All Versions
- DSpace 7.x (Current Release)
- DSpace 8.x (Unreleased)
- DSpace 6.x (EOL)
- DSpace 5.x (EOL)
- More Versions...
...
Existing Authentication Methods include
org.dspace.authenticate.PasswordAuthentication
) (DEFAULT)org.dspace.authenticate.ShibAuthentication
)org.dspace.authenticate.LDAPAuthentication
)org.dspace.authenticate.IPAuthentication
)org.dspace.authenticate.X509Authentication
)...
The default method org.dspace.authenticate.PasswordAuthentication
has the following properties:
/password-login
. The password log-in servlet (org.dspace.app.webui.servlet.PasswordServlet
) contains code that will resume the original request if authentication is successful, as per step 3. described above.authentication.password.domain.valid = example.com
Example options might be '@example.com
' to restrict registration to users with addresses ending in @example.com, or '@example.com, .ac.uk
' to restrict registration to users with addresses ending in @example.com or with addresses in the .ac.uk domain....
If you are currently using Email based authentication (either 1 or 2) and want to upgrade to NetID based authentication then there is an easy path. Simply enable shibboleth to pass the NetID attribute and set the netid-header below to the correct value. When a user attempts to log in to DSpace first DSpace will look for an EPerson with the passed NetID, however when this fails DSpace will fall back to email based authentication. Then DSpace will update the user's EPerson account record to set their netted NetID so all future authentications for this user will be based upon nettedNetID. One thing to note is that DSpace will prevent an account from switching NetIDs. If an account all ready already has a NetID set and then they try and authenticate with a different NetID the authentication will fail.
...
Configuration File: |
| ||
---|---|---|---|
Property: |
| ||
Example Value: |
| ||
Informational Note: | Whether to use lazy sessions or active sessions. For more DSpace instances, you will likely want to use lazy sessions. Active sessions will force every user to authenticate via Shibboleth before they can access your DSpace (essentially resulting in a "dark archive"). | ||
Property: |
| ||
Example Value: | authentication-shibboleth. | ||
Informational Note: | The url to start a shibboleth session (only for lazy sessions). Generally this setting will be "/Shibboleth.sso/Login" | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Force HTTPS when authenticating (only for lazy sessions). Generally this is recommended to be "true". | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where shibboleth will supply a user's NetID. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's email address. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Used when a netid or email headers are not available should Shibboleth authentication fall back to using Tomcat's remote user feature? Generally this is not recommended. See the "Authentication Methods" section above. | ||
Property: |
| ||
Example Value | authentication-shibboleth.reconvert.attributes = false | ||
Informational Note: | Shibboleth attributes are by default UTF-8 encoded. Some servlet container automatically converts the attributes from ISO-8859-1 (latin-1) to UTF-8. As the attributes already were UTF-8 encoded it may be necessary to reconvert them. If you set this property true, DSpace converts all shibboleth attributes retrieved from the servlet container from UTF-8 to ISO-8859-1 and uses the result as if it were UTF-8. This procedure restores the shibboleth attributes if the servlet container wrongly converted them from ISO-8859-1 to UTF-8. Set this true, if you notice character encoding problems within shibboleth attributes. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Should we allow new users to be registered automatically? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | SWORD compatibility will allow this authentication method to work when using SWORD. SWORD relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for SWORD sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's given name. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The HTTP header where the shibboleth will supply a user's surname. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Additional user attributes mapping, multiple attributes may be stored for each user. The left side is the Shibboleth-based metadata Header and the right side is the eperson metadata field to map the attribute to. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | If the eperson metadata field is not found, should it be automatically created? | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | The shibboleth header to do role-based mappings. See This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file. See the Role-based Groups section above for more info. | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Weather to ignore the attribute's value (everything before the @ sign for scoped attributes) | ||
Property: |
| ||
Example Value: |
| ||
Informational Note: | Mapping of affiliation values to DSpace groups. See the Role-based Groups section above for more info. |
If you are unfamiliar with LDAP, the following introduction to some of its terminology might come in handy:
https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search
...
If you want to give any special privileges to LDAP users, create a stackable authentication method to automatically put people who have a netid into a special group. You might also want to give certain email addresses special privileges. Refer to the Custom Authentication Code section below for more information about how to do this.
...
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | This setting will enable or disable LDAP authentication in DSpace. With the setting off, users will be required to register and login with their email address. With this setting on, users will be able to login and register with their LDAP user ids and passwords. |
Property: |
|
Example Value: |
|
Informational Note: | This will turn LDAP autoregistration on or off. With this on, a new EPerson object will be created for any user who successfully authenticates against the LDAP server when they first login. With this setting off, the user must first register to get an EPerson object by entering their ldap username and password and filling out the forms. |
Property: |
|
Example Value: |
|
Informational Note: | This is the url to your institution's LDAP server. You may or may not need the /o=myu.edu part at the end. Your server may also require the ldaps:// protocol. (This field has no default value) NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," |
Property: |
|
Example Value: | authentication-ldap.starttls = false |
Informational Note: | Should we issue StartTLS after establishing TCP connection in order to initiate an encrypted connection?
|
Property: |
|
Example Value: |
|
Explanation: | This is the unique identifier field in the LDAP directory where the username is stored. (This field has no default value) |
Property: |
|
Example Value: |
|
Informational Note: | This is the LDAP object context to use when authenticating the user. By default, DSpace will use this value to create the user's DN in order to attempt to authenticate them. It is appended to the id_field and username. For example If your users do NOT all exist under a single "object_context" in LDAP, then you should ignore this setting and INSTEAD use the Hierarchical LDAP Authentication settings below (especially see " NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," |
Property: |
|
Example Value: |
|
Informational Note: | This is the search context used when looking up a user's LDAP object to retrieve their data for autoregistering. With NOTE: As of DSpace 6, commas (,) are now a special character in the Configuration system. Therefore, be careful to escape any required commas in this configuration by adding a backslash (\) before each comma, e.g. "\," |
Property: |
|
Example Value: |
|
Informational Note: | This is the LDAP object field where the user's email address is stored. "mail" is the most common for LDAP servers. (This field has no default value) If the "email_field" is unspecified, or the user has no email address in LDAP, his/her username (id_field value) will be saved as the email in DSpace (or appended to |
Property: | authentication-ldap.netid_email_domain |
Example Value: | authentication-ldap.netid_email_domain = @example.com |
Informational Note: | If your LDAP server does not hold an email address for a user (i.e. no Please note: this field will only be used if " |
Property: |
|
Example Value: |
|
Informational Note: | This is the LDAP object field where the user's last name is stored. " |
Property: | authentication-ldap.givenname_field |
Example Value: |
|
Informational Note: | This is the LDAP object field where the user's given names are stored. I'm not sure how common the givenName field is in different LDAP instances. If the field is not found the field will be left blank in the new eperson object. (This field has no default value) |
Property: |
|
Example Value: |
|
Informational Note: | This is the field where the user's phone number is stored in the LDAP directory. If the field is not found the field will be left blank in the new eperson object. (This field has no default value) |
Property: |
|
Example Value: |
|
Informational Note: | If specified, all user sessions successfully logged in via LDAP will automatically become members of this DSpace Group (for the remainder of their current, logged in session). This DSpace Group must already exist (it will not be automatically created). |
Property: | authentication-ldap.login.groupmap.* |
Example Value: | authentication-ldap.login.groupmap.1 = ou=Students:ALL_STUDENTS authentication-ldap.login.groupmap.2 = ou=Employees:ALL_EMPLOYEES authentication-ldap.login.groupmap.3 = ou=Faculty:ALL_FACULTY |
Informational Note: | The left part of the value (before the ":") must correspond to a portion of a user's DN (unless " For example, if the authenticated user's DN in LDAP is in the following form:
that user would get assigned to the ALL_STUDENTS DSpace group for the remainder of their current session. However, if that same user later graduates and is employed by the university, their DN in LDAP may change to:
Upon logging into DSpace after that DN change, the authenticated user would now be assigned to the ALL_EMPLOYEES DSpace group for the remainder of their current session. Note: This option can be used independently from the login.specialgroup option, which will put all LDAP users into a single DSpace group. Both options may be used together. |
Property: | authentication-ldap.login.groupmap.attribute |
Example Value: | authentication-ldap.login.groupmap.attribute = group |
Informational Note: | The value of the "
For example:
The above would ensure that any authenticated users where their LDAP "group" attribute equals "mathematics" would be added to the DSpace Group named "Mathematics_Group" for the remainder of their current session. However, if that same user logged in later with a new LDAP "group" value of "computer science", he/she would no longer be a member of the "Mathematics_Group" in DSpace. |
...
Hierarchical LDAP Authentication shares all the above standard LDAP configurations, but has some additional settings.
...