Page History
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="30d5c053c4496c66-edff1662-4401451b-b2ce833b-763bc10d88f8dd8ae1d0d26b"><ac:plain-text-body><![CDATA[ | Configuration File: | | ]]></ac:plain-text-body></ac:structured-macro> |
Property: | | ||
Example Value: |
|
...
- Use of inbuilt e-mail address/password-based log-in. This is achieved by forwarding a request that is attempting an action requiring authorization to the password log-in servlet,
/password-login
. The password log-in servlet (org.dspace.app.webui.servlet.PasswordServlet
) contains code that will resume the original request if authentication is successful, as per step 3. described above. - Users can register themselves (i.e. add themselves as e-people without needing approval from the administrators), and can set their own passwords when they do this
- Users are not members of any special (dynamic) e-person groups
- You can restrict the domains from which new users are able to register. To enable this feature, uncomment the following line from dspace.cfg:
authentication.password.domain.valid = example.com
Example options might be '@example.com
' to restrict registration to users with addresses ending in @example.com, or '@example.com, .ac.uk
' to restrict registration to users with addresses ending in @example.com or with addresses in the .ac.uk domain.
Shibboleth Authentication
...
Detailed instructions for installing Shibboleth on DSpace may be found at https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/dspace15.
...
- By explicitly specifying to the user which attribute (header) carries the email address.
- By turning on the user-email-using-tomcat=true which means the software will attempt to acquire the user's email from Tomcat.
The first option takes Precedence when specified. both options can be enabled to allow for fallback.Property:
authentication.shib.email-header
Example Value:
authentication.shib.email-header = MAIL
Informational Note:
The option specifies that the email comes from the mentioned header. This value is CASE-Sensitive.
Property:
authentication.shib.firstname-header
Example Value:
authentication.shib.firstname-header = SHIB-EP-GIVENNAME
Informational Note:
Optional. Specify the header that carries the user's first name. This is going to be used for the creation of new-user.
Property:
authentication.shib.lastname-header
Example Value:
authentication.shib.lastname-header = SHIB-EP-SURNAME
Informational Note:
Optional. Specify the header that carries user's last name. This is used for creation of new user.
Property:
authentication.shib.email-use-tomcat-remote-user
Example Value:
authentication.shib.email-use-tomcat-remote-user = true
Informational Note:
This option forces the software to acquire the email from Tomcat.
Property:
authentication.shib.autoregister
Example Value:
authentication.shib.autoregister = true
Informational Note:
Option will allow new users to be registered automatically if the IdP provides sufficient information (and the user does not exist in DSpace).
Property:
Code Block authentication.shib.role-header authentication.shib-role.header.ignore-scope
Example Value:
Code Block authentication.shib.role-header = Shib-EP-ScopedAffiliation authentication.shib-role.header.ignore-scope = true
or
Code Block authentication.shib.role-header = Shib-EP-UnscopedAffiliation authentication.shib-role.header.ignore-scope = false
Informational Note:
These two options specify which attribute that is responsible for providing user's roles to DSpace and unscope the attributes if needed. When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and ignore-scope is defaulted to 'false'. The value is specified in AAP.xml (Shib 1.3.x) or attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive. The values provided in this header are separated by semi-colon or comma. If your service provider (SP) only provides scoped role header, you need to set authentication.shib.role-header.ignore-Scope as 'true'. For example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation, you name to make your settings as in the example value above.
Property:
authentication.shib.default-roles
Example Value:
authentication.shib.default-roles = Staff, Walk-ins
Informational Note:
When user is fully authN or IdP but would not like to release his/her roles to DSpace (for privacy reasons?), what should the default roles be given to such user. The values are separated by semi-colon or comma.
Property:
Code Block authentication.shib.role.Senior\ Researcher authentication.shib.role.Librarian
Example Value:
Code Block authentication.shib.role.Senior\ Researcher = Researcher, Staff authentication.shib.role.Librarian = Administrator
Informational Note:
The following mappings specify role mapping between IdP and Dspace. The left side of the entry is IdP's role (prefixed with 'authentication.shib.role.') which will be mapped to the right entry from DSpace. DSpace's group as indicated on the right entry has to EXIST in DSpace, otherwise user will be identified as 'anonymous'. Multiple values on the right entry should be separated by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping will be done when the IdP groups entry are not listed below (i.e. if 'X' group in IdP is not specified here, then it will be mapped to 'X' group in DSpace if it exists, otherwise it will be mapped to simply 'anonymous'). Given sufficient demand, future release could support regex for the mapping special characters need to be escaped by '\'
...
LDAP Authentication
You can enable LDAP authentication by adding its method to the stack in the DSpace configuration, e.g.
...
Standard LDAP Configuration | |||
Property: | | ||
Example Value: | | ||
Informational Note: | This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol. | ||
Property: | | ||
Example Value: | | ||
Explanation: | This is the unique identifier field in the LDAP directory where the username is stored. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the object context used when authenticating the user. It is appended to the ldap.id_field and username. For example | ||
Property: | | ||
Example Value: | | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8f05bf038afdd863-fb453f1b-482447d2-84c685a7-dc5315011dcea65a591bb314"><ac:plain-text-body><![CDATA[ | Informational Note: | This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With ldap.autoregister turned on, when a user authenticates without an EPerson object we search the LDAP directory to get their name and email address so that we can create one for them. So after we have authenticated against uid=username,ou=people,o=byu.edu we now search in ou=people for filtering on [uid=username]. Often the | ]]></ac:plain-text-body></ac:structured-macro> |
Property: | | ||
Example Value: | | ||
Informational Note: | This is the LDAP object field where the user's email address is stored. "mail" is the default and the most common for LDAP servers. If the mail field is not found the username will be used as the email address when creating the eperson object. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the LDAP object field where the user's last name is stored. "sn" is the default and is the most common for LDAP servers. If the field is not found the field will be left blank in the new eperson object. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object. | ||
Property: | | ||
Example Value: | | ||
Informational Note: | This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms. | ||
LDAP Users Group | |||
Property: | | ||
Example Value: | | ||
Informational Note: | If required, a group name can be given here, and all users who log into LDAP will automatically become members of this group. This is useful if you want a group made up of all internal authenticated users. (Remember to log on as the administrator, add this to the "Groups" with read rights). |
Hierarchical LDAP
...
Authentication
If your users are spread out across a hierarchical tree on your LDAP server, you will need to use the following stackable authentication class:
...
Property: | |
Example Value: | |
Informational Note: | This is the search scope value for the LDAP search during autoregistering. This will depend on your LDAP server setup. This value must be one of the following integers corresponding to the following values: |
Property: | |
Example Value: | |
Informational Note: | The full DN and password of a user allowed to connect to the LDAP server and search for the DN of the user trying to log in. If these are not specified, the initial bind will be performed anonymously. |
Property: | |
Example Value: | |
Informational Note: | If your LDAP server does not hold an email address for a user, you can use the following field to specify your email domain. This value is appended to the netid in order to make an email address. E.g. a netid of 'user' and |
IP Authentication
...
You can enable IP authentication by adding its method to the stack in the DSpace configuration, e.g.:
...