Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add missing configs, cleanup of other explanations

...

surnamefieldsurnamefield = snlogin.groupmap.*

Configuration File:

[dspace]/config/modules/authentication-ldap.cfg

Property:

enable

Example Value:

enable = false

Informational Note:

This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords.

Property:

autoregister

Example Value:

autoregister = true

Informational Note:

This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms.

Property:

provider_url

Example Value:

provider_url = ldap://ldap.myu.edu/o=myu.edu

Informational Note:

This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol. (This field has no default value)

Property:

id_field

Example Value:

id_field = uid

Explanation:

This is the unique identifier field in the LDAP directory where the username is stored. (This field has no default value)

Property:

object_context

Example Value:

object_context = ou=people, o=myu.edu

Informational Note:

This is the LDAP object context used to use when authenticating the user. By default, DSpace will use this value to create the user's DN in order to attempt to authenticate them. It is appended to the id_field and username. For example uid=username,ou=people,o=myu.edu. You will need to modify this to match your LDAP configuration.

Property:

search_context

(This field has no default value)

If your users do NOT all exist under a single "object_context" in LDAP, then you should ignore this setting and INSTEAD use the Hierarchical LDAP Authentication settings below (especially see "search.user" or "search.anonymous")

Property:

search_context

Example Value:

search

Example Value:

search_context = ou=people

Informational Note:

This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With autoregister turned on=true, when a user authenticates without an EPerson object we search the LDAP directory to get their name (id_field) and email address (email_field) so that we can create one for them. So after we have authenticated against uid=username,ou=people,o=byu.edu we now search in ou=people for filtering on [uid=username]. Often the search_context is the same as the object_context parameter. But again this depends on your LDAP server configuration. (This field has no default value, and it MUST be specified when either search.anonymous=true or search.user is specified)

Property:

email_field

Example Value:

email_field = mail

Informational Note:

This is the LDAP object field where the user's email address is stored. "mail" is the default and the most common for LDAP servers. (This field has no default value)

If the mail "email_field" is not found the username will be used as the email address when creating the eperson object.unspecified, or the user has no email address in LDAP, his/her username (id_field value) will be saved as the email in DSpace (or appended to netid_email_domain, when specified)

Property:netid_email_domain
Example Value:netid_email_domain = @example.com
Informational Note:

This is the LDAP object field where the user's last name is stored. "sn" is the default and is the most common for LDAP servers. If the field is not found the field will be left blank in the new eperson object.

Property:

givenname_field

Example Value:

givenname_field = givenName

Informational Note:

This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object.

If your LDAP server does not hold an email address for a user (i.e. no email_field), you can use the following field to specify your email domain. This value is appended to the netid (id_field) in order to make an email address (which is then stored in the DSpace EPerson). For example, a netid of 'user' and netid_email_domain as @example.com would set the email of the user to be user@example.com

Please note: this field will only be used if "email_field" is unspecified OR the user in question has no email address stored in LDAP. If both "email_field" and "netid_email_domain" are unspecified, then the "id_field" will be used as the email address.

Property:

surname

Property:

phone_field

Example Value:

phonesurname_field = telephoneNumbersn

Informational Note:

This is the LDAP object field where the user's phone number last name is stored in the LDAP directory. "sn" is the most common for LDAP servers. If the field is not found the field will be left blank in the new eperson object. (This field has no default value)

Property:

login.specialgroupgivenname_field

Example Value:

login.specialgroup = group-namegivenname_field = givenName

Informational Note:If

required, a group name can be given here, and all users who log into LDAP will automatically become members of this group. This is useful if you want a group made up of all internal authenticated users. (Remember to log on as the administrator, add this to the "Groups" with read rights).

Property:
Anchor
login.groupmaplogin.groupmap
Example Value:login.groupmap.1 = ou=Students:ALL_STUDENTS 
login.groupmap.2 = ou=Employees:ALL_EMPLOYEES 
login.groupmap.3 = ou=Faculty:ALL_FACULTY 

the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object. (This field has no default value)

Property:

phone_field

Example Value:

phone_field = telephoneNumber

Informational Note:

This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object. (This field has no default value)

Property:

login.specialgroup

Example Value:

login.specialgroup = group-name

Informational Note:

If specified, all users who successfully login via LDAP will automatically become members of this DSpace Group (for the remainder of their current, logged in session). This DSpace Group must already exist (it will not be automatically created).
This is useful if you want a DSpace Group made up of all internal authenticated users. This DSpace Group can then be used to bestow special permissions on any users who have authenticated via LDAP (e.g. you could allow anyone authenticated via LDAP to view special, on campus only collections or similar)

Property:
Anchor
login.groupmap
login.groupmap
login.groupmap.*
Example Value:login.groupmap.1 = ou=Students:ALL_STUDENTS 
login.groupmap.2 = ou=Employees:ALL_EMPLOYEES 
login.groupmap.3 = ou=Faculty:ALL_FACULTY 
Informational Note:

The left part of the value (before the ":") must correspond to a portion of a user's DN (unless "login.group.attribute" is specified..please see below). The right part of the value corresponds to the name of an existing DSpace group.

For example, if the authenticated user's DN in LDAP is in the following form:

cn=jdoe,OU=Students,OU=Users,dc=example,dc=edu

that user would get assigned to the ALL_STUDENTS DSpace group for the remainder of their current session.

However, if that same user later graduates and is employed by the university, their DN in LDAP may change to:

cn=jdoe,OU=Employees,OU=Users,dc=example,dc=edu

Upon logging into DSpace after that DN change, the authenticated user would now be assigned to the ALL_EMPLOYEES DSpace group for the remainder of their current session.

Note: This option can be used independently from the login.specialgroup option, which will put all LDAP users into a single DSpace group. Both options may be used together.

Property:login.groupmap.attribute
Example Value:login.groupmap.attribute = group
Informational Note:

The value of the "login.groupmap.attribute" should specify the name of a single LDAP attribute. If this property is uncommented, it changes the meaning of the left part of "login.groupmap.*" (see above) as follows:

  • If the authenticated user has this LDAP attribute, look up the value of this LDAP attribute in the left part (before the ":") of the login.groupmap.* value
  • If that LDAP value is found in any "login.groupmap.*" field, assign this authenticated user to the DSpace Group specified by the right part (after the ":") of the login.groupmap.* value.

For example:

  • login.groupmap.attribute = group
  • login.groupmap.1 = mathematics:Mathematics_Group

The above would ensure that any authenticated users where their LDAP "group" attribute equals "mathematics" would be added to the DSpace Group named "Mathematics_Group" for the remainder of their current session. However, if that same user logged in later with a new LDAP "group" value of "computer science", he/she would no longer be a member of the "Mathematics_Group" in DSpace.

Informational Note:If user's DN in LDAP is in the following form:
cn=jdoe,OU=Students,OU=Users,dc=example,dc=edu

that user would get assigned to the ALL_STUDENTS DSpace group on login.

Note 1: This group must already exist in DSpace.

Note 2: This option can be used independently from the login.specialgroup option, which will put all LDAP users into a single DSpace group. Both options may be used together.

Enabling Hierarchical LDAP Authentication

Info

Please note, that DSpace 3.0 doesn't contain the LDAPHierarchicalAuthentication class anymore. This functionality is now supported by LDAPAuthentication, which uses the same configuration options. See Upgrading From 1.8.x to 3.x for information about upgradinguses the same configuration options.

If your users are spread out across a hierarchical tree on your LDAP server, you may wish to have DSpace search for the user name in your tree. Here's how it works:

...

Hierarchical LDAP Authentication shares all the above standard LDAP configurations, but has some additional settings.

You can optionally specify the search scope. If anonymous access is not enabled on your LDAP server, you will need to specify the full DN and password of a user that is allowed to bind in order to search for the users.

has some additional settings.

You can optionally specify the search scope. If anonymous access is not enabled on your LDAP server, you will need to specify the full DN and password of a user that is allowed to bind in order to search for the users.

search_scope_scope 2 is the search scope value during autoregistering. This will depend on your LDAP server setup. This value must be one of the following integers corresponding to the following values:
object scope : 0
one level scope : 1
subtree scope : 2

Configuration File:

[dspace]/config/modules/authentication-ldap.cfg

Property:

search_scope

Example Value:

search_scope = 2

Informational Note:

This is the search scope value for the LDAP search during autoregistering (autoregister=true). This will depend on your LDAP server setup, and is only really necessary if your users are spread out across a hierarchical tree on your LDAP server. This value must be one of the following integers corresponding to the following values:
 object scope : 0 
 one level scope : 1 
 subtree scope : 2

Property:

search.anonymous

Configuration File:

[dspace]/config/modules/authentication-ldap.cfg

Property:

Example Value:

search

.anonymous =

true

Informational Note:

If true, DSpace will anonymously search LDAP for the DN of the user trying to login to DSpace. This

setting is "false" by default. By default, DSpace will either use "search.user" to authenticate for the LDAP search

, or if "search.user" is unspecified, DSpace will just use the "object_context" value to create the user's DN.

Property:

search.user
search.password

Example Value:

search.user = cn=admin,ou=people,o=myu.edu
search.password = password

Informational Note:

The full DN and password of a user allowed to connect to the LDAP server and search for the DN of the user trying to log in. If these are not specified, the initial bind will be performed anonymously.

Property:

netid_email_domain

Example Value:

netid_email_domain = @example.com

Informational Note:

If your LDAP server does not hold an email address for a user, you can use the following field to specify your email domain. This value is appended to the netid in order to make an email address. E.g. a netid of 'user' and netid_email_domain as @example.com would set the email of the user to be user@example.comlogin. By default, if unspecified, DSpace will either search LDAP anonymously for the user's DN (when search.anonymous=true), or will use the "object_context" value to create the user's DN.

IP Authentication

Enabling IP Authentication

...