Versions Compared

Old Version 7

changes.mady.by.user Robin Taylor

Saved on

compared with

New Version Current

changes.mady.by.user Ivan Masár

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

When configuring your Shibboleth Service Provider there are two paradigms you may use: Active or Lazy Sessions. Active sessions is where the mobmod_shib module is configured to product a protect a URL space. No one will be able to access that URL without first authenticating with Shibboleth. Using this method you will need to configure shibboleth to protect the URL: "/shibboleth-login". The alternative, Lazy Session does not protect any specific URL. Instead apache will allow access to any URL, and when the application wants to it may initiate an authenticated session. The Lazy Session method is preferable for most DSpace installations where you want public access to most of DSpace but restricted access to limited areas - such as administration.

...

When configuring your Shibboleth Service Provider there are two paradigms you may use: Active or Lazy Sessions. Active sessions is where the mobmod_shib module is configured to product a protect a URL space. No one will be able to access that URL without first authenticating with Shibboleth. Using this method you will need to configure shibboleth to protect the URL: "/shibboleth-login". The alternative, Lazy Session does not protect any specific URL. Instead apache will allow access to any URL, and when the application wants to it may initiate an authenticated session. The Lazy Session method is preferable for most DSpace installations where you want public access to most of DSpace but restricted access to limited areas - such as administration.

...

Configuration File:

[dspace]/config/modules/authentication-shibboleth.cfg

Property:

lazysession

Example Value:

lazysession = true

Informational Note:

Whether to use lazy sessions or active sessions.

Property:

lazysession.loginurl

Example Value:

lazysession.loginurl = /Shibboleth.sso/Login

Informational Note:

The url to start a shibboleth session (only for lazy sessions)

Property:

lazysession.secure

Example Value:

lazysession.secure = true

Informational Note:

Force HTTPS when authenticating (only for lazy sessions)

Property:

netid-header

Example Value:

netid-header = SHIB-NETID

Informational Note:

The HTTP header where shibboleth will supply a user's NetID.

Property:

email-header

Example Value:

email-header = SHIB-MAIL

Informational Note:

The HTTP header where the shibboleth will supply a user's email address.

Property:

email-use-tomcat-remote-user

Example Value:

email-use-tomcat-remote-user = false

Informational Note:

Used when a netid or email heades are not available should shibboleth authentication fall back to using Tomcat's remote user feature.

Property:

autoregister

Example Value:

autoregister = true

Informational Note:

Should we allow new users to be registered automatically?

Property:

sword.compatability

Example Value:

sword.compatability = true

Informational Note:

Sword compatability will allow this authentication method to work when using sword. Sort relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for sword sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions.

Property:

firstname-header

Example Value:

firstname-header = SHIB_GIVENNAME

Informational Note:

The HTTP header where the shibboleth will supply a user's given name.

Property:

lastname-header

Example Value:

lastname-header = SHIB_SN

Informational Note:

The HTTP header where the shibboleth will supply a user's sur name.

Property:

eperson.metadata

Example Value:

Code Block
eperson.metadata = \
 SHIB-telephone => phone, \
 SHIB-cn => cn

Informational Note:

Additional user attributes mapping, multiple attributes may be stored
 for each user. The left side is the Shibboleth-based metadata Header
 and the right side is the eperson metadata field to map the attribute to.

Property:

eperson.metadata.autocreate

Example Value:

eperson.metadata.autocreate = true

Informational Note:

If the eperson metadata field is not found, should it be automatically created?

Property:

role-header

Example Value:

role-header = SHIB_SCOPED_AFFILIATION

Informational Note:

The shibboleth header to do role-based mappings (see section on roll based mapping section above)

Property:

role-header.ignore-scope

Example Value:

role-header.ignore-scope = true

Informational Note:

Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes)

Property:

role-header.ignore-value

Example Value:

role-header.ignore-value = false

Informational Note:

Weather to ignore the attribute's value (everything before the @ sign for scoped attributes)

Property:

role.[affiliation-attribute]

Example Value:

Code Block
role.faculty = Faculty, Member \
 role.staff = Staff, Member \
 role.student = Students, Member

Informational Note:

Mapping of affiliation values to DSpace groups. (See the roll role-based mapping section above)

...

Configuration File:

[dspace]/config/modules/authentication-ldap.cfg

Property:

enable

Example Value:

enable = false

Informational Note:

This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords.

Property:

autoregister

Example Value:

autoregister = true

Informational Note:

This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms.

Property:

provider_url

Example Value:

provider_url = ldap://ldap.myu.edu/o=myu.edu

Informational Note:

This is the url to your institution's LDAP server. You may or may not need the /"o=myu.edu" part at the end, but make sure to include the slash after domain name. Your server may also require the ldaps:// protocol.

Property:

id_field

Example Value:

id_field = uid

Explanation:

This is the unique identifier field in the LDAP directory where the username is stored.

Property:

object_context

Example Value:

object_context = ou=people, o=myu.edu

Informational Note:

This is the object context used when authenticating the user. It is appended to the id_field and username. For example uid=username,ou=people,o=myu.edu. You will need to modify this to match your LDAP configuration.

Property:

search_context

Example Value:

search_context = ou=people

Informational Note:

This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With autoregister turned on, when a user authenticates without an EPerson object we search the LDAP directory to get their name and email address so that we can create one for them. So after we have authenticated against uid=username,ou=people,o=byu.edu we now search in ou=people for filtering on [uid=username]. Often the search_context is the same as the object_context parameter. But again this depends on your LDAP server configuration.

Property:

email_field

Example Value:

email_field = mail

Informational Note:

This is the LDAP object field where the user's email address is stored. "mail" is the default and the most common for LDAP servers. If the mail field is not found the username will be used as the email address when creating the eperson object.

Property:

surname_field

Example Value:

surname_field = sn

Informational Note:

This is the LDAP object field where the user's last name is stored. "sn" is the default and is the most common for LDAP servers. If the field is not found the field will be left blank in the new eperson object.

Property:

givenname_field

Example Value:

givenname_field = givenName

Informational Note:

This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object.

Property:

phone_field

Example Value:

phone_field = telephoneNumber

Informational Note:

This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object.

Property:

login.specialgroup

Example Value:

login.specialgroup = group-name

Informational Note:

If required, a group name can be given here, and all users who log into LDAP will automatically become members of this group. This is useful if you want a group made up of all internal authenticated users. (Remember to log on as the administrator, add this to the "Groups" with read rights).

Enabling Hierarchical LDAP Authentication

If your users are spread out across a hierarchical tree on your LDAP server, you may wish to instead use the Hierarchical LDAP Authentication plugin.

To enable Hierarchical LDAP Authentication, you must ensure the org.dspace.authenticate.LDAPHierarchicalAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

...

Configuration File:

...

[dspace]/config/modules/authentication.cfg

...

Property:

...

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Property:
Anchor
login.groupmap
login.groupmap
login.groupmap.*
Example Value:login.groupmap.1 = ou=Students:ALL_STUDENTS 
login.groupmap.2 = ou=Employees:ALL_EMPLOYEES 
login.groupmap.3 = ou=Faculty:ALL_FACULTY 
Informational Note:

If user's DN in LDAP is in the following form:

cn=jdoe,OU=Students,OU=Users,dc=example,dc=edu

that user would get assigned to the ALL_STUDENTS DSpace group on login.

Note 1: This group must already exist in DSpace.

Note 2: This option can be used independently from the login.specialgroup option, which will put all LDAP users into a single DSpace group. Both options may be used together.

Enabling Hierarchical LDAP Authentication

Info

Please note, that DSpace 3.0 doesn't contain the LDAPHierarchicalAuthentication class anymore. This functionality is now supported by LDAPAuthentication, which uses the same configuration options. See Upgrading From 1.8.x to 3.x for information about upgrading.

If your users are spread out across a hierarchical tree on your LDAP server, you may wish to have DSpace search for the user name in your tree. Here's how it works:

  1. DSpace gets the user name from the login form
  2. DSpace binds to LDAP as an administrative user with right to search in DNs (LDAP may be configured to allow anonymous users to search)
  3. DSpace searches for the user name as within DNs (username is a part of full DN)
  4. DSpace binds with the found full DN and password from login form
  5. DSpace logs user in if LDAP reports successful authentication; refuses login otherwise

...

Example Value:

...

Configuring Hierarchical LDAP Authentication

...

Code Block
ip.MY_UNIVERSITY = 10.1.2.3, \                  # Full IP
13.5, \                      # Partial IP
11.3.4.5/24, \               # with CIDR
12.7.8.9/255.255.128.0, \    # with netmask
2001:18e8::32                # IPv6 too
Warning

Please, beware that in DSpace 3.0-3.2, the CIDR and netmask notations are broken:

Jira
serverDuraSpace JIRA
serverIdc815ca92-fd23-34c2-8fe3-956808caf8c5
keyDS-1235

 

Negative matches can be set by prepending the entry with a '-'. For example if you want to include all of a class B network except for users of a contained class c network, you could use: 111.222,-111.222.333.

...