webapps using the custom rebuild script.

Command Line Help

Go to: http://www.ubuntu.sun.ac.za/wiki/index.php/SelfHelp for more help about the command line programs used in this procedure.
