[Duraspace] LDAP Authentication

Sean Carte sean.carte at gmail.com
Tue May 11 10:11:37 SAST 2010


I've got a simple ldap server configured primarily to allow
authentication for EZProxy; now I'd like to be able to get DSpace to
use it for authentication. But I can't get it to work.

I followed the DSpace configuration steps outlined at
<http://ir.sun.ac.za/wiki/index.php/User_Management>, and have the
following in my dspace.cfg:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
        org.dspace.authenticate.LDAPAuthentication, \
        org.dspace.authenticate.PasswordAuthentication

ldap.enable = true
ldap.provider_url = ldap://localhost:389/
ldap.id_field = uid
ldap.object_context = ou=People,dc=esal,dc=ac,dc=za
ldap.search_context = ou=People
ldap.email_field = mail
ldap.surname_field = sn
ldap.givenname_field = givenName
ldap.phone_field = telephoneNumber
webui.ldap.autoregister = false

DSpace and LDAP are running on the same server, and I can use
ldapsearch to return information on a user:

root at uzspace:~# ldapsearch -xLLL -b "dc=esal,dc=ac,dc=za" 'uid=UZP0899'
dn: uid=UZP0899,ou=People,dc=esal,dc=ac,dc=za
objectClass: inetOrgPerson
cn: Carte,S R
sn: Carte
uid: UZP0899
mail:

But DSpace returns an invalid username/password message when I try to
log in using its LDAP authentication. The following is what gets
output when running slapd in debug:

root at uzspace:~# slapd -d 2
@(#) $OpenLDAP: slapd 2.4.9 (Mar 31 2009 07:12:16) $
        buildd at rothera:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
/etc/ldap/slapd.conf: line 111: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 129: rootdn is always granted unlimited privileges.
slapd starting
ldap_read: want=8, got=8
  0000:  30 39 02 01 01 60 34 02                            09...`4.
ldap_read: want=51, got=51
  0000:  01 03 04 29 75 69 64 3d  55 5a 50 30 38 39 39 2c   ...)uid=UZP0899,
  0010:  6f 75 3d 50 65 6f 70 6c  65 2c 64 63 3d 65 73 61   ou=People,dc=esa
  0020:  6c 2c 64 63 3d 61 63 2c  64 63 3d 7a 61 80 04 xx   l,dc=ac,dc=za..x
  0030:  xx xx xx                                           xxx
ldap_read: want=8 error=Resource temporarily unavailable
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_read: want=8, got=8
  0000:  30 76 02 01 02 63 54 04                            0v...cT.
ldap_read: want=112, got=112
  0000:  09 6f 75 3d 50 65 6f 70  6c 65 0a 01 01 0a 01 03   .ou=People......
  0010:  02 01 00 02 01 00 01 01  00 a0 10 a3 0e 04 03 75   ...............u
  0020:  69 64 04 07 55 5a 50 30  38 39 39 30 26 04 04 6d   id..UZP08990&..m
  0030:  61 69 6c 04 09 67 69 76  65 6e 4e 61 6d 65 04 02   ail..givenName..
  0040:  73 6e 04 0f 74 65 6c 65  70 68 6f 6e 65 4e 75 6d   sn..telephoneNum
  0050:  62 65 72 a0 1b 30 19 04  17 32 2e 31 36 2e 38 34   ber..0...2.16.84
  0060:  30 2e 31 2e 31 31 33 37  33 30 2e 33 2e 34 2e 32   0.1.113730.3.4.2
ldap_read: want=8 error=Resource temporarily unavailable
  0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
ldap_read: want=8, got=8
  0000:  30 22 02 01 03 42 00 a0                            0"...B..
ldap_read: want=28, got=28
  0000:  1b 30 19 04 17 32 2e 31  36 2e 38 34 30 2e 31 2e   .0...2.16.840.1.
  0010:  31 31 33 37 33 30 2e 33  2e 34 2e 32               113730.3.4.2
ldap_read: want=8 error=Resource temporarily unavailable

And here is the debug output when authenticating using the OCLC EZProxy login:

root at uzspace:~# slapd -d 2
@(#) $OpenLDAP: slapd 2.4.9 (Mar 31 2009 07:12:16) $
        buildd at rothera:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
/etc/ldap/slapd.conf: line 111: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 129: rootdn is always granted unlimited privileges.
slapd starting
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 60 07 02                            0....`..
ldap_read: want=6, got=6
  0000:  01 03 04 00 80 00                                  ......
ldap_read: want=8 error=Resource temporarily unavailable
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_read: want=8, got=8
  0000:  30 7a 02 01 02 63 75 04                            0z...cu.
ldap_read: want=116, got=116
  0000:  1d 6f 75 3d 50 65 6f 70  6c 65 2c 64 63 3d 65 73   .ou=People,dc=es
  0010:  61 6c 2c 64 63 3d 61 63  2c 64 63 3d 7a 61 0a 01   al,dc=ac,dc=za..
  0020:  02 0a 01 00 02 01 02 02  01 00 01 01 00 a0 27 a3   ..............'.
  0030:  15 04 0b 6f 62 6a 65 63  74 43 6c 61 73 73 04 06   ...objectClass..
  0040:  70 65 72 73 6f 6e a3 0e  04 03 75 69 64 04 07 55   person....uid..U
  0050:  5a 50 30 38 39 39 30 1c  04 0b 6c 64 61 70 43 74   ZP08990...ldapCt
  0060:  78 2d 3e 64 6e 04 0d 6c  6f 67 69 6e 44 69 73 61   x->dn..loginDisa
  0070:  62 6c 65 64                                        bled
ldap_read: want=8 error=Resource temporarily unavailable
<= bdb_equality_candidates: (uid) not indexed
  0000:  30 32 02 01 02 64 2d 04  29 75 69 64 3d 55 5a 50   02...d-.)uid=UZP
  0010:  30 38 39 39 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   0899,ou=People,d
  0020:  63 3d 65 73 61 6c 2c 64  63 3d 61 63 2c 64 63 3d   c=esal,dc=ac,dc=
  0030:  7a 61 30 00                                        za0.
ldap_write: want=52, written=52
  0000:  30 32 02 01 02 64 2d 04  29 75 69 64 3d 55 5a 50   02...d-.)uid=UZP
  0010:  30 38 39 39 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   0899,ou=People,d
  0020:  63 3d 65 73 61 6c 2c 64  63 3d 61 63 2c 64 63 3d   c=esal,dc=ac,dc=
  0030:  7a 61 30 00                                        za0.
  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
ldap_read: want=8, got=8
  0000:  30 39 02 01 01 60 34 02                            09...`4.
ldap_read: want=51, got=51
  0000:  01 03 04 29 75 69 64 3d  55 5a 50 30 38 39 39 2c   ...)uid=UZP0899,
  0010:  6f 75 3d 50 65 6f 70 6c  65 2c 64 63 3d 65 73 61   ou=People,dc=esa
  0020:  6c 2c 64 63 3d 61 63 2c  64 63 3d 7a 61 80 04 xx   l,dc=ac,dc=za..x
  0030:  xx xx xx                                           xxx
ldap_read: want=8 error=Resource temporarily unavailable
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_read: want=8, got=8
  0000:  30 81 8b 02 01 02 63 81                            0.....c.
ldap_read: want=134, got=134
  0000:  85 04 29 75 69 64 3d 55  5a 50 30 38 39 39 2c 6f   ..)uid=UZP0899,o
  0010:  75 3d 50 65 6f 70 6c 65  2c 64 63 3d 65 73 61 6c   u=People,dc=esal
  0020:  2c 64 63 3d 61 63 2c 64  63 3d 7a 61 0a 01 00 0a   ,dc=ac,dc=za....
  0030:  01 00 02 01 00 02 01 00  01 01 00 87 0b 6f 62 6a   .............obj
  0040:  65 63 74 63 6c 61 73 73  30 3c 04 16 70 61 73 73   ectclass0<..pass
  0050:  77 6f 72 64 45 78 70 69  72 61 74 69 6f 6e 54 69   wordExpirationTi
  0060:  6d 65 04 13 70 61 73 73  77 6f 72 64 41 6c 6c 6f   me..passwordAllo
  0070:  77 43 68 61 6e 67 65 04  0d 6c 6f 67 69 6e 44 69   wChange..loginDi
  0080:  73 61 62 6c 65 64                                  sabled
ldap_read: want=8 error=Resource temporarily unavailable
  0000:  30 32 02 01 02 64 2d 04  29 75 69 64 3d 55 5a 50   02...d-.)uid=UZP
  0010:  30 38 39 39 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   0899,ou=People,d
  0020:  63 3d 65 73 61 6c 2c 64  63 3d 61 63 2c 64 63 3d   c=esal,dc=ac,dc=
  0030:  7a 61 30 00                                        za0.
ldap_write: want=52, written=52
  0000:  30 32 02 01 02 64 2d 04  29 75 69 64 3d 55 5a 50   02...d-.)uid=UZP
  0010:  30 38 39 39 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   0899,ou=People,d
  0020:  63 3d 65 73 61 6c 2c 64  63 3d 61 63 2c 64 63 3d   c=esal,dc=ac,dc=
  0030:  7a 61 30 00                                        za0.
  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
ldap_read: want=8, got=7
  0000:  30 05 02 01 03 42 00                               0....B.
ldap_read: want=8, got=0

ldap_read: want=8, got=7
  0000:  30 05 02 01 03 42 00                               0....B.
ldap_read: want=8, got=0

The EZProxy LDAP configuration seems to consist of the following:
::LDAP
URL ldap://localhost/ou=People,dc=esal,dc=ac,dc=za?uid?sub?(objectClass=person)
IfUnauthenticated; Stop
/LDAP

I have tried an alternative ldap.search.context of
'ou=People,dc=esal,dc=ac,dc=za' in dspace.cfg, but that didn't seem to
make any difference.

Any ideas as to where I've gone wrong?

Sean
-- 
Sean Carte
esAL Library Systems Manager
+27 72 898 8775
+27 31 373 2490
fax: 0866741254
http://esal.dut.ac.za/
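The two slapd dumps in the post are easier to compare once the BER is decoded. What follows is an added example, not code from the post, from DSpace, EZProxy or OpenLDAP: a small decoder for the LDAP PDUs that `slapd -d 2` prints as hex. The PDU bytes are transcribed from the dumps above, with the password bytes of the simple bind replaced by 'xxxx'; the names OPS, RESULT, SCOPE, read_tlv, children, decode_filter and decode_pdu are my own, and only the BER tags that actually occur in these dumps are handled. Decoded, the DSpace session is a successful simple bind as uid=UZP0899,ou=People,dc=esal,dc=ac,dc=za followed by a one-level search whose base is the literal string "ou=People", which slapd answers with resultCode 32 (noSuchObject); the EZProxy session binds anonymously, searches the full base ou=People,dc=esal,dc=ac,dc=za with subtree scope, gets the entry back, binds as that DN and re-reads the entry.

```python
"""Decode LDAP PDUs (BER, RFC 4511) from an `slapd -d 2` hex dump.
Added example, not DSpace, EZProxy or OpenLDAP code.  The PDU bytes below are
transcribed from the two dumps in the post, with the simple-bind password
replaced by 'xxxx'; only the tags present in those dumps are decoded."""

OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x63: "SearchRequest",
       0x64: "SearchResultEntry", 0x65: "SearchResultDone", 0x42: "UnbindRequest"}
RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}
SCOPE = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form, e.g. 81 8b -> 139 bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value (SEQUENCE, AND filter, controls) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_filter(tag, value):
    """Render a Filter back into RFC 4515 string form."""
    if tag == 0xA0:                          # and
        return "(&" + "".join(decode_filter(t, v) for t, v in children(value)) + ")"
    if tag == 0xA3:                          # equalityMatch: attr, value
        (_, attr), (_, val) = children(value)
        return "(%s=%s)" % (attr.decode(), val.decode())
    if tag == 0x87:                          # present
        return "(%s=*)" % value.decode()
    return "(<filter tag 0x%02x not handled>)" % tag


def decode_pdu(hexdump):
    """Decode one LDAPMessage given as the hex bytes printed by slapd -d 2."""
    _, msg, _ = read_tlv(bytes.fromhex(hexdump))
    parts = children(msg)                    # messageID, protocolOp, [controls]
    (_, msgid), (op_tag, op) = parts[0], parts[1]
    out = {"msgid": msgid[0], "op": OPS.get(op_tag, hex(op_tag))}
    if op_tag == 0x60:                       # BindRequest: version, name, authentication
        (_, ver), (_, name), (auth_tag, cred) = children(op)
        out.update(version=ver[0], dn=name.decode(), auth="simple" if auth_tag == 0x80 else "sasl",
                   anonymous=(name == b"" and cred == b""))
    elif op_tag == 0x63:                     # SearchRequest: base, scope, deref, size, time, typesOnly, filter, attrs
        c = children(op)
        out.update(base=c[0][1].decode(), scope=SCOPE[c[1][1][0]], filter=decode_filter(*c[6]),
                   attributes=[v.decode() for _, v in children(c[7][1])])
    elif op_tag in (0x61, 0x65):             # LDAPResult: resultCode, matchedDN, diagnosticMessage
        (_, code), (_, matched), (_, diag) = children(op)[:3]
        out.update(result_code=code[0], result=RESULT.get(code[0], "other"),
                   matched_dn=matched.decode(), diagnostic=diag.decode())
    elif op_tag == 0x64:                     # SearchResultEntry: objectName, attributes
        (_, name), (_, attrs) = children(op)
        out.update(dn=name.decode(), attribute_count=len(children(attrs)))
    out["controls"] = [children(ctl)[0][1].decode()   # controlType OID of each control
                       for tag, ctls in parts[2:] if tag == 0xA0 for _, ctl in children(ctls)]
    return out


# Transcribed from the post.  DN = uid=UZP0899,ou=People,dc=esal,dc=ac,dc=za,
# OID = 2.16.840.1.113730.3.4.2 (ManageDsaIT), password bytes replaced by 'xxxx'.
DN = ("75 69 64 3d 55 5a 50 30 38 39 39 2c 6f 75 3d 50 65 6f 70 6c 65 2c "
      "64 63 3d 65 73 61 6c 2c 64 63 3d 61 63 2c 64 63 3d 7a 61")
OID = "32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 32"
BIND_AS_USER = "30 39 02 01 01 60 34 02 01 03 04 29 " + DN + " 80 04 78 78 78 78"
BIND_OK = "30 0c 02 01 01 61 07 0a 01 00 04 00 04 00"

DSPACE = [BIND_AS_USER, BIND_OK,
          # search: base 'ou=People', one level, (&(uid=UZP0899)), four attributes, ManageDsaIT
          "30 76 02 01 02 63 54 04 09 6f 75 3d 50 65 6f 70 6c 65 0a 01 01 0a 01 03 "
          "02 01 00 02 01 00 01 01 00 a0 10 a3 0e 04 03 75 69 64 04 07 55 5a 50 30 "
          "38 39 39 30 26 04 04 6d 61 69 6c 04 09 67 69 76 65 6e 4e 61 6d 65 04 02 "
          "73 6e 04 0f 74 65 6c 65 70 68 6f 6e 65 4e 75 6d 62 65 72 a0 1b 30 19 04 17 " + OID,
          "30 0c 02 01 02 65 07 0a 01 20 04 00 04 00",     # searchResDone, resultCode 0x20
          "30 22 02 01 03 42 00 a0 1b 30 19 04 17 " + OID]

EZPROXY = ["30 0c 02 01 01 60 07 02 01 03 04 00 80 00",   # anonymous simple bind
           BIND_OK,
           # search: full base DN, subtree, (&(objectClass=person)(uid=UZP0899))
           "30 7a 02 01 02 63 75 04 1d 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 65 73 "
           "61 6c 2c 64 63 3d 61 63 2c 64 63 3d 7a 61 0a 01 02 0a 01 00 02 01 02 02 01 "
           "00 01 01 00 a0 27 a3 15 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 06 70 65 "
           "72 73 6f 6e a3 0e 04 03 75 69 64 04 07 55 5a 50 30 38 39 39 30 1c 04 0b 6c "
           "64 61 70 43 74 78 2d 3e 64 6e 04 0d 6c 6f 67 69 6e 44 69 73 61 62 6c 65 64",
           "30 32 02 01 02 64 2d 04 29 " + DN + " 30 00",   # the entry that matched
           "30 0c 02 01 02 65 07 0a 01 00 04 00 04 00",
           BIND_AS_USER, BIND_OK,
           # base-object re-read of the entry; note the long-form lengths 81 8b / 81 85
           "30 81 8b 02 01 02 63 81 85 04 29 " + DN + " 0a 01 00 0a 01 00 02 01 00 02 01 "
           "00 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 3c 04 16 70 61 73 73 "
           "77 6f 72 64 45 78 70 69 72 61 74 69 6f 6e 54 69 6d 65 04 13 70 61 73 73 77 "
           "6f 72 64 41 6c 6c 6f 77 43 68 61 6e 67 65 04 0d 6c 6f 67 69 6e 44 69 73 61 "
           "62 6c 65 64"]

if __name__ == "__main__":
    for label, pdus in (("DSpace", DSPACE), ("EZProxy", EZPROXY)):
        print("==", label)
        for p in pdus:
            print("  ", decode_pdu(p))
```

Run it and compare the "base" of the two SearchRequests and the "result" of each SearchResultDone; the "controls" list also shows the 2.16.840.1.113730.3.4.2 (ManageDsaIT) control that the DSpace client attaches to its search and unbind, which EZProxy does not send.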