Difference between revisions of "SUNScholar/Researcher Authorisation/Step 2"
<center>
'''[[SUNScholar/Researcher Authorisation/Step_3|NEXT - STEP 3]]'''
</center>

==<font color="red">'''''PLEASE NOTE''''':</font>==
During the upgrade from DSpace 1.8.2 to 3.2 the LDAP configuration changed and a bug appears to have been introduced: https://jira.duraspace.org/browse/DS-1781.

Take special note of the "'''netid_email_domain = @example.com'''" parameter at the bottom of the file.

If you do not specify an ''@example.com'' email suffix, you will get '''null''' suffix errors for EPerson email addresses. Set it to your institution's mail domain, including the leading '''@''', before the first LDAP user logs in.

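To make the note above concrete, here is a small Python model of how the settings in this file combine at login time: the bind DN in flat mode, the lookup under search_context in the search modes, the search filter, and the EPerson email that autoregistration derives. It is an added example, not DSpace source code; the LdapSettings class, the function names and the directory entries are constructed for illustration, and treating an unset netid_email_domain as the literal text "null" (what Java string concatenation does with a null reference) is an assumption that matches the symptom the note describes.

```python
"""Model of how the LDAP settings on this page combine at login time.

Added example, not DSpace source code. The function names, the LdapSettings
class and the directory entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LdapSettings:
    """The subset of authentication-ldap.cfg that decides the DN and the email."""
    id_field: str = "uid"
    object_context: str = "ou=people,o=myu.edu"
    search_context: str = "ou=people,o=myu.edu"
    search_anonymous: bool = False
    search_user: Optional[str] = None
    email_field: str = "mail"
    netid_email_domain: Optional[str] = None


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = "".join("\\" + ch if ch in '\\,+"<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the netid cannot alter the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def lookup_mode(cfg: LdapSettings) -> str:
    """The three cases from the 'Hierarchical LDAP Settings' comments."""
    if cfg.search_anonymous:
        return "anonymous-search"
    if cfg.search_user:
        return "bound-search"
    return "flat"


def search_filter(cfg: LdapSettings, netid: str) -> str:
    """Filter used to fetch the user's entry for autoregistration."""
    return f"({cfg.id_field}={escape_filter_value(netid)})"


def resolve_dn(cfg: LdapSettings, netid: str, directory: Dict[str, dict]) -> Optional[str]:
    """Flat mode builds the DN; the search modes find it under search_context."""
    if lookup_mode(cfg) == "flat":
        return f"{cfg.id_field}={escape_dn_value(netid)},{cfg.object_context}"
    for dn, entry in directory.items():  # stands in for a subtree search
        if dn.endswith(cfg.search_context) and entry.get(cfg.id_field) == netid:
            return dn
    return None


def eperson_email(cfg: LdapSettings, netid: str, entry: dict) -> str:
    """Autoregister email: the mail attribute, else netid + netid_email_domain."""
    mail = entry.get(cfg.email_field)
    if mail:
        return mail
    # Assumption matching the page's symptom: an unset domain behaves like a
    # Java null in string concatenation and shows up as the text "null".
    domain = cfg.netid_email_domain if cfg.netid_email_domain is not None else "null"
    return netid + domain


# Settings from this page, DSpace 5 form.
SUN = LdapSettings(id_field="cn", object_context="ou=USERS,o=SU",
                   search_context="ou=USERS,o=SU", netid_email_domain="@sun.ac.za")

# Constructed sample directory (not real accounts); svc01 has no mail attribute.
DIRECTORY = {
    "cn=jsmith,ou=USERS,o=SU": {"cn": "jsmith", "sn": "Smith", "givenName": "Jane",
                                "mail": "jane.smith@sun.ac.za"},
    "cn=svc01,ou=USERS,o=SU": {"cn": "svc01", "sn": "Service"},
}

if __name__ == "__main__":
    for dn, entry in DIRECTORY.items():
        netid = entry["cn"]
        print(resolve_dn(SUN, netid, DIRECTORY), search_filter(SUN, netid),
              eperson_email(SUN, netid, entry))
    # Same settings with netid_email_domain left unset: svc01 would be
    # registered as "svc01null", which is the failure the note warns about.
    unset = LdapSettings(id_field="cn", object_context="ou=USERS,o=SU")
    print(eperson_email(unset, "svc01", DIRECTORY["cn=svc01,ou=USERS,o=SU"]))
```

The loop in resolve_dn stands in for an LDAP search with subtree scope (search_scope = 2) under search_context; with the page's settings (search.anonymous = false and no search.user) the plugin never searches and simply appends object_context to cn=<username>, so the DN escaping is what keeps a username containing a comma from producing a different DN.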
==Step 2 - DSpace configuration==
===Step 2.1 - Enable LDAP===
Edit the following file:

 nano $HOME/{{Source}}/dspace/config/modules/authentication.cfg

Add LDAP authentication to the plugin sequence, see example below. The methods are tried in the order listed, so LDAP is consulted first and DSpace's own password authentication stays available as a fallback (for example for the local administrator account).
<pre>
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
    org.dspace.authenticate.LDAPAuthentication, \
    org.dspace.authenticate.PasswordAuthentication
</pre>

===Step 2.2 - Configure LDAP===
Now modify the LDAP config file as follows.
 nano $HOME/{{Source}}/dspace/config/modules/authentication-ldap.cfg

{{
Quote | DSpace 6 changes | The example below applies to DSpace 5. For DSpace 6 all configuration options require an authentication-ldap prefix (e.g. authentication-ldap.provider_url), and all commas in the contexts need to be escaped with a backslash.
}}

<pre>
#---------------------------------------------------------------#
#------------LDAP AUTHENTICATION CONFIGURATIONS-----------------#
#---------------------------------------------------------------#
# Configuration properties used by the LDAP Authentication      #
# plugin, when it is enabled.                                   #
#---------------------------------------------------------------#
#
# In order to enable LDAP Authentication, you must first ensure the
# 'org.dspace.authenticate.LDAPAuthentication'
# class is added to the list of enabled AuthenticationMethods in
# 'modules/authentication.cfg' (see Step 2.1).
#
# If LDAP is enabled, then new users will be able to register
# by entering their username and password without being sent the
# registration token. If users do not have a username and password,
# then they can still register and login with just their email address
# the same way they do now.
#
# For providing any special privileges to LDAP users,
# you will still need to extend the SiteAuthenticator class to
# automatically put people who have a netid into a special
# group. You might also want to give certain email addresses
# special privileges. Refer to the DSpace documentation for more
# information about how to do this.
#
# It may be necessary to obtain the values of these settings from the
# LDAP server administrators as LDAP configuration will vary from server
# to server.

# This setting will enable or disable LDAP authentication in DSpace.
# With the setting off, users will be required to register and login with
# their email address. With this setting on, users will be able to login
# and register with their LDAP user ids and passwords.
# This setting is only used by the JSPUI.
enable = true


##### LDAP AutoRegister Settings #####

# This will turn LDAP autoregistration on or off. With this
# on, a new EPerson object will be created for any user who
# successfully authenticates against the LDAP server when they
# first login. With this setting off, the user
# must first register to get an EPerson object by
# entering their ldap username and password and filling out
# the forms.
autoregister = false


# This is the url to the institution's ldap server. The /o=myu.edu
# may or may not be required depending on the LDAP server setup.
# A server may also require the ldaps:// protocol.
# Only ONE provider_url is read. The file is loaded as Java properties,
# so a repeated key silently replaces the earlier value: listing both
# stbldap01 and stbldap02 would only ever use stbldap02. Put failover
# in DNS or a load balancer in front of a single name instead.
#provider_url = ldap://ldap.myu.edu/o=myu.edu
#provider_url = ldap://stbldap01.sun.ac.za:389
provider_url = ldap://stbldap02.sun.ac.za:389

# This is the unique identifier field in the LDAP directory
# where the username is stored.
#id_field = uid
id_field = cn

# This is the object context used when authenticating the
# user. It is appended to the id_field and username.
# For example uid=username,ou=people,o=myu.edu. This must match
# the LDAP server configuration.
#object_context = ou=people,o=myu.edu
object_context = ou=USERS,o=SU

# This is the search context used when looking up a user's
# LDAP object to retrieve their data for autoregistering.
# With autoregister turned on, when a user authenticates
# without an EPerson object, a search on the LDAP directory to
# get their name and email address is initiated so that DSpace
# can create an EPerson object for them. So after we have authenticated against
# uid=username,ou=people,o=myu.edu we now search in ou=people
# for filtering on [uid=username]. Often the
# search_context is the same as the object_context
# parameter. But again this depends on each individual LDAP server
# configuration.
#search_context = ou=people
search_context = ou=USERS,o=SU

# This is the LDAP object field where the user's email address
# is stored. "mail" is the default and the most common for
# LDAP servers. If the mail field is not found the username
# will be used as the email address when creating the eperson
# object.
email_field = mail

# This is the LDAP object field where the user's last name is
# stored. "sn" is the default and is the most common for LDAP
# servers. If the field is not found the field will be left
# blank in the new eperson object.
surname_field = sn

# This is the LDAP object field where the user's given names
# are stored. This may not be used or set in all LDAP instances.
# If the field is not found the field will be left blank in the
# new eperson object.
givenname_field = givenName

# This is the field where the user's phone number is stored in
# the LDAP directory. If the field is not found the field
# will be left blank in the new eperson object.
phone_field = telephoneNumber


##### LDAP users group #####

# If required, a group name can be given here, and all users who log in
# to LDAP will automatically become members of this group. This is useful
# if you want a group made up of all internal authenticated users.
login.specialgroup = Maties


##### Hierarchical LDAP Settings #####

# If your users are spread out across a hierarchical tree on your
# LDAP server, you will need to search the tree to find the full DN of
# the user who is logging in.
#
# * If anonymous search is allowed on your LDAP server, you will need to set
#   search.anonymous = true
# * If not, you will need to specify the full DN and password of a
#   user that is allowed to bind in order to search for the users.
# * If neither search.anonymous is true, nor search.user is specified,
#   LDAP will not do the hierarchical search for a DN and will assume
#   a flat directory structure.

# This is the optional search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
# object scope : 0
# one level scope : 1
# subtree scope : 2
#search_scope = 2

# If true, the initial bind will be performed anonymously.
search.anonymous = false

# The full DN and password of a user allowed to connect to the LDAP server
# and search for the DN of the user trying to log in.
# If you set these, this file holds a directory credential: use a
# dedicated read-only account for it and make the file readable only
# by the account DSpace runs as.
#search.user = cn=admin,ou=people,o=myu.edu
#search.password = password

# If your LDAP server does not hold an email address for a user, you can use
# the following field to specify your email domain. This value is appended
# to the netid in order to make an email address. E.g. a netid of 'user' and
# netid_email_domain as '@example.com' would set the email of the user
# to be 'user@example.com'. Leave it unset and such users get a 'null'
# suffix instead (see the note at the top of this page).
netid_email_domain = @sun.ac.za

# Take the left part of the groupmap value (before the ":") and look it up
# in user's full DN. If it's found, assign user to the DSpace group
# specified by the right part of the groupmap value (after the ":").
# One user may belong to multiple groups.
#login.groupmap.1 = ou=ldap-dept1:dspace-group1
#login.groupmap.2 = ou=ldap-dept2:dspace-groupA
#login.groupmap.3 = ou=ldap-dept3:dspace-groupA

# If this property is uncommented, it changes the meaning of the left part of
# the groupmap value (before the ":") as follows.
# The value of login.groupmap.attribute specifies the name of an LDAP attribute.
# If user has this attribute, look up the value of this attribute in the left
# part of the groupmap value (before the ":"). If it's found, assign user to
# the DSpace group specified by the right part of the groupmap value (after
# the ":").
#login.groupmap.attribute = group
#login.groupmap.1 = ldap-dept1:dspace-group1
#login.groupmap.2 = ldap-dept2:dspace-groupA
#login.groupmap.3 = ldap-dept3:dspace-groupA
</pre>
----
'''Please note:''' The configuration above uses plain LDAP on port '''389''', which sends every bind DN and password (the user's, and search.password if you set it) across the network unencrypted. That is acceptable for initial testing on a trusted network; once the bind and the autoregister lookup work, change provider_url to '''ldaps://''' on port '''636''' (for example ''ldaps://stbldap02.sun.ac.za:636'') and make sure the Java runtime that runs DSpace trusts the certificate the LDAP server presents, otherwise the TLS handshake fails and LDAP logins stop working.
----
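The two notes on this page (the netid_email_domain caveat and the port 389 caveat) and the DSpace 6 migration rule above are easy to get wrong by hand, so here is an added Python check that reads a DSpace 5 style authentication-ldap.cfg, reports what a reviewer of this file would flag, rewrites provider_url to LDAPS on 636, and emits the DSpace 6 form (prefix plus escaped commas). It is my example, not a DSpace tool; the sample configuration is embedded inline, the rules are the ones stated on this page, and the duplicate-key check rests on one loader fact: in a Java properties file a repeated key keeps only its last value.

```python
"""Lint a DSpace 5 authentication-ldap.cfg and emit the DSpace 6 form.

Added example, not a DSpace tool. The rules are the ones stated on this
page (plain ldap:// is cleartext, netid_email_domain needs a leading '@',
DSpace 6 wants an authentication-ldap. prefix and escaped commas in the
contexts) plus one loader fact: in a Java properties file a repeated key
keeps only its last value.
"""
from urllib.parse import urlsplit

# Constructed sample: the page's configuration reduced to its active lines,
# with the repeated provider_url kept on purpose.
SAMPLE_CFG = """\
enable = true
autoregister = false
provider_url = ldap://stbldap01.sun.ac.za:389
provider_url = ldap://stbldap02.sun.ac.za:389
id_field = cn
object_context = ou=USERS,o=SU
search_context = ou=USERS,o=SU
email_field = mail
login.specialgroup = Maties
search.anonymous = false
#search.user = cn=admin,ou=people,o=myu.edu
#search.password = password
netid_email_domain = @sun.ac.za
"""

# Keys whose values are DNs, so their commas must not be split by DSpace 6.
CONTEXT_KEYS = {"object_context", "search_context", "search.user"}


def parse_properties(text):
    """Return (settings, duplicated_keys); a later duplicate overwrites the earlier value."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates


def lint(settings, duplicates):
    """Findings a reviewer of this file would raise, as plain strings."""
    findings = [f"{key} appears more than once; only the last value takes effect"
                for key in duplicates]
    url = settings.get("provider_url", "")
    if urlsplit(url).scheme == "ldap":
        findings.append(f"{url} is plain LDAP: bind passwords cross the network "
                        "in cleartext, use ldaps:// on 636")
    domain = settings.get("netid_email_domain")
    if domain is None:
        findings.append("netid_email_domain is unset: users without a mail "
                        "attribute get a null suffix (DS-1781)")
    elif not domain.startswith("@"):
        findings.append("netid_email_domain must start with '@'")
    if "search.password" in settings:
        findings.append("search.password puts a directory credential in this "
                        "file; restrict its permissions")
    return findings


def secure_provider_url(url):
    """Rewrite a plain ldap:// URL to LDAPS on 636 for the same host."""
    return f"ldaps://{urlsplit(url).hostname}:636"


def to_dspace6(settings):
    """Prefix every key and escape the commas inside DN values."""
    lines = []
    for key, value in settings.items():
        if key in CONTEXT_KEYS:
            value = value.replace(",", "\\,")
        lines.append(f"authentication-ldap.{key} = {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    settings, duplicates = parse_properties(SAMPLE_CFG)
    for finding in lint(settings, duplicates):
        print("WARN:", finding)
    settings["provider_url"] = secure_provider_url(settings["provider_url"])
    print(to_dspace6(settings))
```

Run against the page's own values it reports the repeated provider_url and the cleartext port and nothing else; after secure_provider_url the lint is clean. The converter only escapes commas in the DN-valued keys, because in DSpace 6 a comma is the list separator and an unescaped ou=USERS,o=SU would be read as two values.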
[[Category:System Administration]]
Latest revision as of 13:55, 21 November 2018