[Duraspace] [Dspace-tech] LDAP Authentication
Hilton Gibson
hilton.gibson at gmail.com
Thu May 13 12:45:33 SAST 2010
Hi Sean
Your setup looks good.
What do your DSpace logs say?
Cheers
hg
On 13 May 2010 11:53, Sean Carte <sean.carte at gmail.com> wrote:
> I've got a simple ldap server configured primarily to allow
> authentication for EZProxy; now I'd like to be able to get DSpace to
> use it for authentication. But I can't get it to work.
>
> I followed the DSpace configuration steps outlined at
> <http://ir.sun.ac.za/wiki/index.php/User_Management>, and have the
> following in my dspace.cfg:
>
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
> org.dspace.authenticate.LDAPAuthentication, \
> org.dspace.authenticate.PasswordAuthentication
>
> ldap.enable = true
> ldap.provider_url = ldap://localhost:389/
> ldap.id_field = uid
> ldap.object_context = ou=People,dc=esal,dc=ac,dc=za
> ldap.search_context = ou=People
> ldap.email_field = mail
> ldap.surname_field = sn
> ldap.givenname_field = givenName
> ldap.phone_field = telephoneNumber
> webui.ldap.autoregister = false
>
> DSpace and LDAP are running on the same server, and I can use
> ldapsearch to return information on a user:
>
> root@uzspace:~# ldapsearch -xLLL -b "dc=esal,dc=ac,dc=za" 'uid=UZP0899'
> dn: uid=UZP0899,ou=People,dc=esal,dc=ac,dc=za
> objectClass: inetOrgPerson
> cn: Carte,S R
> sn: Carte
> uid: UZP0899
> mail:
>
> But DSpace returns an invalid username/password message when I try to
> log in using its LDAP authentication. The following is what gets
> output when running slapd in debug:
>
> root@uzspace:~# slapd -d 2
> @(#) $OpenLDAP: slapd 2.4.9 (Mar 31 2009 07:12:16) $
> buildd@rothera:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
> /etc/ldap/slapd.conf: line 111: rootdn is always granted unlimited privileges.
> /etc/ldap/slapd.conf: line 129: rootdn is always granted unlimited privileges.
> slapd starting
> ldap_read: want=8, got=8
> 0000: 30 39 02 01 01 60 34 02 09...`4.
> ldap_read: want=51, got=51
> 0000: 01 03 04 29 75 69 64 3d 55 5a 50 30 38 39 39 2c ...)uid=UZP0899,
> 0010: 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 65 73 61 ou=People,dc=esa
> 0020: 6c 2c 64 63 3d 61 63 2c 64 63 3d 7a 61 80 04 37 l,dc=ac,dc=za..x
> 0030: 33 32 36 xxx
> ldap_read: want=8 error=Resource temporarily unavailable
> 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
> ldap_read: want=8, got=8
> 0000: 30 76 02 01 02 63 54 04 0v...cT.
> ldap_read: want=112, got=112
> 0000: 09 6f 75 3d 50 65 6f 70 6c 65 0a 01 01 0a 01 03 .ou=People......
> 0010: 02 01 00 02 01 00 01 01 00 a0 10 a3 0e 04 03 75 ...............u
> 0020: 69 64 04 07 55 5a 50 30 38 39 39 30 26 04 04 6d id..UZP08990&..m
> 0030: 61 69 6c 04 09 67 69 76 65 6e 4e 61 6d 65 04 02 ail..givenName..
> 0040: 73 6e 04 0f 74 65 6c 65 70 68 6f 6e 65 4e 75 6d sn..telephoneNum
> 0050: 62 65 72 a0 1b 30 19 04 17 32 2e 31 36 2e 38 34 ber..0...2.16.84
> 0060: 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 32 0.1.113730.3.4.2
> ldap_read: want=8 error=Resource temporarily unavailable
> 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... ....
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... ....
> ldap_read: want=8, got=8
> 0000: 30 22 02 01 03 42 00 a0 0"...B..
> ldap_read: want=28, got=28
> 0000: 1b 30 19 04 17 32 2e 31 36 2e 38 34 30 2e 31 2e .0...2.16.840.1.
> 0010: 31 31 33 37 33 30 2e 33 2e 34 2e 32 113730.3.4.2
> ldap_read: want=8 error=Resource temporarily unavailable
>
> And here is the debug output when successfully authenticating using
> the OCLC EZProxy login:
>
> root@uzspace:~# slapd -d 2
> @(#) $OpenLDAP: slapd 2.4.9 (Mar 31 2009 07:12:16) $
> buildd@rothera:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
> /etc/ldap/slapd.conf: line 111: rootdn is always granted unlimited privileges.
> /etc/ldap/slapd.conf: line 129: rootdn is always granted unlimited privileges.
> slapd starting
> ldap_read: want=8, got=8
> 0000: 30 0c 02 01 01 60 07 02 0....`..
> ldap_read: want=6, got=6
> 0000: 01 03 04 00 80 00 ......
> ldap_read: want=8 error=Resource temporarily unavailable
> 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
> ldap_read: want=8, got=8
> 0000: 30 7a 02 01 02 63 75 04 0z...cu.
> ldap_read: want=116, got=116
> 0000: 1d 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 65 73 .ou=People,dc=es
> 0010: 61 6c 2c 64 63 3d 61 63 2c 64 63 3d 7a 61 0a 01 al,dc=ac,dc=za..
> 0020: 02 0a 01 00 02 01 02 02 01 00 01 01 00 a0 27 a3 ..............'.
> 0030: 15 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 06 ...objectClass..
> 0040: 70 65 72 73 6f 6e a3 0e 04 03 75 69 64 04 07 55 person....uid..U
> 0050: 5a 50 30 38 39 39 30 1c 04 0b 6c 64 61 70 43 74 ZP08990...ldapCt
> 0060: 78 2d 3e 64 6e 04 0d 6c 6f 67 69 6e 44 69 73 61 x->dn..loginDisa
> 0070: 62 6c 65 64 bled
> ldap_read: want=8 error=Resource temporarily unavailable
> <= bdb_equality_candidates: (uid) not indexed
> 0000: 30 32 02 01 02 64 2d 04 29 75 69 64 3d 55 5a 50 02...d-.)uid=UZP
> 0010: 30 38 39 39 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 0899,ou=People,d
> 0020: 63 3d 65 73 61 6c 2c 64 63 3d 61 63 2c 64 63 3d c=esal,dc=ac,dc=
> 0030: 7a 61 30 00 za0.
> ldap_write: want=52, written=52
> 0000: 30 32 02 01 02 64 2d 04 29 75 69 64 3d 55 5a 50 02...d-.)uid=UZP
> 0010: 30 38 39 39 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 0899,ou=People,d
> 0020: 63 3d 65 73 61 6c 2c 64 63 3d 61 63 2c 64 63 3d c=esal,dc=ac,dc=
> 0030: 7a 61 30 00 za0.
> 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
> ldap_read: want=8, got=8
> 0000: 30 39 02 01 01 60 34 02 09...`4.
> ldap_read: want=51, got=51
> 0000: 01 03 04 29 75 69 64 3d 55 5a 50 30 38 39 39 2c ...)uid=UZP0899,
> 0010: 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 65 73 61 ou=People,dc=esa
> 0020: 6c 2c 64 63 3d 61 63 2c 64 63 3d 7a 61 80 04 37 l,dc=ac,dc=za..x
> 0030: 33 32 36 xxx
> ldap_read: want=8 error=Resource temporarily unavailable
> 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
> ldap_read: want=8, got=8
> 0000: 30 81 8b 02 01 02 63 81 0.....c.
> ldap_read: want=134, got=134
> 0000: 85 04 29 75 69 64 3d 55 5a 50 30 38 39 39 2c 6f ..)uid=UZP0899,o
> 0010: 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 65 73 61 6c u=People,dc=esal
> 0020: 2c 64 63 3d 61 63 2c 64 63 3d 7a 61 0a 01 00 0a ,dc=ac,dc=za....
> 0030: 01 00 02 01 00 02 01 00 01 01 00 87 0b 6f 62 6a .............obj
> 0040: 65 63 74 63 6c 61 73 73 30 3c 04 16 70 61 73 73 ectclass0<..pass
> 0050: 77 6f 72 64 45 78 70 69 72 61 74 69 6f 6e 54 69 wordExpirationTi
> 0060: 6d 65 04 13 70 61 73 73 77 6f 72 64 41 6c 6c 6f me..passwordAllo
> 0070: 77 43 68 61 6e 67 65 04 0d 6c 6f 67 69 6e 44 69 wChange..loginDi
> 0080: 73 61 62 6c 65 64 sabled
> ldap_read: want=8 error=Resource temporarily unavailable
> 0000: 30 32 02 01 02 64 2d 04 29 75 69 64 3d 55 5a 50 02...d-.)uid=UZP
> 0010: 30 38 39 39 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 0899,ou=People,d
> 0020: 63 3d 65 73 61 6c 2c 64 63 3d 61 63 2c 64 63 3d c=esal,dc=ac,dc=
> 0030: 7a 61 30 00 za0.
> ldap_write: want=52, written=52
> 0000: 30 32 02 01 02 64 2d 04 29 75 69 64 3d 55 5a 50 02...d-.)uid=UZP
> 0010: 30 38 39 39 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 0899,ou=People,d
> 0020: 63 3d 65 73 61 6c 2c 64 63 3d 61 63 2c 64 63 3d c=esal,dc=ac,dc=
> 0030: 7a 61 30 00 za0.
> 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
> ldap_read: want=8, got=7
> 0000: 30 05 02 01 03 42 00 0....B.
> ldap_read: want=8, got=0
>
> ldap_read: want=8, got=7
> 0000: 30 05 02 01 03 42 00 0....B.
> ldap_read: want=8, got=0
>
> The EZProxy LDAP configuration seems to consist of the following:
> ::LDAP
> URL
> ldap://localhost/ou=People,dc=esal,dc=ac,dc=za?uid?sub?(objectClass=person)
> IfUnauthenticated; Stop
> /LDAP
>
> I have tried an alternative ldap.search_context of
> 'ou=People,dc=esal,dc=ac,dc=za' in dspace.cfg, but that didn't seem to
> make any difference.
>
> Any ideas as to where I've gone wrong?
>
> Sean
> --
> Sean Carte
> esAL Library Systems Manager
> +27 72 898 8775
> +27 31 373 2490
> fax: 0866741254
> http://esal.dut.ac.za/
>
>
--
Hilton Gibson
Systems Administrator
JSG Library Room 1025D
Stellenbosch University
Private Bag X5036
Stellenbosch
7599
South Africa
Cell: +27 846 464 758
Email: hgibson__AT__sun.ac.za
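
The slapd output quoted above is a raw BER dump, so the LDAP result codes that answer Sean's question are easy to miss. What follows is an added example written for this page, not code from the thread and not DSpace, OpenLDAP or EZProxy code: it reassembles the `ldap_read`/`ldap_write` buffers of a `slapd -d 2` log into LDAP messages and decodes the bind and search operations. Run over the failing DSpace attempt it shows the simple bind as `uid=UZP0899,ou=People,dc=esal,dc=ac,dc=za` succeeding (bindResponse resultCode 0), followed by a one-level search whose base is the bare `ou=People` taken from `ldap.search_context`, filter `(&(uid=UZP0899))`, attributes mail, givenName, sn and telephoneNumber, answered with searchResultDone resultCode 32, noSuchObject; the user's attributes therefore never come back. The embedded sample log is constructed from the dump in the post with the four password bytes replaced by `78 78 78 78`: the post's ASCII column was redacted but its hex column was not, so the bind password is recoverable from the original, which is also a reminder that on `ldap://` without StartTLS the simple-bind password crosses the wire in the clear. The result-code, scope and operation tables cover only the values needed here.

```python
# Added example: decode the LDAP messages in an OpenLDAP `slapd -d 2` hex dump.
import re

# Constructed sample: the failing DSpace attempt quoted above, with the four
# password bytes after `80 04` replaced by 78 78 78 78 ("xxxx").
SAMPLE_LOG = """\
ldap_read: want=8, got=8
0000: 30 39 02 01 01 60 34 02 09...`4.
ldap_read: want=51, got=51
0000: 01 03 04 29 75 69 64 3d 55 5a 50 30 38 39 39 2c ...)uid=UZP0899,
0010: 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 65 73 61 ou=People,dc=esa
0020: 6c 2c 64 63 3d 61 63 2c 64 63 3d 7a 61 80 04 78 l,dc=ac,dc=za..x
0030: 78 78 78 xxx
ldap_read: want=8 error=Resource temporarily unavailable
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_read: want=8, got=8
0000: 30 76 02 01 02 63 54 04 0v...cT.
ldap_read: want=112, got=112
0000: 09 6f 75 3d 50 65 6f 70 6c 65 0a 01 01 0a 01 03 .ou=People......
0010: 02 01 00 02 01 00 01 01 00 a0 10 a3 0e 04 03 75 ...............u
0020: 69 64 04 07 55 5a 50 30 38 39 39 30 26 04 04 6d id..UZP08990&..m
0030: 61 69 6c 04 09 67 69 76 65 6e 4e 61 6d 65 04 02 ail..givenName..
0040: 73 6e 04 0f 74 65 6c 65 70 68 6f 6e 65 4e 75 6d sn..telephoneNum
0050: 62 65 72 a0 1b 30 19 04 17 32 2e 31 36 2e 38 34 ber..0...2.16.84
0060: 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 32 0.1.113730.3.4.2
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... ....
"""
OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest", 0x65: "searchResultDone"}
RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}
SCOPE = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}
HDR = re.compile(r"ldap_(read|write): want=\d+, (?:got|written)=(\d+)")
DUMP = re.compile(r"^[0-9a-f]{4}: ")

def streams(log):
    """Rebuild the client->server (read) and server->client (write) byte streams."""
    buf, direction, need = {"read": bytearray(), "write": bytearray()}, "read", 0
    for line in log.splitlines():
        m = HDR.match(line)
        if m:
            direction, need = m.group(1), int(m.group(2))
        elif line.startswith("ldap_"):        # "want=8 error=...": the buffer dumped
            need = 0                          # next is a copy of the coming write, skip it
        elif DUMP.match(line) and need:       # hex bytes first, then the ASCII column
            buf[direction] += bytes.fromhex("".join(line.split()[1:1 + min(16, need)]))
            need -= min(16, need)
    return bytes(buf["read"]), bytes(buf["write"])

def tlvs(data):
    """Yield (tag, value) for each BER TLV in data; LDAP tags fit in one byte."""
    pos = 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                     # long form length, e.g. 81 8b
            length, pos = int.from_bytes(data[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
        yield tag, data[pos:pos + length]
        pos += length

def filt(tag, val):
    if tag in (0xA0, 0xA1):                   # and / or
        return "(%s%s)" % ("&|"[tag - 0xA0], "".join(filt(t, v) for t, v in tlvs(val)))
    if tag == 0xA3:                           # equalityMatch
        return "(%s=%s)" % tuple(v.decode() for _, v in tlvs(val))
    if tag == 0x87:                           # present
        return "(%s=*)" % val.decode()
    return "(?tag=0x%02x)" % tag

def decode(body):
    (_, mid), (op, val) = list(tlvs(body))[:2]   # messageID, protocolOp; controls ignored
    parts, out = list(tlvs(val)), {"id": int.from_bytes(mid, "big"), "op": OPS.get(op, hex(op))}
    if op == 0x60:                            # simple bind: the password itself is on the wire
        out["dn"], out["auth"] = parts[1][1].decode(), "simple" if parts[2][0] == 0x80 else "sasl"
        out["password_len"] = len(parts[2][1])
    elif op in (0x61, 0x65):                  # LDAPResult: resultCode, matchedDN, message
        out["result"] = RESULT.get(parts[0][1][0], str(parts[0][1][0]))
    elif op == 0x63:                          # base, scope, deref, sizes, typesOnly, filter, attrs
        out["base"], out["scope"] = parts[0][1].decode(), SCOPE[parts[1][1][0]]
        out["filter"] = filt(*parts[6])
        out["attrs"] = [v.decode() for _, v in tlvs(parts[7][1])]
    return out

def messages(stream):
    return [decode(val) for _, val in tlvs(stream)]   # each top-level TLV is one LDAPMessage

def diagnose(log):
    sent, received = (messages(s) for s in streams(log))
    reply, bind_dn, notes = {r["id"]: r.get("result", "entry") for r in received}, "", []
    for m in sent:
        res = reply.get(m["id"], "no reply")
        if m["op"] == "bindRequest":
            bind_dn = m["dn"]
            notes.append("bind %s (%s, %d-byte password): %s" % (m["dn"], m["auth"], m["password_len"], res))
        elif m["op"] == "searchRequest":
            notes.append("search base=%s scope=%s filter=%s: %s" % (m["base"], m["scope"], m["filter"], res))
            if res == "noSuchObject" and bind_dn and not bind_dn.lower().endswith("," + m["base"].lower()):
                notes.append("base %s is not an ancestor of the bind DN: sent absolute, it looks relative" % m["base"])
    return notes
```

`print("\n".join(diagnose(SAMPLE_LOG)))` prints the three findings. The search base in an LDAP SearchRequest is an absolute DN; the EZProxy exchange in the same post searches `ou=People,dc=esal,dc=ac,dc=za` and gets an entry back. A bare `ou=People` can only work if the client appends a base DN taken from its provider URL, which is my reading of how the JNDI client composes names and not something the thread states; it is the same base-mismatch check the last `diagnose` note makes by comparing the search base with the bind DN. Since the full-DN `ldap.search_context` reportedly made no difference, the other thing the post itself shows is worth checking next: the `mail:` attribute in the ldapsearch output is empty, and `ldap.email_field = mail` is the attribute DSpace is configured to use for the EPerson's e-mail address.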