Difference between revisions of "SUNScholar/Researcher Authorisation"

Latest revision as of 00:03, 10 June 2016

Back to After Installation Tasks

BACK TO OPERATIONAL GUIDE

Introduction

Digital assets must only be managed by users authorised to do so. DSpace can authenticate using ePerson accounts or using LDAP server accounts. This wiki page describes the method of setting up DSpace to use an institutional LDAP server for user provisioning. After that is done, it is then up to the repository manager to define privileges for individuals on the repository.

See: http://en.wikipedia.org/wiki/Ldap for more info.

PLEASE NOTE:

For LDAP to work correctly consistently, it is suggested that ALL the user credentials MUST be in ONE LDAP server or replicated using ONE directory tree structure.
If for example, you have seperate servers for staff and students, then LDAP authentication setup is extremely difficult and very risky to maintain in the long term.

Requirements

Secure LDAP server network connections

*** Ensure you enable secure internet/network connections before doing LDAP connections. ***

Step 1. Server Firewall

Step 2. Secure Connections

Campus LDAP server connection parameters

Ask the campus IT LDAP system administrators to give you the following details of the campus LDAP servers.

hostnames
canonical context
object context
search context

Procedure

Step 1 - Local server LDAP configuration

Step 2 - DSpace configuration

Step 3 - Update XMLUI messages

Step 4 - Configure XMLUI logins

LDAP Products

If you do not have an LDAP server on campus, then check the links below and consider starting one.

Microsoft Active Directory Integration

If you want to sync with an existing Microsoft AD server, then check the links below.

Other Authentication Methods

IP Address Access

Shibboleth

X509 Certificate

YouTube Video

References

https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins

@@ Line 1: / Line 1: @@
-<font color="red">'''This procedure assumes that you have used the [[SUNScholar/Dspace|three step process]] to install DSpace.'''</font>
+<center>
+ '''[[SUNScholar/Install DSpace/S11|Back to After Installation Tasks]]'''
-=Introduction=
+ '''[[SUNScholar/Operational_Guide|BACK TO OPERATIONAL GUIDE]]'''
-Digital assets must only be managed by users authorised to do so. Dspace can authenticate using ePerson accounts or using LDAP server accounts. This wiki page describes the method of setting up DSpace to use an institutional LDAP server for user provisioning. After that is done, it is then up to the repository manager to define which individuals have submitter, reviewer and metadata editor privileges.
+</center>
+==Introduction==
+Digital assets must only be managed by users authorised to do so. DSpace can authenticate using ePerson accounts or using LDAP server accounts. This wiki page describes the method of setting up DSpace to use an institutional LDAP server for user provisioning. After that is done, it is then up to the [[SUNScholar/Operational_Guide|repository manager to define privileges]] for individuals on the repository.
 See: http://en.wikipedia.org/wiki/Ldap for more info.
-=Requirements=
+===<font color="red">'''PLEASE NOTE:'''</font>===
-Ask the campus IT system administrators to give you the following details of the campus LDAP servers.
+*''For LDAP to work correctly consistently, it is suggested that ALL the user credentials MUST be in ONE LDAP server or replicated using ONE directory tree structure.''
+*''If for example, you have seperate servers for staff and students, then LDAP authentication setup is extremely difficult and very risky to maintain in the long term.''
+==Requirements==
+===Secure LDAP server network connections===
+'''<font color="red">*** Ensure you enable secure internet/network connections before doing LDAP connections. ***</font>'''
+===='''[[SUNScholar/Firewall|Step 1. Server Firewall]]'''====
+===='''[[SUNScholar/Secure_Internet_Connections|Step 2. Secure Connections]]'''====
+===Campus LDAP server connection parameters===
+Ask the campus IT LDAP system administrators to give you the following details of the campus LDAP servers.
 * hostnames
 * canonical context
 * object context
 * search context
-See the setup below for example DSpace configuration details.
-=Check LDAP=
-To check LDAP works, first install the following:
- sudo apt-get install ldap-utils ldap-auth-config
-Fill in all the details requested during installation
-Go to the following folder:
- sudo  cd /etc/ldap
-Copy the original ldap.conf:
- sudo  cp ldap.conf ldap.conf-orig
-Delete the original:
- sudo  rm ldap.conf
-Create a link to the master ldap.conf
- sudo  ln -s ../ldap.conf
-Now run a search on the LDAP server:
- sudo  ldapsearch -x cn=hgibson
-Use whatever filters and attributes that are needed for your campus LDAP server. If the search is successful then you may continue to setup Dspace below.
-=Setup Dspace=
-The settings in the '''/home/dspace/dspace-1.7.2-src-release/dspace/config/dspace.cfg''' file.
-Open the config files as follows:
+==Procedure==
+===[[SUNScholar/Researcher Authorisation/Step 1|Step 1 - Local server LDAP configuration]]===
+===[[SUNScholar/Researcher Authorisation/Step 2|Step 2 - DSpace configuration]]===
+===[[SUNScholar/Researcher Authorisation/Step 3|Step 3 - Update XMLUI messages]]===
+===[[SUNScholar/Researcher Authorisation/Step 4|Step 4 - Configure XMLUI logins]]===
- nano /home/dspace/dspace-1.7.2-src-release/dspace/config/dspace.cfg
+==LDAP Products==
+If you do not have an LDAP server on campus, then check the links below and consider starting one.
+*http://www.openldap.org
+*http://en.wikipedia.org/wiki/OpenLDAP
+*http://en.wikipedia.org/wiki/List_of_LDAP_software
+*https://help.ubuntu.com/16.04/serverguide/openldap-server.html
+*https://help.ubuntu.com/14.04/serverguide/openldap-server.html
+*https://help.ubuntu.com/12.04/serverguide/openldap-server.html
+*http://www.turnkeylinux.org/openldap
+*http://freeipa.org/page/Main_Page
+*http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
-And search for the following and modify to suit your campus.
+==Microsoft Active Directory Integration==
-<pre>
+If you want to sync with an existing Microsoft AD server, then check the links below.
-plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
+*https://wiki.duraspace.org/display/DSPACE/LDAP+Hierarchical+Authentication+with+Active+Directory
-	org.dspace.authenticate.LDAPAuthentication, \
+*http://en.wikipedia.org/wiki/Active_Directory
-	org.dspace.authenticate.PasswordAuthentication
+*http://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx
-</pre>
+*http://www.windowsitpro.com/article/ldap/integrate-active-directory-and-openldap
-Above is the stackable mechanism. First LDAP then ePersons are checked for authorisation.
+*http://lsc-project.org/wiki
+*https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync.html
+*http://directory.fedoraproject.org/wiki/Howto:WindowsSync
+*http://www.papercut.com/products/ng/manual/ch-sys-mgmt-user-group-sync.html
-The specific LDAP settings.
+==Other Authentication Methods==
-<pre>
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-StackableAuthenticationMethod(s)
-authentication.password.domain.valid = sun.ac.za
+*https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-StackableAuthenticationMethod(s)
-ldap.enable = true
+*https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-StackableAuthenticationMethod(s)
-ldap.provider_url = ldap://stbldap01.sun.ac.za:636
+===IP Address Access===
-ldap.provider_url = ldap://stbldap02.sun.ac.za:636
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-IPAuthentication
-ldap.id_field = cn
+*https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-IPAuthentication
-ldap.object_context = ou=USERS,o=SU
+*https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-IPAuthentication
-ldap.search_context = ou=USERS,o=SU
+===Shibboleth===
-ldap.email_field = mail
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
-ldap.surname_field = sn
+*https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
-ldap.givenname_field = fullName
+*https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
-webui.ldap.autoregister = true
+===X509 Certificate===
-</pre>
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
-Now [[SUNScholar/Rebuild_Dspace|rebuild your webapps]] and test.
+*https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
+*https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
-'''Please note:''' The above configuration uses the secure LDAP port '''636''', you may want to test using the insecure port of '''389''' and then move to the secure port.
+==YouTube Video==
+<html5media width="560" height="315">https://www.youtube.com/watch?v=2aV4aqN_baQ</html5media>
- '''[[SUNScholar/IR|Back to IR Help]]'''
+==References==
+*https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins
+*https://wiki.duraspace.org/display/DSDOC5x/Managing+User+Accounts
+----
+*https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins
+*https://wiki.duraspace.org/display/DSDOC4x/Managing+User+Accounts
+----
+*https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins
+[[Category:System Administration]]
+[[Category:Operations]]
+[[Category:Installation]]
+__NOTOC__