Closed dspace-bot closed 14 years ago
vly said:
[14:13] DS-50 - Major/Improvement - LDAP+Active Directory authentication patch - ID: 2100378 - http://jira.dspace.org/jira/browse/DS-50 - [unassigned / Charles Kiplagat]
[14:14] DS-50
vly said:
See also:
http://wiki.dspace.org/index.php/JIRA_Cleanup#2009-08-25
stuartlewis said:
If this is still an issue, please re-open or resubmit. Hopefully this should work now with the hierarchical LDAP solution introduced in 1.5.2.
Imported from JIRA [DS-50] created by kipkorir2008
Thanks, Stuart -
I'll submit the patch to the queue.
You can grab a zip file that includes only the
changed files here:
http://erwg.lib.auburn.edu/dspace-ldap_20080828.zip
The main changes were:
*. Our A.D. setup does not allow anonymous bind,
and also has user info scattered around the LDAP tree.
To bind an arbitrary user, we pass a distinguished name
of:
DOMAIN\USER-ID
rather than some LDAP path like cn=USER&ou=People&dc=...
We detect this case by allowing the admin
to specify
windows_domain:domain-name
(something like that) as the LDAP object-context in dspace.cfg.
*. Since our user info is scattered through an LDAP tree -
I patched the "lookup user info" part of the code
to specify a recursive JNDI search.
Your last patch may have done the same thing.
*. We would like a user that successfully authenticates against A.D.
to automatically be given certain privileges.
I set up the getSpecialGroups function to accept a list of group-ids in
the
"ldap.dspace.autogroup"
dspace.cfg parameter.
*. I wanted to be able to run a standalone test case against the LDAP
authenticate and search code, so I split out the 'DataFromLDAP'
nested class to an external interface, and include a junit test case.
Also added a few lines to pom.xml to help run the test with verbose
logging, etc.
Cheers,
Reuben
>>> Stuart Lewis 9/6/2008 7:57 AM >>>
Hi Reuben,
Thanks for getting in touch. I've got that email sitting in my inbox
waiting
for me to get around to replying to it - sorry it has taken a little
while.
What changes have you made to make it work with Active Directory?
It would be great if you could formally submit your patch to the DSpace
patch queue
(http://sourceforge.net/tracker/?atid=319984&group_id=19984&func=browse).
There are a few of us working on a generic LDAP authenticator which will
hopefully work with any AD / LDAP system, so it would be good to see what
changes you've made to see if we can incorporate them too.
Thanks,
Stuart
On 28/08/2008 16:14, "Reuben Pasquini" wrote:
> Hello!
>
> I've put together a set of patches to the LDAPAuthentication
> code to get it working against Active Directory at Auburn
> University, support implicit-group member-ids in dspace.cfg,
> and add a JUnit regression test.
> I think the changes are backward compatible and generic,
> but I've only tested the code in my environment.
>
> I hope that we can check this patch into the dspace repository.
> An overview and svn diff follow, and a zip file with
> the modified files is available here:
> http://erwg.lib.auburn.edu/dspace-ldap_20080828.zip
> Please take a look, and let me know what you think.
>
> Cheers,
> Reuben
>
> -----------------------------------
>
> Changes under dspace-api org.dspace.authentication.
>
> *. Moved the
> LDAPAuthentication.SpeakerToLDAP
> nested class out to its own non-nested interface
> with a DefaultSpeakerToLDAP implementation.
>
> *. Refactored SpeakerToLDAP#ldapAuthenticate(...)
> to return a DataFromLDAP POJO data object
> rather than set object member variables.
>
> *. Implemented SpeakerToLDAPCase JUnit test-case
> and PackageTestSuite classes to support simple
> regression tests against SpeakerToLDAP implementations.
> Modified pom.xml so that
> 'mvn test'
> runs with a verbose log4j setting.
>
> *. Modified the way SpeakerToLDAP handles the
> ldap.object_context
> dspace.cfg configuration property so that
> if the ldap.object_context matches
> 'WINDOWS_DOMAIN:DOMAIN_NAME',
> then LDAP attempts to bind with
> 'DOMAIN_NAME\NETID'
> rather than
> 'cn=NETID,ldap.object_context'
> . This change allows us to configure LDAP
> to bind with Active Directory out of the box.
>
> *. Modified the LDAP search for user-info to take a SearchControls
> parameter that specifies a recursive tree-search under the
> ldap.search_context
> tree for a single user-object result.
> Once again - this allows LDAPAuthenticate to work
> with an Active Directory tree that has user objects
> organized into different folders under a tree.
>
> *. Modified LDAPAuthentication.getSpecialGroups
> to access the
> ldap.dspace.autogroup
> dspace.cfg configuration property
> to get the group-ids that an LDAP-authenticated
> user should be an implicit member of.
> This makes it easy to configure a system where
> every user that can authenticate can also
> submit material to some collections.
>
> *. Changed some of the if/else nesting in
> LDAPAuthentication.authenticate
> so that instead of having something like
> if ()
{
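As an added example (not Reuben's patch and not DSpace's own code), the three configuration rules the quoted message describes, written out against the JNDI API the patch targets: deriving the bind name from ldap.object_context, a subtree SearchControls for the user lookup under ldap.search_context, and parsing ldap.dspace.autogroup. The class name LdapBindHelper, the helper method names, the sample dspace.cfg values and the sAMAccountName attribute are assumptions for this illustration. The escaping and the empty-password check are additions a reviewer would ask for: the netid reaches both a DN and a search filter, and an LDAP simple bind with an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that Active Directory answers with success, so an authenticator that forwards an empty password to the bind would log the user in.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.directory.SearchControls;

/** Added illustration only; names and sample values are assumptions, not DSpace code. */
public class LdapBindHelper {
    private static final String WINDOWS_DOMAIN_PREFIX = "WINDOWS_DOMAIN:";

    /** Escape a value spliced into a search filter (RFC 4515) so "jd*)(cn=*" stays a literal. */
    public static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escape a value used as an RDN attribute value inside a DN (RFC 4514). */
    public static String escapeDn(String value) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') { sb.append("\\00"); continue; }
            boolean edgeSpace = c == ' ' && (i == 0 || i == value.length() - 1);
            if ("\\,+\"<>;=".indexOf(c) >= 0 || edgeSpace || (c == '#' && i == 0)) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    /**
     * Bind name derived from ldap.object_context as the message describes:
     *   WINDOWS_DOMAIN:DOMAIN_NAME  ->  DOMAIN_NAME\netid   (AD down-level logon name)
     *   anything else               ->  cn=netid,<object_context>
     */
    public static String bindName(String objectContext, String netid) {
        if (objectContext.startsWith(WINDOWS_DOMAIN_PREFIX)) {
            return objectContext.substring(WINDOWS_DOMAIN_PREFIX.length()) + "\\" + netid;
        }
        return "cn=" + escapeDn(netid) + "," + objectContext;
    }

    /** Empty password = unauthenticated bind (RFC 4513 s.5.1.2), which AD accepts: refuse it first. */
    public static boolean credentialsUsable(String netid, String password) {
        return netid != null && !netid.trim().isEmpty() && password != null && !password.isEmpty();
    }

    /** JNDI environment for the user's own bind; the caller passes it to new InitialDirContext(env). */
    public static Hashtable<String, String> bindEnvironment(String providerUrl, String principal, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);   // e.g. AUBURN\jdoe for the AD case
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** Recursive lookup under ldap.search_context; a second hit means the filter is ambiguous. */
    public static SearchControls userSearchControls(String[] returningAttrs) {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);  // whole tree, not one OU
        sc.setCountLimit(2);                              // we expect exactly one user object
        sc.setReturningAttributes(returningAttrs);
        return sc;
    }

    /** Filter for ctx.search(searchContext, filter, controls); idField is the site's user key (assumed). */
    public static String userFilter(String idField, String netid) {
        return "(" + idField + "=" + escapeFilter(netid) + ")";
    }

    /** ldap.dspace.autogroup = "3, 7,12" -> group ids 3, 7, 12; blank entries are skipped. */
    public static List<Integer> autoGroups(String cfgValue) {
        List<Integer> ids = new ArrayList<>();
        if (cfgValue == null) return ids;
        for (String piece : cfgValue.split(",")) {
            String t = piece.trim();
            if (!t.isEmpty()) ids.add(Integer.parseInt(t));
        }
        return ids;
    }

    public static void main(String[] args) {
        System.out.println("AD bind name:   " + bindName("WINDOWS_DOMAIN:AUBURN", "jdoe"));
        System.out.println("plain LDAP DN:  " + bindName("ou=People,dc=example,dc=edu", "jdoe"));
        System.out.println("escaped filter: " + userFilter("sAMAccountName", "jd*)(objectClass=*"));
        System.out.println("auto groups:    " + autoGroups(" 3, 7,12 "));
        System.out.println("empty password: " + credentialsUsable("jdoe", ""));
    }
}
```

The bind itself happens when the caller constructs `new InitialDirContext(bindEnvironment(url, bindName(objectContext, netid), password))` after `credentialsUsable` has passed; the subtree lookup then calls `ctx.search(searchContext, userFilter(idField, netid), userSearchControls(attrs))` and should treat anything other than exactly one result as a failed login.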