[Duraspace] [Dspace-tech] LDAP Authentication

Hilton Gibson hilton.gibson at gmail.com
Thu May 13 12:45:33 SAST 2010


Hi Sean

Your setup looks good.
What do your DSpace logs say?

Cheers

hg

On 13 May 2010 11:53, Sean Carte <sean.carte at gmail.com> wrote:

> I've got a simple ldap server configured primarily to allow
> authentication for EZProxy; now I'd like to be able to get DSpace to
> use it for authentication. But I can't get it to work.
>
> I followed the DSpace configuration steps outlined at
> <http://ir.sun.ac.za/wiki/index.php/User_Management>, and have the
> following in my dspace.cfg:
>
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
>        org.dspace.authenticate.LDAPAuthentication, \
>        org.dspace.authenticate.PasswordAuthentication
>
> ldap.enable = true
> ldap.provider_url = ldap://localhost:389/
> ldap.id_field = uid
> ldap.object_context = ou=People,dc=esal,dc=ac,dc=za
> ldap.search_context = ou=People
> ldap.email_field = mail
> ldap.surname_field = sn
> ldap.givenname_field = givenName
> ldap.phone_field = telephoneNumber
> webui.ldap.autoregister = false
>
> DSpace and LDAP are running on the same server, and I can use
> ldapsearch to return information on a user:
>
> root at uzspace:~# ldapsearch -xLLL -b "dc=esal,dc=ac,dc=za" 'uid=UZP0899'
> dn: uid=UZP0899,ou=People,dc=esal,dc=ac,dc=za
> objectClass: inetOrgPerson
> cn: Carte,S R
> sn: Carte
> uid: UZP0899
> mail:
>
> But DSpace returns an invalid username/password message when I try to
> log in using its LDAP authentication. The following is what gets
> output when running slapd in debug:
>
> root at uzspace:~# slapd -d 2
> @(#) $OpenLDAP: slapd 2.4.9 (Mar 31 2009 07:12:16) $
>        buildd at rothera
> :/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
> /etc/ldap/slapd.conf: line 111: rootdn is always granted unlimited
> privileges.
> /etc/ldap/slapd.conf: line 129: rootdn is always granted unlimited
> privileges.
> slapd starting
> ldap_read: want=8, got=8
>  0000:  30 39 02 01 01 60 34 02                            09...`4.
> ldap_read: want=51, got=51
>  0000:  01 03 04 29 75 69 64 3d  55 5a 50 30 38 39 39 2c   ...)uid=UZP0899,
>  0010:  6f 75 3d 50 65 6f 70 6c  65 2c 64 63 3d 65 73 61   ou=People,dc=esa
>  0020:  6c 2c 64 63 3d 61 63 2c  64 63 3d 7a 61 80 04 37   l,dc=ac,dc=za..x
>  0030:  33 32 36                                           xxx
> ldap_read: want=8 error=Resource temporarily unavailable
>  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
> ldap_write: want=14, written=14
>  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
> ldap_read: want=8, got=8
>  0000:  30 76 02 01 02 63 54 04                            0v...cT.
> ldap_read: want=112, got=112
>  0000:  09 6f 75 3d 50 65 6f 70  6c 65 0a 01 01 0a 01 03   .ou=People......
>  0010:  02 01 00 02 01 00 01 01  00 a0 10 a3 0e 04 03 75   ...............u
>  0020:  69 64 04 07 55 5a 50 30  38 39 39 30 26 04 04 6d   id..UZP08990&..m
>  0030:  61 69 6c 04 09 67 69 76  65 6e 4e 61 6d 65 04 02   ail..givenName..
>  0040:  73 6e 04 0f 74 65 6c 65  70 68 6f 6e 65 4e 75 6d   sn..telephoneNum
>  0050:  62 65 72 a0 1b 30 19 04  17 32 2e 31 36 2e 38 34   ber..0...2.16.84
>  0060:  30 2e 31 2e 31 31 33 37  33 30 2e 33 2e 34 2e 32   0.1.113730.3.4.2
> ldap_read: want=8 error=Resource temporarily unavailable
>  0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
> ldap_write: want=14, written=14
>  0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
> ldap_read: want=8, got=8
>  0000:  30 22 02 01 03 42 00 a0                            0"...B..
> ldap_read: want=28, got=28
>  0000:  1b 30 19 04 17 32 2e 31  36 2e 38 34 30 2e 31 2e   .0...2.16.840.1.
>  0010:  31 31 33 37 33 30 2e 33  2e 34 2e 32               113730.3.4.2
> ldap_read: want=8 error=Resource temporarily unavailable
>
> And here is the debug output when successfully authenticating using
> the OCLC EZProxy login:
>
> root at uzspace:~# slapd -d 2
> @(#) $OpenLDAP: slapd 2.4.9 (Mar 31 2009 07:12:16) $
>        buildd at rothera
> :/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
> /etc/ldap/slapd.conf: line 111: rootdn is always granted unlimited
> privileges.
> /etc/ldap/slapd.conf: line 129: rootdn is always granted unlimited
> privileges.
> slapd starting
> ldap_read: want=8, got=8
>  0000:  30 0c 02 01 01 60 07 02                            0....`..
> ldap_read: want=6, got=6
>  0000:  01 03 04 00 80 00                                  ......
> ldap_read: want=8 error=Resource temporarily unavailable
>  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
> ldap_write: want=14, written=14
>  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
> ldap_read: want=8, got=8
>  0000:  30 7a 02 01 02 63 75 04                            0z...cu.
> ldap_read: want=116, got=116
>  0000:  1d 6f 75 3d 50 65 6f 70  6c 65 2c 64 63 3d 65 73   .ou=People,dc=es
>  0010:  61 6c 2c 64 63 3d 61 63  2c 64 63 3d 7a 61 0a 01   al,dc=ac,dc=za..
>  0020:  02 0a 01 00 02 01 02 02  01 00 01 01 00 a0 27 a3   ..............'.
>  0030:  15 04 0b 6f 62 6a 65 63  74 43 6c 61 73 73 04 06   ...objectClass..
>  0040:  70 65 72 73 6f 6e a3 0e  04 03 75 69 64 04 07 55   person....uid..U
>  0050:  5a 50 30 38 39 39 30 1c  04 0b 6c 64 61 70 43 74   ZP08990...ldapCt
>  0060:  78 2d 3e 64 6e 04 0d 6c  6f 67 69 6e 44 69 73 61   x->dn..loginDisa
>  0070:  62 6c 65 64                                        bled
> ldap_read: want=8 error=Resource temporarily unavailable
> <= bdb_equality_candidates: (uid) not indexed
>  0000:  30 32 02 01 02 64 2d 04  29 75 69 64 3d 55 5a 50   02...d-.)uid=UZP
>  0010:  30 38 39 39 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   0899,ou=People,d
>  0020:  63 3d 65 73 61 6c 2c 64  63 3d 61 63 2c 64 63 3d   c=esal,dc=ac,dc=
>  0030:  7a 61 30 00                                        za0.
> ldap_write: want=52, written=52
>  0000:  30 32 02 01 02 64 2d 04  29 75 69 64 3d 55 5a 50   02...d-.)uid=UZP
>  0010:  30 38 39 39 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   0899,ou=People,d
>  0020:  63 3d 65 73 61 6c 2c 64  63 3d 61 63 2c 64 63 3d   c=esal,dc=ac,dc=
>  0030:  7a 61 30 00                                        za0.
>  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
> ldap_write: want=14, written=14
>  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
> ldap_read: want=8, got=8
>  0000:  30 39 02 01 01 60 34 02                            09...`4.
> ldap_read: want=51, got=51
>  0000:  01 03 04 29 75 69 64 3d  55 5a 50 30 38 39 39 2c   ...)uid=UZP0899,
>  0010:  6f 75 3d 50 65 6f 70 6c  65 2c 64 63 3d 65 73 61   ou=People,dc=esa
>  0020:  6c 2c 64 63 3d 61 63 2c  64 63 3d 7a 61 80 04 37   l,dc=ac,dc=za..x
>  0030:  33 32 36                                           xxx
> ldap_read: want=8 error=Resource temporarily unavailable
>  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
> ldap_write: want=14, written=14
>  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
> ldap_read: want=8, got=8
>  0000:  30 81 8b 02 01 02 63 81                            0.....c.
> ldap_read: want=134, got=134
>  0000:  85 04 29 75 69 64 3d 55  5a 50 30 38 39 39 2c 6f   ..)uid=UZP0899,o
>  0010:  75 3d 50 65 6f 70 6c 65  2c 64 63 3d 65 73 61 6c   u=People,dc=esal
>  0020:  2c 64 63 3d 61 63 2c 64  63 3d 7a 61 0a 01 00 0a   ,dc=ac,dc=za....
>  0030:  01 00 02 01 00 02 01 00  01 01 00 87 0b 6f 62 6a   .............obj
>  0040:  65 63 74 63 6c 61 73 73  30 3c 04 16 70 61 73 73   ectclass0<..pass
>  0050:  77 6f 72 64 45 78 70 69  72 61 74 69 6f 6e 54 69   wordExpirationTi
>  0060:  6d 65 04 13 70 61 73 73  77 6f 72 64 41 6c 6c 6f   me..passwordAllo
>  0070:  77 43 68 61 6e 67 65 04  0d 6c 6f 67 69 6e 44 69   wChange..loginDi
>  0080:  73 61 62 6c 65 64                                  sabled
> ldap_read: want=8 error=Resource temporarily unavailable
>  0000:  30 32 02 01 02 64 2d 04  29 75 69 64 3d 55 5a 50   02...d-.)uid=UZP
>  0010:  30 38 39 39 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   0899,ou=People,d
>  0020:  63 3d 65 73 61 6c 2c 64  63 3d 61 63 2c 64 63 3d   c=esal,dc=ac,dc=
>  0030:  7a 61 30 00                                        za0.
> ldap_write: want=52, written=52
>  0000:  30 32 02 01 02 64 2d 04  29 75 69 64 3d 55 5a 50   02...d-.)uid=UZP
>  0010:  30 38 39 39 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   0899,ou=People,d
>  0020:  63 3d 65 73 61 6c 2c 64  63 3d 61 63 2c 64 63 3d   c=esal,dc=ac,dc=
>  0030:  7a 61 30 00                                        za0.
>  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
> ldap_write: want=14, written=14
>  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
> ldap_read: want=8, got=7
>  0000:  30 05 02 01 03 42 00                               0....B.
> ldap_read: want=8, got=0
>
> ldap_read: want=8, got=7
>  0000:  30 05 02 01 03 42 00                               0....B.
> ldap_read: want=8, got=0
>
> The EZProxy LDAP configuration seems to consist of the following:
> ::LDAP
> URL
> ldap://localhost/ou=People,dc=esal,dc=ac,dc=za?uid?sub?(objectClass=person)
> IfUnauthenticated; Stop
> /LDAP
>
> I have tried an alternative ldap.search.context of
> 'ou=People,dc=esal,dc=ac,dc=za' in dspace.cfg, but that didn't seem to
> make any difference.
>
> Any ideas as to where I've gone wrong?
>
> Sean
> --
> Sean Carte
> esAL Library Systems Manager
> +27 72 898 8775
> +27 31 373 2490
> fax: 0866741254
> http://esal.dut.ac.za/
>
>



-- 
Hilton Gibson
Systems Administrator
JSG Library Room 1025D
Stellenbosch University
Private Bag X5036
Stellenbosch
7599
South Africa

Cell: +27 846 464 758
Email: hgibson__AT__sun.ac.za
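The slapd -d 2 dumps quoted above are raw BER-encoded LDAP PDUs, so the bind DN, search base, requested attributes and result codes can be read off exactly instead of guessed from the ASCII column. The decoder below is an added example written for this page; it is not code from the thread, from DSpace or from OpenLDAP. It assumes slapd's 16-bytes-per-row dump layout, and its sample is copied from the failing DSpace trace above with the four simple-bind credential bytes replaced by 'x' placeholders (it never echoes credentials, only their length). Run on that sample it reports a BindRequest for uid=UZP0899,ou=People,dc=esal,dc=ac,dc=za answered with resultCode 0 (success), followed by a SearchRequest whose baseObject is "ou=People" answered with resultCode 32 (noSuchObject); those two values are the ones to compare against the ldap.object_context and ldap.search_context lines in dspace.cfg.

```python
import re

# protocolOp tags, LDAPResult codes and search scopes from RFC 4511
OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
       0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone"}
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}
SCOPES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}

# Constructed sample: the failing DSpace trace from the thread, one copy of each PDU,
# with the four simple-bind credential bytes replaced by 'x' (0x78) placeholders.
SAMPLE_DUMP = """\
ldap_read: want=8, got=8
 0000:  30 39 02 01 01 60 34 02                            09...`4.
ldap_read: want=51, got=51
 0000:  01 03 04 29 75 69 64 3d  55 5a 50 30 38 39 39 2c   ...)uid=UZP0899,
 0010:  6f 75 3d 50 65 6f 70 6c  65 2c 64 63 3d 65 73 61   ou=People,dc=esa
 0020:  6c 2c 64 63 3d 61 63 2c  64 63 3d 7a 61 80 04 78   l,dc=ac,dc=za..x
 0030:  78 78 78                                           xxx
ldap_write: want=14, written=14
 0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_read: want=8, got=8
 0000:  30 76 02 01 02 63 54 04                            0v...cT.
ldap_read: want=112, got=112
 0000:  09 6f 75 3d 50 65 6f 70  6c 65 0a 01 01 0a 01 03   .ou=People......
 0010:  02 01 00 02 01 00 01 01  00 a0 10 a3 0e 04 03 75   ...............u
 0020:  69 64 04 07 55 5a 50 30  38 39 39 30 26 04 04 6d   id..UZP08990&..m
 0030:  61 69 6c 04 09 67 69 76  65 6e 4e 61 6d 65 04 02   ail..givenName..
 0040:  73 6e 04 0f 74 65 6c 65  70 68 6f 6e 65 4e 75 6d   sn..telephoneNum
 0050:  62 65 72 a0 1b 30 19 04  17 32 2e 31 36 2e 38 34   ber..0...2.16.84
 0060:  30 2e 31 2e 31 31 33 37  33 30 2e 33 2e 34 2e 32   0.1.113730.3.4.2
ldap_write: want=14, written=14
 0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
"""

def hexdump_to_bytes(dump):
    """Join the hex column of each 'NNNN:' row (ldap_read/ldap_write headers skipped).
    Assumes slapd's layout: at most 16 bytes per row, ASCII column never a bare hex pair."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9a-fA-F]{4}:\s+(.*)$", line)
        if not m:
            continue
        row = []
        for tok in m.group(1).split():
            if len(row) == 16 or not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                              # reached the ASCII column
            row.append(int(tok, 16))
        out.extend(row)
    return bytes(out)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at pos, handling long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV at offset %d" % pos)
    return tag, buf[pos:pos + length], pos + length

def read_seq(value):
    """Split a constructed value into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        items.append((tag, inner))
    return items

def decode_result(fields):
    """LDAPResult: resultCode ENUMERATED, matchedDN, diagnosticMessage."""
    code = int.from_bytes(fields[0][1], "big")
    return {"resultCode": code, "result": RESULT_CODES.get(code, "code %d" % code),
            "matchedDN": fields[1][1].decode(), "diagnostic": fields[2][1].decode()}

def decode_op(tag, value):
    """Decode the protocolOp payloads that occur in a bind-then-search login."""
    info = {"op": OPS.get(tag, "tag 0x%02x" % tag)}
    if tag == 0x60:                                # BindRequest: version, name, authentication
        version, name, auth = read_seq(value)
        info.update(version=version[1][0], name=name[1].decode())
        info["auth"] = ("simple (%d-byte password redacted)" % len(auth[1])  # never echo creds
                        if auth[0] == 0x80 else "sasl")
    elif tag in (0x61, 0x65):                      # BindResponse / SearchResultDone
        info.update(decode_result(read_seq(value)))
    elif tag == 0x63:                              # SearchRequest: base, scope, ..., filter, attrs
        f = read_seq(value)
        info.update(baseObject=f[0][1].decode(), scope=SCOPES.get(f[1][1][0]),
                    attributes=[a[1].decode() for a in read_seq(f[7][1])])
    return info

def decode_messages(buf):
    """Decode every LDAPMessage { messageID, protocolOp, controls OPTIONAL } in the stream."""
    msgs, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
        fields = read_seq(body)
        msg = {"messageID": int.from_bytes(fields[0][1], "big")}
        msg.update(decode_op(fields[1][0], fields[1][1]))
        if len(fields) > 2 and fields[2][0] == 0xA0:  # [0] Controls: keep the controlType OIDs
            msg["controls"] = [read_seq(c[1])[0][1].decode() for c in read_seq(fields[2][1])]
        msgs.append(msg)
    return msgs

DECODED = decode_messages(hexdump_to_bytes(SAMPLE_DUMP))   # bind, bind result, search, search result
```

To decode another trace, paste its read and write rows into hexdump_to_bytes in order; slapd prints each outgoing response twice (once at the failed read attempt, once at ldap_write), so include only one copy of each response or the same message will appear twice in the output.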