Page History
...
Existing Authentication Methods include
- 81953711 Authentication by Password (class:
org.dspace.authenticate.PasswordAuthentication
) (DEFAULT) - 81953711 Shibboleth Authentication (class:
org.dspace.authenticate.ShibAuthentication
) - 81953711 LDAP Authentication (class:
org.dspace.authenticate.LDAPAuthentication
) - IP Address based Authentication (class:
org.dspace.authenticate.IPAuthentication
) - 81953711 X.509 Certificate Authentication (class:
org.dspace.authenticate.X509Authentication
)
...
The default method org.dspace.authenticate.PasswordAuthentication
has the following properties:
- Use of inbuilt built-in e-mail address/password-based log-in. This is achieved by forwarding a request that is attempting an action requiring authorization to the password log-in servlet,
/password-login
. The password log-in servlet (org.dspace.app.webui.servlet.PasswordServlet
) contains code that will resume the original request if authentication is successful, as per step 3. described above. - Users can register themselves (i.e. add themselves as e-people without needing approval from the administrators), and can set their own passwords when they do this
- Users are not members of any special (dynamic) e-person groups
- You can restrict the domains from which new users are able to register. To enable this feature, uncomment the following line from dspace.cfg:
authentication.password.domain.valid = example.com
Example options might be '@example.com
' to restrict registration to users with addresses ending in @example.com, or '@example.com, .ac.uk
' to restrict registration to users with addresses ending in @example.com or with addresses in the .ac.uk domain.
...
If you want to give any special privileges to LDAP users, create a stackable authentication method to automatically put people who have a netid into a special group. You might also want to give certain email addresses special privileges. Refer to the Custom Authentication Code section below for more information about how to do this.
...
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords. |
Property: |
|
Example Value: |
|
Informational Note: | This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms. |
Property: |
|
Example Value: |
|
Informational Note: | This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol. (This field has no default value) NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," |
Property: |
|
Example Value: | authentication-ldap.starttls = false |
Informational Note: | Should we issue StartTLS after establishing TCP connection in order to initiate an encrypted connection?
|
Property: |
|
Example Value: |
|
Explanation: | This is the unique identifier field in the LDAP directory where the username is stored. (This field has no default value) |
Property: |
|
Example Value: |
|
Informational Note: | This is the LDAP object context to use when authenticating the user. By default, DSpace will use this value to create the user's DN in order to attempt to authenticate them. It is appended to the id_field and username. For example If your users do NOT all exist under a single "object_context" in LDAP, then you should ignore this setting and INSTEAD use the Hierarchical LDAP Authentication settings below (especially see " NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," |
Property: |
|
Example Value: |
|
Informational Note: | This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," |
Property: |
|
Example Value: |
|
Informational Note: | This is the LDAP object field where the user's email address is stored. "mail" is the most common for LDAP servers. (This field has no default value) If the "email_field" is unspecified, or the user has no email address in LDAP, his/her username (id_field value) will be saved as the email in DSpace (or appended to |
Property: | authentication-ldap.netid_email_domain |
Example Value: | authentication-ldap.netid_email_domain = @example.com |
Informational Note: | If your LDAP server does not hold an email address for a user (i.e. no Please note: this field will only be used if " |
Property: |
|
Example Value: |
|
Informational Note: | This is the LDAP object field where the user's last name is stored. " |
Property: | authentication-ldap.givenname_field |
Example Value: |
|
Informational Note: | This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object. (This field has no default value) |
Property: |
|
Example Value: |
|
Informational Note: | This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object. (This field has no default value) |
Property: |
|
Example Value: |
|
Informational Note: | If specified, all user sessions successfully logged in via LDAP will automatically become members of this DSpace Group (for the remainder of their current, logged in session). This DSpace Group must already exist (it will not be automatically created). |
Property: | authentication-ldap.login.groupmap.* |
Example Value: | authentication-ldap.login.groupmap.1 = ou=Students:ALL_STUDENTS authentication-ldap.login.groupmap.2 = ou=Employees:ALL_EMPLOYEES authentication-ldap.login.groupmap.3 = ou=Faculty:ALL_FACULTY |
Informational Note: | The left part of the value (before the ":") must correspond to a portion of a user's DN (unless " For example, if the authenticated user's DN in LDAP is in the following form:
that user would get assigned to the ALL_STUDENTS DSpace group for the remainder of their current session. However, if that same user later graduates and is employed by the university, their DN in LDAP may change to:
Upon logging into DSpace after that DN change, the authenticated user would now be assigned to the ALL_EMPLOYEES DSpace group for the remainder of their current session. Note: This option can be used independently from the login.specialgroup option, which will put all LDAP users into a single DSpace group. Both options may be used together. |
Property: | authentication-ldap.login.groupmap.attribute |
Example Value: | authentication-ldap.login.groupmap.attribute = group |
Informational Note: | The value of the "
For example:
The above would ensure that any authenticated users where their LDAP "group" attribute equals "mathematics" would be added to the DSpace Group named "Mathematics_Group" for the remainder of their current session. However, if that same user logged in later with a new LDAP "group" value of "computer science", he/she would no longer be a member of the "Mathematics_Group" in DSpace. |
...
Hierarchical LDAP Authentication shares all the above standard LDAP configurations, but has some additional settings.
...