Versions Compared

Old Version 10

changes.mady.by.user Tim Donohue

Saved on

compared with

New Version 11

changes.mady.by.user Hrafn Malmquist

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: minor fix

...

Since many institutions and organizations have existing authentication systems, DSpace has been designed to allow these to be easily integrated into an existing authentication infrastructure. It keeps a series, or "stack", of authentication methods, so each one can be tried in turn. This makes it easy to add new authentication methods or rearrange the order without changing any existing code. You can also share authentication code with other sites.

Configuration File:

[dspace]/config/modules/authentication.cfg

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:


Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication


The configuration property plugin.sequence.org.dspace.authenticate.AuthenticationMethod defines the authentication stack. It is a comma-separated list of class names. Each of these classes implements a different authentication method, or way of determining the identity of the user. They are invoked in the order specified until one succeeds.

...

However, to enable Authentication by Password, you must ensure the org.dspace.authenticate.PasswordAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

Configuration File:

[dspace]/config/modules/authentication.cfg

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:


Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication


Configuring Authentication by Password

...

A full list of all available Password Authentication Configurations:

Configuration File:

[dspace]/config/modules/authentication-password.cfg

Property:

authentication-password.domain.valid

Example Value:

authentication-password.domain.value = @mit.edu, .ac.uk

Informational Note:

This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses.

Property:

authentication-password.login.specialgroup

Example Value:

authentication-password.login.specialgroup = My DSpace Group

Informational Note:

This option allows you to automatically add all password authenticated user sessions to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session.

Property:

authentication-password.digestAlgorithm

Example Value:

authentication-password.digestAlgorithm = SHA-512

Informational Note:

This option specifies the hashing algorithm to be used in converting plain-text passwords to more secure password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system. At least MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 should be available, but you may have installed others. Most sites will not need to adjust this.

Shibboleth Authentication

...

To enable Shibboleth Authentication, you must ensure the org.dspace.authenticate.ShibAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

Configuration File:

[dspace]/config/modules/authentication.cfg

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:


Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication


Configuring Shibboleth Authentication

...

Code Block
#### SAMPLE MOD_SHIB CONFIGURATION FOR APACHE2 (it may require local modifications based on your Apache setup) ####
# While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously), 
# you may also need/want to create one for HTTP (*:80)
<VirtualHost *:443>
   ...
   # PLEASE NOTE: We have omitted many Apache settings (ServerName, LogLevel, SSLCertificateFile, etc) 
   # which you may need/want to add to your VirtualHost
   
   # As long as Shibboleth module is installed, enable all Shibboleth/mod_shib related settings
   <IfModule mod_shib>
       # Shibboleth recommends turning on UseCanonicalName
       # See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
       UseCanonicalName On

       # Most DSpace instances will want to use Shibboleth "Lazy Session", which ensures that users 
       # can access DSpace without first authenticating via Shibboleth. 
       # This section turns on Shibboleth "Lazy Session". Also ensures that once they have authenticated
       # (by accessing /Shibboleth.sso/Login path), then their Shib session is kept alive
       <Location />
         AuthType shibboleth
         ShibRequireSession Off
         require shibboleth
         # If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your 
         # DSpace Service Provider, then you may need to tell Apache which "id" to redirect Shib requests to. 
         # Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value.
         #ShibRequestSetting applicationId my-dspace-id
       </Location>

       # If a user attempts to access the DSpace shibboleth login page, force them to authenticate via Shib
       <Location "/shibboleth-login">
         AuthType shibboleth
         ShibRequireSession On
         # Please note that setting ShibUseHeaders to "On" is a potential security risk. 
         # You may wish to set it to "Off". See the mod_shib docs for details about this setting:
         # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
         # Here's a good guide to configuring Apache + Tomcat when this setting is "Off": 
         # https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications 
         ShibUseHeaders On
         require valid-user
       </Location>
         
       # Ensure /Shibboleth.sso path (in Apache) can be accessed
       # By default it may be inaccessible if your Apache security is tight.
       <Location "/Shibboleth.sso">
         Order deny,allow
         Allow from all
         # Also ensure Shibboleth/mod_shib responds to this path
         SetHandler shib
       </Location>
 
       # Finally, you may need to ensure requests to /Shibboleth.sso are NOT redirected 
       # to Tomcat (as they need to be handled by mod_shib instead).
       # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING mod_proxy TO REDIRECT
       # ALL REQUESTS TO TOMCAT (e.g. ProxyPass / ajp://localhost:8009/)
       # ProxyPass /Shibboleth.sso !
   </IfModule>
 
   ...
 
</VirtualHost>

 


Sample shibboleth2.xml Configuration

...

Code Block
        <!-- *** Sample Shibboleth Settings for http://www.testshib.org/ ***     -->
        <!-- This provides a simple sample of how you could configure            -->
        <!-- shibboleth2.xml for DSpace sites.                                   -->
        <!-- TO ENABLE: You'd need to specify "applicationId" as "testshib" in   -->
        <!-- your mod_shib settings, e.g.                                        -->
        <!-- <Location />                                                        -->
        <!--     ...                                                             -->
        <!--     ShibRequestSetting applicationId testshib                       -->
        <!-- </Location>                                                         -->
        <ApplicationOverride id="testshib" entityID="http://mydspace.edu/shibboleth" REMOTE_USER="principal-id">

            <!-- We'll use a TEST IdP, hosted by the awesome http://www.testshib.org/ testing service. -->
            <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
            <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true">
               <SSO entityID="https://idp.testshib.org/idp/shibboleth">
                 SAML2 SAML1
               </SSO>
            </Sessions>

            <!-- Loads and trusts a metadata file that describes the IdP and how to communicate with it. -->
            <!-- By default, metadata is retrieved from the TEST IdP at http://www.testshib.org -->
            <!-- and is cached in a local file named "testshib-idp-metadata.xml". -->
            <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider -->
            <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
                          backingFilePath="testshib-idp-metadata.xml" reloadInterval="180000"/>
        </ApplicationOverride>

 

 



DSpace Shibboleth Configuration Options

...

The values extracted (a user may have multiple roles) will be used to look up which groups to place the user into. The groups are defined as "authentication-shibboleth.role.<role-name>" which is a comma separated list of  DSpace groups.

Configuration File:

[dspace]/config/modules/authentication-shibboleth.cfg

Property:

authentication-shibboleth.lazysession

Example Value:

authentication-shibboleth.lazysession = true

Informational Note:

Whether to use lazy sessions or active sessions. For more DSpace instances, you will likely want to use lazy sessions. Active sessions will force every user to authenticate via Shibboleth before they can access your DSpace (essentially resulting in a "dark archive").

Property:

authentication-shibboleth.lazysession.loginurl

Example Value:

authentication-shibboleth.lazysession.loginurl = /Shibboleth.sso/Login

Informational Note:

The url to start a shibboleth session (only for lazy sessions). Generally this setting will be "/Shibboleth.sso/Login"

Property:

authentication-shibboleth.lazysession.secure

Example Value:

authentication-shibboleth.lazysession.secure = true

Informational Note:

Force HTTPS when authenticating (only for lazy sessions). Generally this is recommended to be "true".

Property:

authentication-shibboleth.netid-header

Example Value:

authentication-shibboleth.netid-header = SHIB-NETID

Informational Note:

The HTTP header where shibboleth will supply a user's NetID. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file.

Property:

authentication-shibboleth.email-header

Example Value:

authentication-shibboleth.email-header = SHIB-MAIL

Informational Note:

The HTTP header where the shibboleth will supply a user's email address. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file.

Property:

authentication-shibboleth.email-use-tomcat-remote-user

Example Value:

authentication-shibboleth.email-use-tomcat-remote-user = false

Informational Note:

Used when a netid or email headers are not available should Shibboleth authentication fall back to using Tomcat's remote user feature? Generally this is not recommended. See the "Authentication Methods" section above.

Property:

authentication-shibboleth.reconvert.attributes

Example Valueauthentication-shibboleth.reconvert.attributes = false
Informational Note:Shibboleth attributes are by default UTF-8 encoded. Some servlet container automatically converts the attributes from ISO-8859-1 (latin-1) to UTF-8. As the attributes already were UTF-8 encoded it may be necessary to reconvert them. If you set this property true, DSpace converts all shibboleth attributes retrieved from the servlet container from UTF-8 to ISO-8859-1 and uses the result as if it were UTF-8. This procedure restores the shibboleth attributes if the servlet container wrongly converted them from ISO-8859-1 to UTF-8. Set this true, if you notice character encoding problems within shibboleth attributes.

Property:

authentication-shibboleth.autoregister

Example Value:

authentication-shibboleth.autoregister = true

Informational Note:

Should we allow new users to be registered automatically?

Property:

authentication-shibboleth.sword.compatibility

Example Value:

authentication-shibboleth.sword.compatibility = false

Informational Note:

SWORD compatibility will allow this authentication method to work when using SWORD. SWORD relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for SWORD sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions.
WARNING: If you enable this option while ALSO having "PasswordAuthentication" enabled, then you should ensure that "PasswordAuthentication" is listed prior to "ShibAuthentication" in your authentication.cfg file. Otherwise, ShibAuthentication will be used to authenticate all of your users INSTEAD OF PasswordAuthentication.

Property:

authentication-shibboleth.firstname-header

Example Value:

authentication-shibboleth.firstname-header = SHIB_GIVENNAME

Informational Note:

The HTTP header where the shibboleth will supply a user's given name. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file.

Property:

authentication-shibboleth.lastname-header

Example Value:

authentication-shibboleth.lastname-header = SHIB_SN

Informational Note:

The HTTP header where the shibboleth will supply a user's surname. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file.

Property:

authentication-shibboleth.eperson.metadata

Example Value:


Code Block
authentication-shibboleth.eperson.metadata = \
 SHIB-telephone => phone, \
 SHIB-cn => cn


Informational Note:

Additional user attributes mapping, multiple attributes may be stored for each user. The left side is the Shibboleth-based metadata Header and the right side is the eperson metadata field to map the attribute to.

Property:

authentication-shibboleth.eperson.metadata.autocreate

Example Value:

authentication-shibboleth.eperson.metadata.autocreate = true

Informational Note:

If the eperson metadata field is not found, should it be automatically created?

Property:

authentication-shibboleth.role-header

Example Value:

authentication-shibboleth.role-header = SHIB_SCOPED_AFFILIATION

Informational Note:

The shibboleth header to do role-based mappings (see section on roll based mapping section above)

Property:

authentication-shibboleth.role-header.ignore-scope

Example Value:

authentication-shibboleth.role-header.ignore-scope = true

Informational Note:

Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes)

Property:

authentication-shibboleth.role-header.ignore-value

Example Value:

authentication-shibboleth.role-header.ignore-value = false

Informational Note:

Weather to ignore the attribute's value (everything before the @ sign for scoped attributes)

Property:

authentication-shibboleth.role.[affiliation-attribute]

Example Value:


Code Block
authentication-shibboleth.role.faculty = Faculty, Member
authentication-shibboleth.role.staff = Staff, Member
authentication-shibboleth.role.student = Students, Member


Informational Note:

Mapping of affiliation values to DSpace groups. See the "Role-based Groups" section above for more info.

LDAP Authentication

Enabling LDAP Authentication

To enable LDAP Authentication, you must ensure the org.dspace.authenticate.LDAPAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

Configuration File:

[dspace]/config/modules/authentication.cfg

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:


Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication



Configuring LDAP Authentication

...

Here is an explanation of each of the different LDAP configuration parameters:

login.groupmaplogin.groupmap

Configuration File:

[dspace]/config/modules/authentication-ldap.cfg

Property:

authentication-ldap.enable

Example Value:

authentication-ldap.enable = false

Informational Note:

This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords.

Property:

authentication-ldap.autoregister

Example Value:

authentication-ldap.autoregister = true

Informational Note:

This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms.

Property:

authentication-ldap.provider_url

Example Value:

authentication-ldap.provider_url = ldap://ldap.myu.edu/o=myu.edu\,ou=mydept

Informational Note:

This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol. (This field has no default value)

NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\,"

Property:

authentication-ldap.starttls

Example Value:authentication-ldap.starttls = false
Informational Note:

Should we issue StartTLS after establishing TCP connection in order to initiate an encrypted connection?
Note: This (TLS) is different from LDAPS:

  • TLS is a tunnel for plain LDAP and is typically recognized on the same port (standard LDAP port: 389)
  • LDAPS is a separate protocol, deprecated in favor of the standard TLS method. (standard LDAPS port: 636)

Property:

authentication-ldap.id_field

Example Value:

authentication-ldap.id_field = uid

Explanation:

This is the unique identifier field in the LDAP directory where the username is stored. (This field has no default value)

Property:

authentication-ldap.object_context

Example Value:

authentication-ldap.object_context = ou=people\,o=myu.edu

Informational Note:

This is the LDAP object context to use when authenticating the user. By default, DSpace will use this value to create the user's DN in order to attempt to authenticate them. It is appended to the id_field and username. For example uid=username\,ou=people\,o=myu.edu. You will need to modify this to match your LDAP configuration. (This field has no default value)

If your users do NOT all exist under a single "object_context" in LDAP, then you should ignore this setting and INSTEAD use the Hierarchical LDAP Authentication settings below (especially see "search.user" or "search.anonymous")

NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\,"

Property:

authentication-ldap.search_context

Example Value:

authentication-ldap.search_context = ou=people

Informational Note:

This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With autoregister=true, when a user authenticates without an EPerson object we search the LDAP directory to get their name (id_field) and email address (email_field) so that we can create one for them. So after we have authenticated against uid=username,ou=people,o=byu.edu we now search in ou=people for filtering on [uid=username]. Often the search_context is the same as the object_context parameter. But again this depends on your LDAP server configuration. (This field has no default value, and it MUST be specified when either search.anonymous=true or search.user is specified)

NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\,"

Property:

authentication-ldap.email_field

Example Value:

authentication-ldap.email_field = mail

Informational Note:

This is the LDAP object field where the user's email address is stored. "mail" is the most common for LDAP servers. (This field has no default value)

If the "email_field" is unspecified, or the user has no email address in LDAP, his/her username (id_field value) will be saved as the email in DSpace (or appended to netid_email_domain, when specified)

Property:authentication-ldap.netid_email_domain
Example Value:authentication-ldap.netid_email_domain = @example.com
Informational Note:

If your LDAP server does not hold an email address for a user (i.e. no email_field), you can use the following field to specify your email domain. This value is appended to the netid (id_field) in order to make an email address (which is then stored in the DSpace EPerson). For example, a netid of 'user' and netid_email_domain as @example.com would set the email of the user to be user@example.com

Please note: this field will only be used if "email_field" is unspecified OR the user in question has no email address stored in LDAP. If both "email_field" and "netid_email_domain" are unspecified, then the "id_field" will be used as the email address.

Property:

authentication-ldap.surname_field

Example Value:

authentication-ldap.surname_field = sn

Informational Note:

This is the LDAP object field where the user's last name is stored. "sn" is the most common for LDAP servers. If the field is not found the field will be left blank in the new eperson object. (This field has no default value)

Property:

authentication-ldap.givenname_field

Example Value:

authentication-ldap.givenname_field = givenName

Informational Note:

This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object. (This field has no default value)

Property:

authentication-ldap.phone_field

Example Value:

authentication-ldap.phone_field = telephoneNumber

Informational Note:

This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object. (This field has no default value)

Property:

authentication-ldap.login.specialgroup

Example Value:

authentication-ldap.login.specialgroup = group-name

Informational Note:

If specified, all user sessions successfully logged in via LDAP will automatically become members of this DSpace Group (for the remainder of their current, logged in session). This DSpace Group must already exist (it will not be automatically created).
This is useful if you want a DSpace Group made up of all internal authenticated users. This DSpace Group can then be used to bestow special permissions on any users who have authenticated via LDAP (e.g. you could allow anyone authenticated via LDAP to view special, on campus only collections or similar)

Property:
Anchor
authentication-ldap.login.groupmap.*
Example Value:authentication-ldap.login.groupmap.1 = ou=Students:ALL_STUDENTS 
authentication-ldap.login.groupmap.2 = ou=Employees:ALL_EMPLOYEES 
authentication-ldap.login.groupmap.3 = ou=Faculty:ALL_FACULTY 
Informational Note:

The left part of the value (before the ":") must correspond to a portion of a user's DN (unless "login.group.attribute" is specified..please see below). The right part of the value corresponds to the name of an existing DSpace group.

For example, if the authenticated user's DN in LDAP is in the following form:

cn=jdoe,OU=Students,OU=Users,dc=example,dc=edu

that user would get assigned to the ALL_STUDENTS DSpace group for the remainder of their current session.

However, if that same user later graduates and is employed by the university, their DN in LDAP may change to:

cn=jdoe,OU=Employees,OU=Users,dc=example,dc=edu

Upon logging into DSpace after that DN change, the authenticated user would now be assigned to the ALL_EMPLOYEES DSpace group for the remainder of their current session.

Note: This option can be used independently from the login.specialgroup option, which will put all LDAP users into a single DSpace group. Both options may be used together.

Property:authentication-ldap.login.groupmap.attribute
Example Value:authentication-ldap.login.groupmap.attribute = group
Informational Note:

The value of the "authentication-ldap.login.groupmap.attribute" should specify the name of a single LDAP attribute. If this property is uncommented, it changes the meaning of the left part of "authentication-ldap.login.groupmap.*" (see above) as follows:

  • If the authenticated user has this LDAP attribute, look up the value of this LDAP attribute in the left part (before the ":") of the authentication-ldap.login.groupmap.* value
  • If that LDAP value is found in any "authentication-ldap.login.groupmap.*" field, assign this authenticated user to the DSpace Group specified by the right part (after the ":") of the authentication-ldap.login.groupmap.* value.

For example:

  • authentication-ldap.login.groupmap.attribute = group
  • authentication-ldap.login.groupmap.1 = mathematics:Mathematics_Group

The above would ensure that any authenticated users where their LDAP "group" attribute equals "mathematics" would be added to the DSpace Group named "Mathematics_Group" for the remainder of their current session. However, if that same user logged in later with a new LDAP "group" value of "computer science", he/she would no longer be a member of the "Mathematics_Group" in DSpace.

Debugging LDAP connection and configuration

...

You can optionally specify the search scope. If anonymous access is not enabled on your LDAP server, you will need to specify the full DN and password of a user that is allowed to bind in order to search for the users.

Configuration File:

[dspace]/config/modules/authentication-ldap.cfg

Property:

authentication-ldap.search_scope

Example Value:

authentication-ldap.search_scope = 2

Informational Note:

This is the search scope value for the LDAP search during autoregistering (autoregister=true). This will depend on your LDAP server setup, and is only really necessary if your users are spread out across a hierarchical tree on your LDAP server. This value must be one of the following integers corresponding to the following values:
 object scope : 0 
 one level scope : 1 
 subtree scope : 2

Please note that "search_context" in the LDAP configurations must also be specified.

Property:

authentication-ldap.search.anonymous

Example Value:

authentication-ldap.search.anonymous = true

Informational Note:

If true, DSpace will anonymously search LDAP (in the "search_context") for the DN of the user trying to login to DSpace. This setting is "false" by default. By default, DSpace will either use "search.user" to authenticate for the LDAP search (if search.user is specified), or will use the "object_context" value to create the user's DN.

Property:

authentication-ldap.search.user
authentication-ldap.search.password

Example Value:

authentication-ldap.search.user = cn=admin\,ou=people\,o=myu.edu
authentication-ldap.search.password = password

Informational Note:

The full DN and password of a user allowed to connect to the LDAP server and search (in the "search_context") for the DN of the user trying to login. By default, if unspecified, DSpace will either search LDAP anonymously for the user's DN (when search.anonymous=true), or will use the "object_context" value to create the user's DN.

NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\,"

IP Authentication

Enabling IP Authentication

To enable IP Authentication, you must ensure the org.dspace.authenticate.IPAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

Configuration File:

[dspace]/config/modules/authentication.cfg

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:


Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.IPAuthentication


Configuring IP Authentication

Configuration File:

[dspace]/config/modules/authentication-ip.cfg

Once enabled, you are then able to map DSpace groups to IP addresses in authentication-ip.cfg by setting ip.GROUPNAME = iprange[, iprange ...], e.g:

...

  1. See the HTTPS installation instructions to configure your Web server. If you are using HTTPS with Tomcat, note that the <Connector> tag must include the attribute clientAuth="true" so the server requests a personal Web certificate from the client.

  2. Add the org.dspace.authenticate.X509Authentication plugin first to the list of stackable authentication methods in the value of the configuration key plugin.sequence.org.dspace.authenticate.AuthenticationMethod

    Configuration File:

    [dspace]/config/modules/authentication.cfg

    Property:

    plugin.sequence.org.dspace.authenticate.AuthenticationMethod

    Example Value:


    Code Block
    plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.X509Authentication
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication



Configuring X.509 Certificate Authentication

Configuration File:

[dspace]/config/modules/authentication-x509.cfg

  1. You must also configure DSpace with the same CA certificates as the web server, so it can accept and interpret the clients' certificates. It can share the same keystore file as the web server, or a separate one, or a CA certificate in a file by itself. Configure it by oneof these methods, either the Java keystore

    Code Block
    authentication-x509.keystore.path =  path to Java keystore file
authentication-x509.keystore.password =  password to access the keystore

    ...or the separate CA certificate file (in PEM or DER format):

    Code Block
    authentication-x509.ca.cert =  path to certificate file for CA whose client certs to accept.


  2. Choose whether to enable auto-registration: If you want users who authenticate successfully to be automatically registered as new E-Persons if they are not already, set the autoregister configuration property to true. This lets you automatically accept all users with valid personal certificates. The default is false.

...