Versions Compared

Old Version 23

changes.mady.by.user Scott Phillips

Saved on

compared with

New Version 24

changes.mady.by.user Scott Phillips

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="23a3e802a249ee2a-62748ff4-43b64c0f-843fa09b-a2367c3f163ebdcf9a477058"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:

Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
 org.dspace.authenticate.PasswordAuthentication

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="035e8f31ff18c786-a93df035-41924c08-910eb923-5eb743bc1343353165188fdb"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:

Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
 org.dspace.authenticate.PasswordAuthentication

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="31c24f8db615fe91-2501dfcc-41ca4127-b0a1ba1a-6f4784439987a4e0864cac4f"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication-password.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

domain.valid

Example Value:

domain.value = @mit.edu, .ac.uk

Informational Note:

This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses.

Property:

login.specialgroup

Example Value:

login.specialgroup = My DSpace Group

Informational Note:

This option allows you automatically add all password authenticated users to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cdc658b2c0d85429-41263bc2-4df743d0-b09098c4-3de1fcb5c1ab5dbe8f329c6c"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:

Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
 org.dspace.authenticate.ShibAuthentication

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="128925e24970efae-c1294d11-4297451e-b96db490-10d531f72b4467ea2df7a3c8"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication-shibboleth.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

email-header

Example Value:

email-header = MAIL

Informational Note:

The option specifies that the email comes from the mentioned header. This value is CASE-Sensitive.

Property:

firstname-header

Example Value:

firstname-header = SHIB-EP-GIVENNAME

Informational Note:

Optional. Specify the header that carries the user's first name. This is going to be used for the creation of new-user.

Property:

lastname-header

Example Value:

lastname-header = SHIB-EP-SURNAME

Informational Note:

Optional. Specify the header that carries user's last name. This is used for creation of new user.

Property:

email-use-tomcat-remote-user

Example Value:

email-use-tomcat-remote-user = true

Informational Note:

This option forces the software to acquire the email from Tomcat.

Property:

autoregister

Example Value:

autoregister = true

Informational Note:

Option will allow new users to be registered automatically if the IdP provides sufficient information (and the user does not exist in DSpace).

Property:

Code Block
role-header
role-header.ignore-scope

Example Value:

Code Block
role-header = Shib-EP-ScopedAffiliation
role-header.ignore-scope = true

or

Code Block
role-header = Shib-EP-UnscopedAffiliation
role-header.ignore-scope = false

Informational Note:

These two options specify which attribute that is responsible for providing user's roles to DSpace and unscope the attributes if needed. When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and ignore-scope is defaulted to 'false'. The value is specified in AAP.xml (Shib 1.3.x) or attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive. The values provided in this header are separated by semi-colon or comma. If your service provider (SP) only provides scoped role header, you need to set role-header.ignore-Scope as 'true'. For example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation, you name to make your settings as in the example value above.

Property:

default-roles

Example Value:

default-roles = Staff, Walk-ins

Informational Note:

When user is fully authN or IdP but would not like to release his/her roles to DSpace (for privacy reasons?), what should the default roles be given to such user. The values are separated by semi-colon or comma.

Property:

Code Block
role.Senior\ Researcher
role.Librarian

Example Value:

Code Block
role.Senior\ Researcher = Researcher, Staff
role.Librarian = Administrator

Informational Note:

The following mappings specify role mapping between IdP and Dspace. The left side of the entry is IdP's role (prefixed with 'role.') which will be mapped to the right entry from DSpace. DSpace's group as indicated on the right entry has to EXIST in DSpace, otherwise user will be identified as 'anonymous'. Multiple values on the right entry should be separated by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping will be done when the IdP groups entry are not listed below (i.e. if 'X' group in IdP is not specified here, then it will be mapped to 'X' group in DSpace if it exists, otherwise it will be mapped to simply 'anonymous'). Given sufficient demand, future release could support regex for the mapping special characters need to be escaped by '\'

...

See for more information on installing and configuring a Shibboleth Service Provider: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

Sessions:

When configuring your Shibboleth Service Provider there are two paradigms you may use: Active or Lazy Sessions. Active sessions is where the mob_shib module is configured to product a URL space. No one will be able to access that URL without first authenticating with Shibboleth. Using this method you will need to configure shibboleth to protect the URL: "/shibboleth-login". The alternative, Lazy Session does not protect any specific URL. Instead apache will allow access to any URL, and when the application wants to it may initiate an authenticated session. The Lazy Session method is preferable for most DSpace installations where you want public access to most of DSpace but restricted access to limited areas - such as administration.

Authentication Methods:

DSpace supports authentication using NetID, or email address. A user's NetID is a unique identifier from the IdP that identifies a particular user. The NetID can be of almost any form such as a unique integer, string, or with Shibboleth 2.0 you can use "targeted ids". You will need to coordinate with your shibboleth federation or identity provider. There are three ways to supply identity information to DSpace:

...

In the case where a NetID header is not available or not found DSpace will fall back to identifying a user based-upon their email address.
 
3) Tomcat's Remote User (worst)
 
In the event that neither Shibboleth headers are found then as a last resort DSpace will look at Tomcat's remote user field. This is the least attractive option because Tomcat has no way to supply additional attributes about a user. Because of this the autoregister option is not supported if this method is used.

Identity Scheme Migration Strategies:

If you are currently using Email based authentication (either 1 or 2) and want to upgrade to NetID based authentication then there is an easy path. Simply enable shibboleth to pass the NetID attribute and set the netid-header below to the correct value. When a user attempts to log in to DSpace first DSpace will look for an EPerson with the passed NetID, however when this fails DSpace will fall back to email based authentication. Then DSpace will update the user's EPerson account record to set their netted so all future authentications for this user will be based upon netted. One thing to note is that DSpace will prevent an account from switching NetIDs. If an account all ready has a NetID set and then they try and authenticate with a different NetID the authentication will fail.

EPerson Metadata:

One of the primary benefits of using Shibboleth based authentication is receiving additional attributes about users such as their names, telephone numbers, and possibly their academic department or graduation semester if desired. DSpace treats the first and last name attributes differently because they (along with email address) are the three pieces of minimal information required to create a new user account. For both first and last name supply direct mappings to the Shibboleth headers. In additional to the first and last name DSpace supports other metadata fields such as phone, or really anything you want to store on an eperson object. Beyond the phone field, which is accessible in the user's profile screen, none of these additional metadata fields will be used by DSpace out-of-the box. However if you develop any local modification you may access these attributes from the EPerson object. The Vireo ETD workflow system utilizes this to aid students when submitting an ETD.

Role-based Groups:

DSpace is able to place users into pre-defined groups based upon values received from Shibboleth. Using this option you can place all faculty members into a DSpace group when the correct affiliation's attribute is provided. When DSpace does this they are considered 'special groups', these are really groups but the user's membership within these groups is not recorded in the database. Each time a user authenticates they are automatically placed within the pre-defined DSpace group, so if the user loses their affiliation then the next time they login they will no longer be in the group.
 
Depending upon the shibboleth attributed use in the role-header it may be scoped. Scoped is shibboleth terminology for identifying where an attribute originated from. For example a students affiliation may be encoded as "student@tamu.edu". The part after the @ sign is the scope, and the preceding value is the value. You may use the whole value or only the value or scope. Using this you could generate a role for students and one institution different than students at another institution. Or if you turn on ignore-scope you could ignore the institution and place all students into one group.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="82c5690c06921069-0dee23eb-411b4ab4-a96cb17a-e24f2ebb99823cefac32464c"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/dspace.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

authentication.shib.lazysession

Example Value:

authentication.shib.lazysession = true

Informational Note:

Whether to use lazy sessions or active sessions.

Property:

authentication.shib.lazysession.loginurl

Example Value:

authentication.shib.lazysession.loginurl = /Shibboleth.sso/Login

Informational Note:

The url to start a shibboleth session (only for lazy sessions)

Property:

authentication.shib.lazysession.secure

Example Value:

authentication.shib.lazysession.secure = true

Informational Note:

Force HTTPS when authenticating (only for lazy sessions)

Property:

authentication.shib.netid-header

Example Value:

authentication.shib.netid-header = SHIB-NETID

Informational Note:

The HTTP header where shibboleth will supply a user's NetID.

Property:

authentication.shib.email-header

Example Value:

authentication.shib.email-header = SHIB-MAIL

Informational Note:

The HTTP header where the shibboleth will supply a user's email address.

Property:

authentication.shib.email-use-tomcat-remote-user

Example Value:

authentication.shib.email-use-tomcat-remote-user = false

Informational Note:

Used when a netid or email heades are not available should shibboleth authentication fall back to using Tomcat's remote user feature.

Property:

authentication.shib.autoregister

Example Value:

authentication.shib.autoregister = true

Informational Note:

Should we allow new users to be registered automatically?

Property:

authentication.shib.sword.compatability

Example Value:

authentication.shib.sword.compatability = true

Informational Note:

Sword compatability will allow this authentication method to work when using sword. Sort relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for sword sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions.

Property:

authentication.shib.firstname-header

Example Value:

authentication.shib.firstname-header = SHIB_GIVENNAME

Informational Note:

The HTTP header where the shibboleth will supply a user's given name.

Property:

authentication.shib.lastname-header

Example Value:

authentication.shib.lastname-header = SHIB_SN

Informational Note:

The HTTP header where the shibboleth will supply a user's sur name.

Property:

authentication.shib.eperson.metadata

Example Value:

Code Block
authentication.shib.eperson.metadata = \
 SHIB-telephone => phone, \
 SHIB-cn => cn

Informational Note:

Additional user attributes mapping, multiple attributes may be stored
 for each user. The left side is the Shibboleth-based metadata Header
 and the right side is the eperson metadata field to map the attribute to.

Property:

authentication.shib.eperson.metadata.autocreate

Example Value:

authentication.shib.eperson.metadata.autocreate = true

Informational Note:

If the eperson metadata field is not found, should it be automatically created?

Property:

authentication.shib.role-header

Example Value:

authentication.shib.role-header = SHIB_SCOPED_AFFILIATION

Informational Note:

The shibboleth header to do role-based mappings (see section on roll based mapping section above)

Property:

authentication.shib.role-header.ignore-scope

Example Value:

authentication.shib.role-header.ignore-scope = true

Informational Note:

Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes)

Property:

authentication.shib.role-header.ignore-value

Example Value:

authentication.shib.role-header.ignore-value = false

Informational Note:

Weather to ignore the attribute's value (everything before the @ sign for scoped attributes)

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0f94035c85b1770c-3fe38584-4c974d1e-aecabc43-eb32650375117e65c7cce8f1"><ac:plain-text-body><![CDATA[

Property:

authentication.shib.role.[affiliation-attribute]

]]></ac:plain-text-body></ac:structured-macro>

Example Value:

Code Block
authentication.shib.role.faculty = Faculty, Member \
 authentication.shib.role.staff = Staff, Member \
 authentication.shib.role.student = Students, Member

Informational Note:

Mapping of affiliation values to DSpace groups.(See the roll based mapping section above)

...

See for more information on installing and configuring a Shibboleth Service Provider: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

Sessions:

When configuring your Shibboleth Service Provider there are two paradigms you may use: Active or Lazy Sessions. Active sessions is where the mob_shib module is configured to product a URL space. No one will be able to access that URL without first authenticating with Shibboleth. Using this method you will need to configure shibboleth to protect the URL: "/shibboleth-login". The alternative, Lazy Session does not protect any specific URL. Instead apache will allow access to any URL, and when the application wants to it may initiate an authenticated session. The Lazy Session method is preferable for most DSpace installations where you want public access to most of DSpace but restricted access to limited areas - such as administration.

Authentication Methods:

DSpace supports authentication using NetID, or email address. A user's NetID is a unique identifier from the IdP that identifies a particular user. The NetID can be of almost any form such as a unique integer, string, or with Shibboleth 2.0 you can use "targeted ids". You will need to coordinate with your shibboleth federation or identity provider. There are three ways to supply identity information to DSpace:

...

In the case where a NetID header is not available or not found DSpace will fall back to identifying a user based-upon their email address.
 
3) Tomcat's Remote User (worst)
 
In the event that neither Shibboleth headers are found then as a last resort DSpace will look at Tomcat's remote user field. This is the least attractive option because Tomcat has no way to supply additional attributes about a user. Because of this the autoregister option is not supported if this method is used.

Identity Scheme Migration Strategies:

If you are currently using Email based authentication (either 1 or 2) and want to upgrade to NetID based authentication then there is an easy path. Simply enable shibboleth to pass the NetID attribute and set the netid-header below to the correct value. When a user attempts to log in to DSpace first DSpace will look for an EPerson with the passed NetID, however when this fails DSpace will fall back to email based authentication. Then DSpace will update the user's EPerson account record to set their netted so all future authentications for this user will be based upon netted. One thing to note is that DSpace will prevent an account from switching NetIDs. If an account all ready has a NetID set and then they try and authenticate with a different NetID the authentication will fail.

EPerson Metadata:

One of the primary benefits of using Shibboleth based authentication is receiving additional attributes about users such as their names, telephone numbers, and possibly their academic department or graduation semester if desired. DSpace treats the first and last name attributes differently because they (along with email address) are the three pieces of minimal information required to create a new user account. For both first and last name supply direct mappings to the Shibboleth headers. In additional to the first and last name DSpace supports other metadata fields such as phone, or really anything you want to store on an eperson object. Beyond the phone field, which is accessible in the user's profile screen, none of these additional metadata fields will be used by DSpace out-of-the box. However if you develop any local modification you may access these attributes from the EPerson object. The Vireo ETD workflow system utilizes this to aid students when submitting an ETD.

Role-based Groups:

DSpace is able to place users into pre-defined groups based upon values received from Shibboleth. Using this option you can place all faculty members into a DSpace group when the correct affiliation's attribute is provided. When DSpace does this they are considered 'special groups', these are really groups but the user's membership within these groups is not recorded in the database. Each time a user authenticates they are automatically placed within the pre-defined DSpace group, so if the user loses their affiliation then the next time they login they will no longer be in the group.
 
Depending upon the shibboleth attributed use in the role-header it may be scoped. Scoped is shibboleth terminology for identifying where an attribute originated from. For example a students affiliation may be encoded as "student@tamu.edu". The part after the @ sign is the scope, and the preceding value is the value. You may use the whole value or only the value or scope. Using this you could generate a role for students and one institution different than students at another institution. Or if you turn on ignore-scope you could ignore the institution and place all students into one group.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="39bb32d993dcfc77-e7420877-45574302-b86d9c71-fbf9bc3646baa0c61199c3a5"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication-shibboleth.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

lazysession

Example Value:

lazysession = true

Informational Note:

Whether to use lazy sessions or active sessions.

Property:

lazysession.loginurl

Example Value:

lazysession.loginurl = /Shibboleth.sso/Login

Informational Note:

The url to start a shibboleth session (only for lazy sessions)

Property:

lazysession.secure

Example Value:

lazysession.secure = true

Informational Note:

Force HTTPS when authenticating (only for lazy sessions)

Property:

netid-header

Example Value:

netid-header = SHIB-NETID

Informational Note:

The HTTP header where shibboleth will supply a user's NetID.

Property:

email-header

Example Value:

email-header = SHIB-MAIL

Informational Note:

The HTTP header where the shibboleth will supply a user's email address.

Property:

email-use-tomcat-remote-user

Example Value:

email-use-tomcat-remote-user = false

Informational Note:

Used when a netid or email heades are not available should shibboleth authentication fall back to using Tomcat's remote user feature.

Property:

autoregister

Example Value:

autoregister = true

Informational Note:

Should we allow new users to be registered automatically?

Property:

sword.compatability

Example Value:

sword.compatability = true

Informational Note:

Sword compatability will allow this authentication method to work when using sword. Sort relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for sword sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions.

Property:

firstname-header

Example Value:

firstname-header = SHIB_GIVENNAME

Informational Note:

The HTTP header where the shibboleth will supply a user's given name.

Property:

lastname-header

Example Value:

lastname-header = SHIB_SN

Informational Note:

The HTTP header where the shibboleth will supply a user's sur name.

Property:

eperson.metadata

Example Value:

Code Block
eperson.metadata = \
 SHIB-telephone => phone, \
 SHIB-cn => cn

Informational Note:

Additional user attributes mapping, multiple attributes may be stored
 for each user. The left side is the Shibboleth-based metadata Header
 and the right side is the eperson metadata field to map the attribute to.

Property:

eperson.metadata.autocreate

Example Value:

eperson.metadata.autocreate = true

Informational Note:

If the eperson metadata field is not found, should it be automatically created?

Property:

role-header

Example Value:

role-header = SHIB_SCOPED_AFFILIATION

Informational Note:

The shibboleth header to do role-based mappings (see section on roll based mapping section above)

Property:

role-header.ignore-scope

Example Value:

role-header.ignore-scope = true

Informational Note:

Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes)

Property:

role-header.ignore-value

Example Value:

role-header.ignore-value = false

Informational Note:

Weather to ignore the attribute's value (everything before the @ sign for scoped attributes)

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9936852c982839c5-11864a3f-43b54e53-bf60a5bd-244227d3c7502a1e0b27ba53"><ac:plain-text-body><![CDATA[

Property:

role.[affiliation-attribute]

]]></ac:plain-text-body></ac:structured-macro>

Example Value:

Code Block
role.faculty = Faculty, Member \
 role.staff = Staff, Member \
 role.student = Students, Member

Informational Note:

Mapping of affiliation values to DSpace groups.(See the roll based mapping section above)

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="161094a4eb03c2e2-1f7f73f5-4f6844ce-a16ba825-eb79c7baefcb70152011419c"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:

Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \\\\\
 org.dspace.authenticate.LDAPAuthentication

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8bb4100dae69c1ea-cef49c87-48474ee6-88bc8702-cabaf77188c0daeed57b854b"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication-ldap.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

enable

Example Value:

enable = false

Informational Note:

This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords.

Property:

autoregister

Example Value:

autoregister = true

Informational Note:

This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms.

Property:

provider_url

Example Value:

provider_url = ldap://ldap.myu.edu/o=myu.edu

Informational Note:

This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol.

Property:

id_field

Example Value:

id_field = uid

Explanation:

This is the unique identifier field in the LDAP directory where the username is stored.

Property:

object_context

Example Value:

object_context = ou=people, o=myu.edu

Informational Note:

This is the object context used when authenticating the user. It is appended to the id_field and username. For example uid=username,ou=people,o=myu.edu. You will need to modify this to match your LDAP configuration.

Property:

search_context

Example Value:

search_context = ou=people

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="787f0f65adf4aa14-ba17aef5-4b874d52-b07bb0c1-9b1d7c394be25a1736104d8f"><ac:plain-text-body><![CDATA[

Informational Note:

This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With autoregister turned on, when a user authenticates without an EPerson object we search the LDAP directory to get their name and email address so that we can create one for them. So after we have authenticated against uid=username,ou=people,o=byu.edu we now search in ou=people for filtering on [uid=username]. Often the search_context is the same as the object_context parameter. But again this depends on your LDAP server configuration.

]]></ac:plain-text-body></ac:structured-macro>

Property:

email_field

Example Value:

email_field = mail

Informational Note:

This is the LDAP object field where the user's email address is stored. "mail" is the default and the most common for LDAP servers. If the mail field is not found the username will be used as the email address when creating the eperson object.

Property:

surname_field

Example Value:

surname_field = sn

Informational Note:

This is the LDAP object field where the user's last name is stored. "sn" is the default and is the most common for LDAP servers. If the field is not found the field will be left blank in the new eperson object.

Property:

givenname_field

Example Value:

givenname_field = givenName

Informational Note:

This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object.

Property:

phone_field

Example Value:

phone_field = telephoneNumber

Informational Note:

This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object.

Property:

login.specialgroup

Example Value:

login.specialgroup = group-name

Informational Note:

If required, a group name can be given here, and all users who log into LDAP will automatically become members of this group. This is useful if you want a group made up of all internal authenticated users. (Remember to log on as the administrator, add this to the "Groups" with read rights).

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cf889fba5e30a411-0784ef08-4b8b46b3-8c5eb271-76449b827561239ffb48e378"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:

Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \\\\\
 org.dspace.authenticate.LDAPHierarchicalAuthentication

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="355246957c73c061-ffbc0ff9-46274466-baf4a781-9c1f52f061ca2ebd7a3e313e"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication-ldap.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

search_scope

Example Value:

search_scope = 2

Informational Note:

This is the search scope value for the LDAP search during autoregistering. This will depend on your LDAP server setup. This value must be one of the following integers corresponding to the following values:
object scope : 0
one level scope : 1
subtree scope : 2

Property:

search.user
search.password

Example Value:

search.user = cn=admin,ou=people,o=myu.edu
search.password = password

Informational Note:

The full DN and password of a user allowed to connect to the LDAP server and search for the DN of the user trying to log in. If these are not specified, the initial bind will be performed anonymously.

Property:

netid_email_domain

Example Value:

netid_email_domain = @example.com

Informational Note:

If your LDAP server does not hold an email address for a user, you can use the following field to specify your email domain. This value is appended to the netid in order to make an email address. E.g. a netid of 'user' and netid_email_domain as @example.com would set the email of the user to be user@example.com

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9164fb9b27b52f2e-44e7ee8e-46b049f1-802a927f-4ac8c5a1bba8c25266540763"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication.cfg

]]></ac:plain-text-body></ac:structured-macro>

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:

Code Block
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \\\\\
 org.dspace.authenticate.IPAuthentication

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3c259050a64b266f-683db2f9-400e4eea-9e46925c-29c89026a728fcc8e2c70a13"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication-ip.cfg

]]></ac:plain-text-body></ac:structured-macro>

...

  1. See the HTTPS installation instructions to configure your Web server. If you are using HTTPS with Tomcat, note that the <Connector> tag must include the attribute clientAuth="true" so the server requests a personal Web certificate from the client.
  2. Add the org.dspace.authenticate.X509Authentication plugin first to the list of stackable authentication methods in the value of the configuration key plugin.sequence.org.dspace.authenticate.AuthenticationMethod

    <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="226fbb8e7a7cd672-b60d6f6d-42f64b94-b7b8a4a0-59dbdfc0016fa5c4552d2fed"><ac:plain-text-body><![CDATA[

    Configuration File:

    [dspace]/config/modules/authentication.cfg

    ]]></ac:plain-text-body></ac:structured-macro>

    Property:

    plugin.sequence.org.dspace.authenticate.AuthenticationMethod

    Example Value:

    Code Block
    plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \\\\\
 org.dspace.authenticate.X509Authentication, \\\\\
 org.dspace.authenticate.PasswordAuthentication

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9e2ecb5defbf66ff-f7fd0621-43b74da3-b149a490-640b976e1f123755a5a147c3"><ac:plain-text-body><![CDATA[

Configuration File:

[dspace]/config/modules/authentication-x509.cfg

]]></ac:plain-text-body></ac:structured-macro>

...