Difference between revisions of "SUNScholar/Researcher Authorisation"

Latest revision as of 00:03, 10 June 2016

Back to After Installation Tasks

BACK TO OPERATIONAL GUIDE

Introduction

Digital assets must only be managed by users authorised to do so. DSpace can authenticate using ePerson accounts or using LDAP server accounts. This wiki page describes the method of setting up DSpace to use an institutional LDAP server for user provisioning. After that is done, it is then up to the repository manager to define privileges for individuals on the repository.

See: http://en.wikipedia.org/wiki/Ldap for more info.

PLEASE NOTE:

For LDAP to work correctly consistently, it is suggested that ALL the user credentials MUST be in ONE LDAP server or replicated using ONE directory tree structure.
If for example, you have seperate servers for staff and students, then LDAP authentication setup is extremely difficult and very risky to maintain in the long term.

Requirements

Secure LDAP server network connections

*** Ensure you enable secure internet/network connections before doing LDAP connections. ***

Step 1. Server Firewall

Step 2. Secure Connections

Campus LDAP server connection parameters

Ask the campus IT LDAP system administrators to give you the following details of the campus LDAP servers.

hostnames
canonical context
object context
search context

Procedure

Step 1 - Local server LDAP configuration

Step 2 - DSpace configuration

Step 3 - Update XMLUI messages

Step 4 - Configure XMLUI logins

LDAP Products

If you do not have an LDAP server on campus, then check the links below and consider starting one.

Microsoft Active Directory Integration

If you want to sync with an existing Microsoft AD server, then check the links below.

Other Authentication Methods

IP Address Access

Shibboleth

X509 Certificate

YouTube Video

References

https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins

@@ Line 1: / Line 1: @@
 <center>
-  '''[[SUNScholar/Customisation|Back to Customisation]]'''
+  '''[[SUNScholar/Install DSpace/S11|Back to After Installation Tasks]]'''
+ '''[[SUNScholar/Operational_Guide|BACK TO OPERATIONAL GUIDE]]'''
 </center>
-===<font color="red">'''''PLEASE NOTE''''':</font>===
-*''During the upgrade from DSpace 1.8.2 to 3.2, the ldap config changed and it seems a bug was introduced: https://jira.duraspace.org/browse/DS-1781. Take special note of the "'''netid_email_domain = @example.com'''" parameter at the bottom of the file. If you do not specify an ''@example.com'' email suffix, then you will get '''null''' suffix errors for eperson email addreses.''
-*''For LDAP to work correctly then ALL the user credentials MUST be in ONE LDAP server or replicated using ONE directory tree structure.''
 ==Introduction==
-Digital assets must only be managed by users authorised to do so. DSpace can authenticate using ePerson accounts or using LDAP server accounts. This wiki page describes the method of setting up DSpace to use an institutional LDAP server for user provisioning.
+Digital assets must only be managed by users authorised to do so. DSpace can authenticate using ePerson accounts or using LDAP server accounts. This wiki page describes the method of setting up DSpace to use an institutional LDAP server for user provisioning. After that is done, it is then up to the [[SUNScholar/Operational_Guide|repository manager to define privileges]] for individuals on the repository.
-After that is done, it is then up to the repository manager to define privileges for individuals on the repository.
+See: http://en.wikipedia.org/wiki/Ldap for more info.
-See: http://en.wikipedia.org/wiki/Ldap for more info.
+===<font color="red">'''PLEASE NOTE:'''</font>===
+*''For LDAP to work correctly consistently, it is suggested that ALL the user credentials MUST be in ONE LDAP server or replicated using ONE directory tree structure.''
+*''If for example, you have seperate servers for staff and students, then LDAP authentication setup is extremely difficult and very risky to maintain in the long term.''
 ==Requirements==
-===Secure network connections===
+===Secure LDAP server network connections===
-'''<font color="red">Setup secure internet/network connections before doing LDAP connections.</font>'''
+'''<font color="red">*** Ensure you enable secure internet/network connections before doing LDAP connections. ***</font>'''
-*'''[[SUNScholar/Firewall|Step 1. Server Firewall]]'''
+===='''[[SUNScholar/Firewall|Step 1. Server Firewall]]'''====
-*'''[[SUNScholar/Secure_Internet_Connections|Step 2. Secure Connections]]'''
+===='''[[SUNScholar/Secure_Internet_Connections|Step 2. Secure Connections]]'''====
-===Campus LDAP server===
-If for example, you have seperate servers for staff and students, then LDAP authentication setup is extremely difficult and very risky to maintain in the long term.
+===Campus LDAP server connection parameters===
 Ask the campus IT LDAP system administrators to give you the following details of the campus LDAP servers.
 * hostnames
@@ Line 29: / Line 27: @@
 * search context
-;List of open source LDAP server products.
+==Procedure==
+===[[SUNScholar/Researcher Authorisation/Step 1|Step 1 - Local server LDAP configuration]]===
+===[[SUNScholar/Researcher Authorisation/Step 2|Step 2 - DSpace configuration]]===
+===[[SUNScholar/Researcher Authorisation/Step 3|Step 3 - Update XMLUI messages]]===
+===[[SUNScholar/Researcher Authorisation/Step 4|Step 4 - Configure XMLUI logins]]===
+==LDAP Products==
 If you do not have an LDAP server on campus, then check the links below and consider starting one.
 *http://www.openldap.org
-*https://help.ubuntu.com/10.04/serverguide/openldap-server.html
+*http://en.wikipedia.org/wiki/OpenLDAP
+*http://en.wikipedia.org/wiki/List_of_LDAP_software
+*https://help.ubuntu.com/16.04/serverguide/openldap-server.html
+*https://help.ubuntu.com/14.04/serverguide/openldap-server.html
 *https://help.ubuntu.com/12.04/serverguide/openldap-server.html
 *http://www.turnkeylinux.org/openldap
 *http://freeipa.org/page/Main_Page
-*http://directory.fedoraproject.org/wiki/Main_Page
+*http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
-*https://fedorahosted.org/sssd/
-;How to sync with a Microsoft Active Directory
+==Microsoft Active Directory Integration==
 If you want to sync with an existing Microsoft AD server, then check the links below.
+*https://wiki.duraspace.org/display/DSPACE/LDAP+Hierarchical+Authentication+with+Active+Directory
 *http://en.wikipedia.org/wiki/Active_Directory
 *http://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx
@@ Line 48: / Line 56: @@
 *http://www.papercut.com/products/ng/manual/ch-sys-mgmt-user-group-sync.html
-==[[SUNScholar/Researcher Authorisation/Step 1|Step 1 - Local LDAP configuration]]==
+==Other Authentication Methods==
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-StackableAuthenticationMethod(s)
-==[[SUNScholar/Researcher Authorisation/Step 2|Step 2 - DSpace configuration]]==
-==[[SUNScholar/Researcher Authorisation/Step 3|Step 3 - Update XMLUI]]==
-==[[SUNScholar/Researcher Authorisation/Step 4|Step 4 - Configure XMLUI]]==
-==[[SUNScholar/Rebuild_DSpace|Step 5 - Rebuild DSpace]]==
-==Other Access Methods==
 *https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-StackableAuthenticationMethod(s)
 *https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-StackableAuthenticationMethod(s)
 ===IP Address Access===
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-IPAuthentication
 *https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-IPAuthentication
 *https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-IPAuthentication
 ===Shibboleth===
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
 *https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
 *https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
 ===X509 Certificate===
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
 *https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
 *https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
+==YouTube Video==
+<html5media width="560" height="315">https://www.youtube.com/watch?v=2aV4aqN_baQ</html5media>
 ==References==
 *https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins
-*https://wiki.duraspace.org/display/DSDOC5x/Functional+Overview#FunctionalOverview-UserManagement
+*https://wiki.duraspace.org/display/DSDOC5x/Managing+User+Accounts
 ----
 *https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins
-*https://wiki.duraspace.org/display/DSDOC4x/Functional+Overview#FunctionalOverview-UserManagement
+*https://wiki.duraspace.org/display/DSDOC4x/Managing+User+Accounts
 ----
-*https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-LDAPAuthentication
+*https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins
-----
+[[Category:System Administration]]
-*https://wiki.duraspace.org/display/DSPACE/LDAP+Hierarchical+Authentication+with+Active+Directory
+[[Category:Operations]]
-*http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
+[[Category:Installation]]
-*http://en.wikipedia.org/wiki/OpenLDAP
+__NOTOC__
-*http://en.wikipedia.org/wiki/List_of_LDAP_software
-*http://opensource.com/business/14/5/four-open-source-alternatives-LDAP
-*http://vinzlinux.blogspot.in/2015/01/openldap-server-and-client_59.html