All Versions
- DSpace 7.x (Current Release)
- DSpace 8.x (Unreleased)
- DSpace 6.x (EOL)
- DSpace 5.x (EOL)
- More Versions...
...
Since many institutions and organizations have existing authentication systems, DSpace has been designed to allow these to be easily integrated into an existing authentication infrastructure. It keeps a series, or "stack", of authentication methods, so each one can be tried in turn. This makes it easy to add new authentication methods or rearrange the order without changing any existing code. You can also share authentication code with other sites.
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
The configuration property plugin.sequence.org.dspace.authenticate.AuthenticationMethod
defines the authentication stack. It is a comma-separated list of class names. Each of these classes implements a different authentication method
, or way of determining the identity of the user. They are invoked in the order specified until one succeeds.
...
However, to enable Authentication by Password, you must ensure the org.dspace.authenticate.PasswordAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
...
A full list of all available Password Authentication Configurations:
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses. |
Property: |
|
Example Value: |
|
Informational Note: | This option allows you to automatically add all password authenticated users to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session. |
Property: |
|
Example Value: |
|
Informational Note: | This option specifies the hashing algorithm to be used in converting plain-text passwords to more secure password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system. At least MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 should be available, but you may have installed others. Most sites will not need to adjust this. |
...
To enable Shibboleth Authentication, you must ensure the org.dspace.authenticate.ShibAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
...
...
Code Block |
---|
#### SAMPLE MOD_SHIB CONFIGURATION FOR APACHE2 (it may require local modifications based on your Apache setup) #### # While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously), # you may also need/want to create one for HTTP (*:80) <VirtualHost *:443> ... # PLEASE NOTE: We have omitted many Apache settings (ServerName, LogLevel, SSLCertificateFile, etc) # which you may need/want to add to your VirtualHost # As long as Shibboleth module is installed, enable all Shibboleth/mod_shib related settings <IfModule mod_shib> # Shibboleth recommends turning on UseCanonicalName # See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig UseCanonicalName On # Most DSpace instances will want to use Shibboleth "Lazy Session", which ensures that users # can access DSpace without first authenticating via Shibboleth. # This section turns on Shibboleth "Lazy Session". Also ensures that once they have authenticated # (by accessing /Shibboleth.sso/Login path), then their Shib session is kept alive <Location /> AuthType shibboleth ShibRequireSession Off require shibboleth # If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your # DSpace Service Provider, then you may need to tell Apache which "id" to redirect Shib requests to. # Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value. #ShibRequestSetting applicationId my-dspace-id </Location> # If a user attempts to access the DSpace shibboleth login page, force them to authenticate via Shib <Location "/shibboleth-login"> AuthType shibboleth ShibRequireSession On # Please note that setting ShibUseHeaders to "On" is a potential security risk. # You may wish to set it to "Off". See the mod_shib docs for details about this setting: # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions # Here's a good guide to configuring Apache + Tomcat when this setting is "Off": # https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications ShibUseHeaders On require valid-user </Location> # Ensure /Shibboleth.sso path (in Apache) can be accessed # By default it may be inaccessible if your Apache security is tight. <Location "/Shibboleth.sso"> Order deny,allow Allow from all # Also ensure Shibboleth/mod_shib responds to this path SetHandler shib </Location> # Finally, you may need to ensure requests to /Shibboleth.sso are NOT redirected redirected # to Tomcat (as they need willto be handled by mod_shib instead). # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING PROXYPASSmod_proxy TO REDIRECT # ALL REQUESTS TO TOMCAT (e.g. ProxyPass / ajp://localhost:80808009/) # ProxyPass /Shibboleth.sso ! </IfModule> ... </VirtualHost> |
Authentication Methods:
DSpace supports authentication using NetID, or email address. A user's NetID is a unique identifier from the IdP that identifies a particular user. The NetID can be of almost any form such as a unique integer, string, or with Shibboleth 2.0 you can use "targeted ids". You will need to coordinate with your shibboleth federation or identity provider. There are three ways to supply identity information to DSpace:
1) NetID from Shibboleth Header (best)
The NetID-based method is superior because users may change their email address with the identity provider. When this happens DSpace will not be able to associate their new address with their old account.
2) Email address from Shibboleth Header (okay)
In the case where a NetID header is not available or not found DSpace will fall back to identifying a user based-upon their email address.
3) Tomcat's Remote User (worst)
In the event that neither Shibboleth headers are found then as a last resort DSpace will look at Tomcat's remote user field. This is the least attractive option because Tomcat has no way to supply additional attributes about a user. Because of this the autoregister option is not supported if this method is used.
Identity Scheme Migration Strategies:
If you are currently using Email based authentication (either 1 or 2) and want to upgrade to NetID based authentication then there is an easy path. Simply enable shibboleth to pass the NetID attribute and set the netid-header below to the correct value. When a user attempts to log in to DSpace first DSpace will look for an EPerson with the passed NetID, however when this fails DSpace will fall back to email based authentication. Then DSpace will update the user's EPerson account record to set their netted so all future authentications for this user will be based upon netted. One thing to note is that DSpace will prevent an account from switching NetIDs. If an account all ready has a NetID set and then they try and authenticate with a different NetID the authentication will fail.
EPerson Metadata:
One of the primary benefits of using Shibboleth based authentication is receiving additional attributes about users such as their names, telephone numbers, and possibly their academic department or graduation semester if desired. DSpace treats the first and last name attributes differently because they (along with email address) are the three pieces of minimal information required to create a new user account. For both first and last name supply direct mappings to the Shibboleth headers. In additional to the first and last name DSpace supports other metadata fields such as phone, or really anything you want to store on an eperson object. Beyond the phone field, which is accessible in the user's profile screen, none of these additional metadata fields will be used by DSpace out-of-the box. However if you develop any local modification you may access these attributes from the EPerson object. The Vireo ETD workflow system utilizes this to aid students when submitting an ETD.
Role-based Groups:
DSpace is able to place users into pre-defined groups based upon values received from Shibboleth. Using this option you can place all faculty members into a DSpace group when the correct affiliation's attribute is provided. When DSpace does this they are considered 'special groups', these are really groups but the user's membership within these groups is not recorded in the database. Each time a user authenticates they are automatically placed within the pre-defined DSpace group, so if the user loses their affiliation then the next time they login they will no longer be in the group.
Depending upon the shibboleth attributed use in the role-header it may be scoped. Scoped is shibboleth terminology for identifying where an attribute originated from. For example a students affiliation may be encoded as "student@tamu.edu". The part after the @ sign is the scope, and the preceding value is the value. You may use the whole value or only the value or scope. Using this you could generate a role for students and one institution different than students at another institution. Or if you turn on ignore-scope you could ignore the institution and place all students into one group.
The values extracted (a user may have multiple roles) will be used to look up which groups to place the user into. The groups are defined as "role.<role-name>" which is a comma separated list of DSpace groups.
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
| ||
Informational Note: | Whether to use lazy sessions or active sessions. For more DSpace instances, you will likely want to use lazy sessions. Active sessions will force every user to authenticate via Shibboleth before they can access your DSpace (essentially resulting in a "dark archive"). | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The url to start a shibboleth session (only for lazy sessions). Generally this setting will be "/Shibboleth.sso/Login" | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Force HTTPS when authenticating (only for lazy sessions). Generally this is recommended to be "true". | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where shibboleth will supply a user's NetID. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's email address. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Used when a netid or email headers are not available should Shibboleth authentication fall back to using Tomcat's remote user feature? Generally this is not recommended. See the "Authentication Methods" section above. | ||
Property: |
| ||
Example Value | reconvert.attributes = false | ||
Informational Note: | Shibboleth attributes are by default UTF-8 encoded. Some servlet container automatically converts the attributes from ISO-8859-1 (latin-1) to UTF-8. As the attributes already were UTF-8 encoded it may be necessary to reconvert them. If you set this property true, DSpace converts all shibboleth attributes retrieved from the servlet container from UTF-8 to ISO-8859-1 and uses the result as if it were UTF-8. This procedure restores the shibboleth attributes if the servlet container wrongly converted them from ISO-8859-1 to UTF-8. Set this true, if you notice character encoding problems within shibboleth attributes. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Should we allow new users to be registered automatically? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Sword compatability will allow this authentication method to work when using sword. Sort relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for sword sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's given name. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's surname. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Additional user attributes mapping, multiple attributes may be stored for each user. The left side is the Shibboleth-based metadata Header and the right side is the eperson metadata field to map the attribute to. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | If the eperson metadata field is not found, should it be automatically created? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The shibboleth header to do role-based mappings (see section on roll based mapping section above) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather to ignore the attribute's value (everything before the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Mapping of affiliation values to DSpace groups. See the "Role-based Groups" section above for more info. |
To enable LDAP Authentication, you must ensure the org.dspace.authenticate.LDAPAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
If LDAP is enabled, then new users will be able to register by entering their username and password without being sent the registration token. If users do not have a username and password, then they can still register and login with just their email address the same way they do now.
If you want to give any special privileges to LDAP users, create a stackable authentication method to automatically put people who have a netid into a special group. You might also want to give certain email addresses special privileges. Refer to the Custom Authentication Code section below for more information about how to do this.
Here is an explanation of each of the different LDAP configuration parameters:
In addition, here's a sample "ApplicationOverride" configuration for "shibboleth2.xml". This particular "ApplicationOverride" is configured to use the Test IdP provided by http://www.testshib.org/ and is just meant as an example. In order to enable it for testing purposes, you must specify ShibRequestSetting applicationId testshib
in your Apach mod_shib
configuration (see above).
Code Block |
---|
<!-- *** Sample Shibboleth Settings for http://www.testshib.org/ *** -->
<!-- This provides a simple sample of how you could configure -->
<!-- shibboleth2.xml for DSpace sites. -->
<!-- TO ENABLE: You'd need to specify "applicationId" as "testshib" in -->
<!-- your mod_shib settings, e.g. -->
<!-- <Location /> -->
<!-- ... -->
<!-- ShibRequestSetting applicationId testshib -->
<!-- </Location> -->
<ApplicationOverride id="testshib" entityID="http://mydspace.edu/shibboleth" REMOTE_USER="principal-id">
<!-- We'll use a TEST IdP, hosted by the awesome http://www.testshib.org/ testing service. -->
<!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true">
<SSO entityID="https://idp.testshib.org/idp/shibboleth">
SAML2 SAML1
</SSO>
</Sessions>
<!-- Loads and trusts a metadata file that describes the IdP and how to communicate with it. -->
<!-- By default, metadata is retrieved from the TEST IdP at http://www.testshib.org -->
<!-- and is cached in a local file named "testshib-idp-metadata.xml". -->
<!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider -->
<MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
backingFilePath="testshib-idp-metadata.xml" reloadInterval="180000"/>
</ApplicationOverride> |
Authentication Methods:
DSpace supports authentication using NetID, or email address. A user's NetID is a unique identifier from the IdP that identifies a particular user. The NetID can be of almost any form such as a unique integer, string, or with Shibboleth 2.0 you can use "targeted ids". You will need to coordinate with your shibboleth federation or identity provider. There are three ways to supply identity information to DSpace:
1) NetID from Shibboleth Header (best)
The NetID-based method is superior because users may change their email address with the identity provider. When this happens DSpace will not be able to associate their new address with their old account.
2) Email address from Shibboleth Header (okay)
In the case where a NetID header is not available or not found DSpace will fall back to identifying a user based-upon their email address.
3) Tomcat's Remote User (worst)
In the event that neither Shibboleth headers are found then as a last resort DSpace will look at Tomcat's remote user field. This is the least attractive option because Tomcat has no way to supply additional attributes about a user. Because of this the autoregister option is not supported if this method is used.
Identity Scheme Migration Strategies:
If you are currently using Email based authentication (either 1 or 2) and want to upgrade to NetID based authentication then there is an easy path. Simply enable shibboleth to pass the NetID attribute and set the netid-header below to the correct value. When a user attempts to log in to DSpace first DSpace will look for an EPerson with the passed NetID, however when this fails DSpace will fall back to email based authentication. Then DSpace will update the user's EPerson account record to set their NetID so all future authentications for this user will be based upon NetID. One thing to note is that DSpace will prevent an account from switching NetIDs. If an account already has a NetID set and then they try and authenticate with a different NetID the authentication will fail.
EPerson Metadata:
One of the primary benefits of using Shibboleth based authentication is receiving additional attributes about users such as their names, telephone numbers, and possibly their academic department or graduation semester if desired. DSpace treats the first and last name attributes differently because they (along with email address) are the three pieces of minimal information required to create a new user account. For both first and last name supply direct mappings to the Shibboleth headers. In additional to the first and last name DSpace supports other metadata fields such as phone, or really anything you want to store on an eperson object. Beyond the phone field, which is accessible in the user's profile screen, none of these additional metadata fields will be used by DSpace out-of-the box. However if you develop any local modification you may access these attributes from the EPerson object. The Vireo ETD workflow system utilizes this to aid students when submitting an ETD.
Role-based Groups:
DSpace is able to place users into pre-defined groups based upon values received from Shibboleth. Using this option you can place all faculty members into a DSpace group when the correct affiliation's attribute is provided. When DSpace does this they are considered 'special groups', these are really groups but the user's membership within these groups is not recorded in the database. Each time a user authenticates they are automatically placed within the pre-defined DSpace group, so if the user loses their affiliation then the next time they login they will no longer be in the group.
Depending upon the shibboleth attributed use in the role-header it may be scoped. Scoped is shibboleth terminology for identifying where an attribute originated from. For example a students affiliation may be encoded as "student@tamu.edu". The part after the @ sign is the scope, and the preceding value is the value. You may use the whole value or only the value or scope. Using this you could generate a role for students and one institution different than students at another institution. Or if you turn on ignore-scope you could ignore the institution and place all students into one group.
The values extracted (a user may have multiple roles) will be used to look up which groups to place the user into. The groups are defined as "role.<role-name>" which is a comma separated list of DSpace groups.
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
| ||
Informational Note: | Whether to use lazy sessions or active sessions. For more DSpace instances, you will likely want to use lazy sessions. Active sessions will force every user to authenticate via Shibboleth before they can access your DSpace (essentially resulting in a "dark archive"). | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The url to start a shibboleth session (only for lazy sessions). Generally this setting will be "/Shibboleth.sso/Login" | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Force HTTPS when authenticating (only for lazy sessions). Generally this is recommended to be "true". | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where shibboleth will supply a user's NetID. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's email address. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Used when a netid or email headers are not available should Shibboleth authentication fall back to using Tomcat's remote user feature? Generally this is not recommended. See the "Authentication Methods" section above. | ||
Property: |
| ||
Example Value | reconvert.attributes = false | ||
Informational Note: | Shibboleth attributes are by default UTF-8 encoded. Some servlet container automatically converts the attributes from ISO-8859-1 (latin-1) to UTF-8. As the attributes already were UTF-8 encoded it may be necessary to reconvert them. If you set this property true, DSpace converts all shibboleth attributes retrieved from the servlet container from UTF-8 to ISO-8859-1 and uses the result as if it were UTF-8. This procedure restores the shibboleth attributes if the servlet container wrongly converted them from ISO-8859-1 to UTF-8. Set this true, if you notice character encoding problems within shibboleth attributes. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Should we allow new users to be registered automatically? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | SWORD compatibility will allow this authentication method to work when using SWORD. SWORD relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for SWORD sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's given name. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's surname. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Additional user attributes mapping, multiple attributes may be stored for each user. The left side is the Shibboleth-based metadata Header and the right side is the eperson metadata field to map the attribute to. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | If the eperson metadata field is not found, should it be automatically created? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The shibboleth header to do role-based mappings (see section on roll based mapping section above) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather to ignore the attribute's value (everything before the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Mapping of affiliation values to DSpace groups. See the "Role-based Groups" section above for more info. |
If you are unfamiliar with LDAP, the following introduction to some of its terminology might come in handy:
https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search
To enable LDAP Authentication, you must ensure the org.dspace.authenticate.LDAPAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
If LDAP is enabled, then new users will be able to register by entering their username and password without being sent the registration token. If users do not have a username and password, then they can still register and login with just their email address the same way they do now.
If you want to give any special privileges to LDAP users, create a stackable authentication method to automatically put people who have a netid into a special group. You might also want to give certain email addresses special privileges. Refer to the Custom Authentication Code section below for more information about how to do this.
Here is an explanation of each of the different LDAP configuration parameters:
Configuration File: |
| ||||||
---|---|---|---|---|---|---|---|
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords. | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms. | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol. (This field has no default value) | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Explanation: | This is the unique identifier field in the LDAP directory where the username is stored. (This field has no default value) | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the LDAP object context to use when authenticating the user. By default, DSpace will use this value to create the user's DN in order to attempt to authenticate them. It is appended to the id_field and username. For example If your users do NOT all exist under a single "object_context" in LDAP, then you should ignore this setting and INSTEAD use the Hierarchical LDAP Authentication settings below (especially see " | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the LDAP object field where the user's email address is stored. "mail" is the most common for LDAP servers. (This field has no default value) If the "email_field" is unspecified, or the user has no email address in LDAP, his/her username (id_field value) will be saved as the email in DSpace (or appended to | ||||||
Property: | netid_email_domain | ||||||
Example Value: | netid_email_domain = @example.com | ||||||
Informational Note: | If your LDAP server does not hold an email address for a user (i.e. no Please note: this field will only be used if " | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the LDAP object field where the user's last name is stored. " | ||||||
Property: | givenname_field | ||||||
Example Value: |
| ||||||
Informational Note: | This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object. (This field has no default value) | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object. (This field has no default value) | ||||||
Property: |
| ||||||
Example Value: |
| ||||||
Informational Note: | If specified, all users who successfully login via LDAP will automatically become members of this DSpace Group (for the remainder of their current, logged in session). This DSpace Group must already exist (it will not be automatically created). | ||||||
Property: |
login.groupmap.* | ||||||
Example Value: | login.groupmap.1 = ou=Students:ALL_STUDENTS login.groupmap.2 = ou=Employees:ALL_EMPLOYEES login.groupmap.3 = ou=Faculty:ALL_FACULTY | ||||||
Informational Note: | The left part of the value (before the ":") must correspond to a portion of a user's DN (unless " For example, if the authenticated user's DN in LDAP is in the following form:
that user would get assigned to the ALL_STUDENTS DSpace group for the remainder of their current session. However, if that same user later graduates and is employed by the university, their DN in LDAP may change to:
Upon logging into DSpace after that DN change, the authenticated user would now be assigned to the ALL_EMPLOYEES DSpace group for the remainder of their current session. Note: This option can be used independently from the login.specialgroup option, which will put all LDAP users into a single DSpace group. Both options may be used together. | ||||||
Property: | login.groupmap.attribute | ||||||
Example Value: | login.groupmap.attribute = group | ||||||
Informational Note: | The value of the "
For example:
The above would ensure that any authenticated users where their LDAP "group" attribute equals "mathematics" would be added to the DSpace Group named "Mathematics_Group" for the remainder of their current session. However, if that same user logged in later with a new LDAP "group" value of "computer science", he/she would no longer be a member of the "Mathematics_Group" in DSpace. |
Configuration File:
[dspace]/config/modules/authentication-ldap.cfg
Property:
enable
Example Value:
enable = false
Informational Note:
This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords.
Property:
autoregister
Example Value:
autoregister = true
Informational Note:
This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms.
Property:
provider_url
Example Value:
provider_url = ldap://ldap.myu.edu/o=myu.edu
Informational Note:
This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol.
Property:
id_field
Example Value:
id_field = uid
Explanation:
This is the unique identifier field in the LDAP directory where the username is stored.
Property:
object_context
Example Value:
object_context = ou=people, o=myu.edu
Informational Note:
This is the object context used when authenticating the user. It is appended to the id_field and username. For example uid=username,ou=people,o=myu.edu
. You will need to modify this to match your LDAP configuration.
Property:
search_context
Example Value:
search_context = ou=people
Informational Note:
This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With autoregister
turned on, when a user authenticates without an EPerson object we search the LDAP directory to get their name and email address so that we can create one for them. So after we have authenticated against uid=username,ou=people,o=byu.edu we now search in ou=people for filtering on [uid=username]. Often the search_context
is the same as the object_context
parameter. But again this depends on your LDAP server configuration.
Property:
email_field
Example Value:
email_field = mail
Informational Note:
This is the LDAP object field where the user's email address is stored. "mail" is the default and the most common for LDAP servers. If the mail field is not found the username will be used as the email address when creating the eperson object.
Property:
surname_field
Example Value:
surname_field = sn
Informational Note:
This is the LDAP object field where the user's last name is stored. "sn" is the default and is the most common for LDAP servers. If the field is not found the field will be left blank in the new eperson object.
Property:
givenname_field
Example Value:
givenname_field = givenName
Informational Note:
This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object.
Property:
phone_field
Example Value:
phone_field = telephoneNumber
Informational Note:
This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object.
Property:
login.specialgroup
Example Value:
login.specialgroup = group-name
Informational Note:
If required, a group name can be given here, and all users who log into LDAP will automatically become members of this group. This is useful if you want a group made up of all internal authenticated users. (Remember to log on as the administrator, add this to the "Groups" with read rights).
login.groupmap.1 = ou=Students:ALL_STUDENTS
login.groupmap.2 = ou=Employees:ALL_EMPLOYEES
login.groupmap.3 = ou=Faculty:ALL_FACULTY
cn=jdoe,OU=Students,OU=Users,dc=example,dc=edu
that user would get assigned to the ALL_STUDENTS
DSpace group on login.
Note 1: This group must already exist in DSpace.
Note 2: This option can be used independently from thelogin.specialgroup
option, which will put all LDAP users into a single DSpace group. Both options may be used together.Info |
---|
Please note, that DSpace 3.0 doesn't contain the |
If your users are spread out across a hierarchical tree on your LDAP server, you may wish to have DSpace search for the user name in your tree. Here's how it works:
Hierarchical LDAP Authentication shares all the above standard LDAP configurations, but has some additional settings.
You can optionally specify the search scope. If anonymous access is not enabled on your LDAP server, you will need to specify the full DN and password of a user that is allowed to bind in order to search for the users.
Hierarchical LDAP Authentication shares all the above standard LDAP configurations, but has some additional settings.
You can optionally specify the search scope. If anonymous access is not enabled on your LDAP server, you will need to specify the full DN and password of a user that is allowed to bind in order to search for the users.
Configuration File:
[dspace]/config/modules/authentication-ldap.cfg
Property:
search_scope
Example Value:
search_scope = 2
Informational Note:
This is the search scope value for the LDAP search during autoregistering. This will depend on your LDAP server setup. This value must be one of the following integers corresponding to the following values:
object scope : 0
one level scope : 1
subtree scope : 2
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | This is the search scope value for the LDAP search during autoregistering ( Please note that " |
Property: |
|
Example Value: |
|
Informational Note: | If true, DSpace will anonymously search LDAP (in the " |
Property: |
|
---|---|
Example Value: |
|
Informational Note: | The full DN and password of a user allowed |
Property:
netid_email_domain
Example Value:
netid_email_domain = @example.com
Informational Note:
netid_email_domain
as @example.com
would set the email of the user to be user@example.com
to connect to the LDAP server and search (in the " |
To enable IP Authentication, you must ensure the org.dspace.authenticate.IPAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
Configuration File: |
|
---|
Once enabled, you are then able to map DSpace groups to IP addresses in authentication-ip.cfg
by setting ip.GROUPNAME = iprange[, iprange ...]
, e.g:
...
<Connector>
tag must include the attribute clientAuth="true"
so the server requests a personal Web certificate from the client.Add the org.dspace.authenticate.X509Authentication
plugin first
to the list of stackable authentication methods in the value of the configuration key plugin.sequence.org.dspace.authenticate.AuthenticationMethod
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
|
Configuration File: |
|
---|
You must also configure DSpace with the same CA certificates as the web server, so it can accept and interpret the clients' certificates. It can share the same keystore file as the web server, or a separate one, or a CA certificate in a file by itself. Configure it by oneof these methods, either the Java keystore
Code Block |
---|
keystore.path = path to Java keystore file keystore.password = password to access the keystore |
...or the separate CA certificate file (in PEM or DER format):
Code Block |
---|
ca.cert = path to certificate file for CA whose client certs to accept. |
autoregister
configuration property to true
. This lets you automatically accept all users with valid personal certificates. The default is false
....