  1. DSpace
  2. DS-2421

LDAPAuthentication Plugin only supports auto-registration for Hierarchical LDAP settings

    Details

    • Type: Bug
    • Status: Volunteer Needed
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 4.2, 5.0
    • Fix Version/s: None
    • Component/s: DSpace API
    • Labels: None
    • Attachments: 0
    • Comments: 1
    • Documentation Status: Not Required

      Description

      Admittedly, with this bug, I don't have a local LDAP to test against. But, I'm logging this based on these recent dspace-tech threads (and based on skimming the code):

      http://dspace.2283337.n4.nabble.com/LDAP-authentication-tc4676303.html
      http://dspace.2283337.n4.nabble.com/LDAP-autoregister-tp4676218.html
      http://dspace.2283337.n4.nabble.com/Shibboleth-login-on-DSpace-4-2-td4676747.html
      http://dspace.2283337.n4.nabble.com/DSpace-tech-user-profile-td4676691.html

      As far as I can tell, the LDAPAuthentication plugin looks like it will ONLY support auto-registration for Hierarchical LDAP. It seemingly does NOT work properly if you only specify "object_context" (and not the various Hierarchical search.* settings).

      Looking more closely at the LDAPAuthentication class, it looks like the user fields (email, givenname, surname, etc.) are only loaded whenever "SpeakerToLDAP.getDNOfUser()" is called:
      https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java#L396

      However, getDNOfUser() is ONLY called when either "search.anonymous=true" OR "search.user" is specified. See:
      https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java#L202

      This seems to imply that, if you have a flat structure in LDAP (i.e. all users are simply under "object_context"), while individuals can authenticate successfully, auto-registration will NEVER work properly (as the user's name, email, etc. is never queried from LDAP).

      This behavior seems to be exactly the same as what is reported on 'dspace-tech'.

      Until this bug is fixed, I suspect one could "workaround" this by simply specifying "search.anonymous=true" or "search.user" on a flat LDAP scheme. For more info, see the LDAP Docs: https://wiki.duraspace.org/display/DSDOC5x/Authentication+Plugins#AuthenticationPlugins-ConfiguringHierarchicalLDAPAuthentication
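
      An added illustration, not part of the original report and not DSpace's code: a simplified Java model of the flow described above, in which the user attributes are filled in only as a side effect of the search call. The class name, the directory contents, and the way the flat-mode DN is built are assumptions made for this example.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of the flow described in this report; not DSpace's LDAPAuthentication code. */
public class LdapAutoRegisterModel {
    // Constructed directory: one user stored directly under object_context (flat layout).
    static final String OBJECT_CONTEXT = "ou=people,dc=example,dc=org";
    static final Map<String, String[]> DIRECTORY = new HashMap<>();
    static {
        DIRECTORY.put("uid=jdoe," + OBJECT_CONTEXT,
                new String[] {"jdoe@example.org", "Jane", "Doe"});
    }

    /** Holds the attributes that only the directory search fills in. */
    static class Speaker {
        String email, givenName, surname;

        /** Stand-in for getDNOfUser(): finds the entry and, as a side effect, loads its attributes. */
        String getDNOfUser(String netid) {
            String dn = "uid=" + netid + "," + OBJECT_CONTEXT;
            String[] attrs = DIRECTORY.get(dn);
            if (attrs == null) return null;
            email = attrs[0]; givenName = attrs[1]; surname = attrs[2];
            return dn;
        }
    }

    /** Returns what auto-registration would see after a successful bind (bind = entry exists). */
    static String authenticate(String netid, boolean searchAnonymous, String searchUser) {
        Speaker ldap = new Speaker();
        String dn;
        if (searchAnonymous || (searchUser != null && !searchUser.isEmpty())) {
            dn = ldap.getDNOfUser(netid); // search path: attributes are loaded
        } else {
            // Flat path (assumed): DN is built from object_context, no attribute lookup happens.
            dn = "uid=" + netid + "," + OBJECT_CONTEXT;
        }
        if (dn == null || !DIRECTORY.containsKey(dn)) return "bind failed";
        return "bound as " + dn + " email=" + ldap.email
                + " name=" + ldap.givenName + " " + ldap.surname;
    }

    public static void main(String[] args) {
        System.out.println(authenticate("jdoe", false, null)); // flat settings only
        System.out.println(authenticate("jdoe", true, null));  // with search.anonymous=true
    }
}
```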

              People

              Assignee: Unassigned
              Reporter: Tim Donohue (tdonohue)
              Votes: 0
              Watchers: 2