Test LDAP service upgraded – now with branches

A few weeks ago I made a test LDAP service available (read the blog post) in order to allow people without an LDAP service to test their LDAP-related DSpace patches, or to help people configuring their DSpace LDAP settings by showing them an example with the correct configuration settings.

I’ve been working recently to upgrade the LDAP support in DSpace so that it can do sub-tree searching. At present it can only authenticate users whose entries sit directly in a single OU, but many institutions spread their users across a large tree of OUs.

So, I have now released a patch that does this; it will either be included in the upcoming DSpace 1.5.1, or will have to wait for 1.5.2 or 1.6.

In order to test this I have had to add more users to my test LDAP service, which you are welcome to use too. The patch lets you specify the DN and password of an account that has read and search rights over the whole LDAP tree; that account is used only to find the DN of the user who is trying to log in, so give it a read-only account rather than an administrative one. If your server allows anonymous searching you can comment out that account’s details. The patch then takes the DN it found and the password the user typed and re-binds to the LDAP server with them; it is this second bind, not the search, that actually verifies the credentials. Two caveats: the search account’s password sits in dspace.cfg in clear text, so that file should be readable only by the account DSpace runs as; and the test service speaks plain ldap:// on port 389, so every bind (including the user’s password) crosses the network unencrypted, which is fine for test accounts whose passwords are public but not for real credentials. If you want to make use of this service, here are the settings you’ll need:

  • ldap.provider_url = ldap://ldap.testathon.net:389/
  • ldap.id_field = cn
  • ldap.object_context = OU=users,DC=testathon,DC=net
  • ldap.search_context = OU=users,DC=testathon,DC=net
  • ldap.email_field = mail
  • ldap.surname_field = sn
  • ldap.givenname_field = givenName
  • ldap.phone_field = telephoneNumber
  • ldap.search_scope = 2 (search the whole subtree; 0 = the object itself, 1 = one level below the search context)
  • ldap.search.user = CN=stuart,OU=users,DC=testathon,DC=net
  • ldap.search.password = stuart

There are now nine users, structured as shown below:

As before, all passwords are the same as usernames. 
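The search-bind-then-rebind flow described above, as an added worked example that is not DSpace’s own code. It assumes an in-memory stand-in for the directory (`FakeDirectory`, with constructed entries: stuart, alice and bob are the page’s example usernames, their OU placement is invented) so it runs offline, and it carries the setting names from the list above into a small `LdapConfig`. Beyond the patch as described, it shows the two guards a practitioner would want in this flow: the login name is escaped before it goes into the search filter (RFC 4515), and an empty password is refused before the rebind, because an LDAP simple bind with an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2) that some servers answer with success.

```python
"""Search-bind-then-rebind LDAP login (added example, not DSpace code).

A service account binds and looks up the DN whose id_field equals the
login name; the server is then asked to bind again as that DN with the
password the user typed. Guards included: the login name is escaped
before it goes into the filter (RFC 4515), and an empty password is
refused before the rebind (an empty-password simple bind is an
"unauthenticated" bind, RFC 4513 s5.1.2). The directory is an in-memory
stand-in with constructed entries so the flow runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _filter_value_to_regex(pattern: str) -> "re.Pattern":
    """Value side of an equality filter -> regex: an unescaped '*' is a
    wildcard, '\\XX' is the literal character with that hex code."""
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]", pattern):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("\\"):
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.IGNORECASE)


@dataclass
class FakeDirectory:
    """Minimal stand-in for an LDAP server: entries and passwords keyed by DN."""
    entries: Dict[str, Dict[str, str]]
    passwords: Dict[str, str]

    def bind(self, dn: str, password: str) -> bool:
        # Models the unauthenticated-bind behaviour of servers such as Active
        # Directory: an empty password "succeeds" as an anonymous session
        # whatever the DN. The login code must never get this far with "".
        return True if password == "" else self.passwords.get(dn) == password

    def search(self, base: str, filter_str: str) -> List[str]:
        """Subtree search for one equality filter such as '(cn=alice)'."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
        if m is None:
            raise ValueError("unsupported filter: %r" % filter_str)
        attr, rx = m.group(1), _filter_value_to_regex(m.group(2))
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower())
                and attr in attrs and rx.fullmatch(attrs[attr])]


@dataclass
class LdapConfig:
    """The dspace.cfg settings from the list above that the flow uses."""
    search_context: str
    id_field: str
    search_user: str
    search_password: str


def authenticate(directory: FakeDirectory, cfg: LdapConfig,
                 username: str, password: str) -> Optional[str]:
    """Return the user's DN if the credentials are valid, otherwise None."""
    if not username or not password:
        return None  # never hand an empty password to bind() (see above)
    if not directory.bind(cfg.search_user, cfg.search_password):
        raise RuntimeError("search account cannot bind; check ldap.search.*")
    flt = "(%s=%s)" % (cfg.id_field, escape_filter_value(username))
    matches = directory.search(cfg.search_context, flt)
    if len(matches) != 1:
        return None  # 0: unknown user; >1: ambiguous, refuse rather than guess
    return matches[0] if directory.bind(matches[0], password) else None


def count_matches(directory: FakeDirectory, cfg: LdapConfig,
                  username: str, escape: bool) -> int:
    """Entries a login name selects with/without escaping ('*' unescaped = all)."""
    value = escape_filter_value(username) if escape else username
    return len(directory.search(cfg.search_context, "(%s=%s)" % (cfg.id_field, value)))


# Constructed sample data: password == username, as on the test service.
_DNS = ["CN=stuart,OU=users,DC=testathon,DC=net",
        "CN=alice,OU=students,OU=users,DC=testathon,DC=net",
        "CN=bob,OU=staff,OU=users,DC=testathon,DC=net"]
SAMPLE_DIRECTORY = FakeDirectory(
    entries={dn: {"cn": dn.split(",")[0][3:]} for dn in _DNS},
    passwords={dn: dn.split(",")[0][3:] for dn in _DNS},
)
SAMPLE_CONFIG = LdapConfig(search_context="OU=users,DC=testathon,DC=net",
                           id_field="cn", search_user=_DNS[0],
                           search_password="stuart")

if __name__ == "__main__":
    for user, pw in [("alice", "alice"), ("alice", "wrong"), ("alice", ""), ("*", "stuart")]:
        print("%-5s / %-7r -> %s" % (user, pw, authenticate(SAMPLE_DIRECTORY, SAMPLE_CONFIG, user, pw)))
    print("'*' selects %d entries unescaped, %d escaped" % (
        count_matches(SAMPLE_DIRECTORY, SAMPLE_CONFIG, "*", False),
        count_matches(SAMPLE_DIRECTORY, SAMPLE_CONFIG, "*", True)))
```

Against a real server the same shape applies with `FakeDirectory` swapped for a JNDI or ldap3 connection: the first bind uses ldap.search.user, the search uses ldap.search_context with subtree scope, and the second bind uses the DN the search returned. The `len(matches) != 1` check matters once sub-tree searching is on, because the same cn can legitimately exist in two different OUs.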

I hope this is a useful service. Comments welcome!

45 thoughts on “Test LDAP service upgraded – now with branches”

  1. Reuben Pasquini

    Hi Stuart,

    Thanks for the great work on the d-space LDAP code.
    I just put together a patch myself to org.dspace.authentication.LDAP…
    which modifies the LDAP authentication to work with Active Directory
    here at Auburn – including subtree search.

    I think the patch is generic enough that it would
    be of general use, so I sent a message to the dspace-tech e-mail list
    asking about checking the patch into the dspace svn repository, but have received no response so far:
    http://sourceforge.net/mailarchive/forum.php?thread_name=48B67A96.724F.0085.0@auburn.edu&forum_name=dspace-tech

    Is there some other path I should be taking to submit the patch for consideration by the d-space maintainers ?

    Thanks!
    Reuben

  2. stuart (Post author)

    Hi Reuben,

    Thanks for getting in touch. I’ve got that email sitting in my inbox waiting for me to get around to replying to it – sorry it has taken a little while.

    What changes have you made to make it work with Active Directory?

    It would be great if you could formally submit your patch to the DSpace patch queue (http://sourceforge.net/tracker/?atid=319984&group_id=19984&func=browse). There are a few of us working on a generic LDAP authenticator which will hopefully work with any AD / LDAP system, so it would be good to see what changes you’ve made to see if we can incorporate them too.

    Thanks,

    Stuart

  3. Pingback: Stuart Lewis’ Blog » Blog Archive » Why I love my Slice

  4. Paulo Matos

    Hi Stuart,

    I just added to tracker a small modification in order to support anonymous bind to LDAP.

    Take a look.

    Regards,

    Paulo Matos

  5. stuart (Post author)

    Hi,

    If I get an hour sometime I will. If not, hopefully the comments in the dspace.cfg configuration file around the hierarchical LDAP section are sufficient.

    Thanks,

    Stuart

  6. Pingback: Stuart Lewis’ Blog » DSpace 1.5.2 - What’s in it for me?

  7. Hardik

    Hi Stuart
    I want to test LDAP. I have configured dspace.cfg as per the above article. Now what next?
    Meaning, how do I get logged in?

  8. Stuart (Post author)

    Go to the DSpace login screen, pick the user that you wish to log in as (e.g. alice, bob etc), then enter their username ‘alice’ and their password which is the same as their name ‘alice’.

  9. mike

    stuart,
    I have a Windows app that I want to test against your LDAP server; here is what the app prompts for:
    ldap server: ldap.testathon.net
    port: 389
    base: cn
    username: stuart
    pswd: stuart
    I get an error, ‘invalid dn syntax’. Can you please suggest what I may be doing wrong? Thank you!!

  10. Hardik

    Hi Stuart

    I have set up the above configuration on my local PC.

    When I try to log in using the credentials given above, it says invalid e-mail address and password.

    I am not sure whether it goes to your server to check or not.

  11. John

    Hi Stuart,

    Great resource. I’m just learning ldap and it’s fantastic to have a dummy server to test on.

    Cheers,
    John

  12. Seal

    Hi Stuart, thanks for keeping the test ldap server up !

    One question: for testing an application, it asks for an LDAP user filter. Is it fine to add

    LDAP user filter=(uid=%USERNAME%)
    Where %USERNAME% is supposed to be the username input-box in the login screen.

    It is for web2project specifically. My Sun Directory 5.2 is not working with this and I’m testing with your LDAP, but at this time it is not authenticating either.

    Thanks for any help.

  13. Suresh

    I am trying to get some results using the “ldapsearch” utility against your service. It seems to connect but does not get any valid results: The commands I tried are:

    # ldapsearch -x -h ldap.testathon.net “objectclass=*”
    # ldapsearch -x -h ldap.testathon.net cn

    For everything I get:
    ——–
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: objectclass=*
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1
    —-

    What am I doing wrong?

  14. Suresh

    Thank you for the message.

    I changed the command to:

    # ldapsearch -x -h ldap.testathon.net -D “CN=stuart,OU=users,DC=testathon,DC=net” -w stuart “objectclass=*”

    and the output is the same.

  15. Suresh

    Success!

    I had to add the base dn flag as follows:

    -b “OU=users,DC=testathon,DC=net”

  16. Suresh

    Can I use SASL authentication instead of simple authentication? I am not able to get the same command working with my test LDAP server and I suspect it is because it does not support simple authentication.

    I would like to know the syntax of the same ldapsearch command with SASL authentication.

  17. Bela

    Hi Stuart,
    first of all, thanks for the server!

    I have a question: I am trying to log in here with an LDAP plugin.
    I entered: ou=users,dc=testathon,dc=net
    (I also tried ou=Benutzer)
    and ldap://ldap.testathon.net

    No matter how I try to log in, it always says that it does not know the name.
    I tried just Stuart and users\stuart.

    Do you have any idea what could be wrong?

  18. Aaron Helton

    Hi Stuart,

    First I want to say thank you to you for keeping the test LDAP server live. I am in the middle of a capabilities test with DSpace right now, pending the procurement of a service provider, and being able to show what’s possible here is a massive help. So I guess this also counts as a report back on someone else using it and finding it useful 🙂

    The reason I am commenting, though, is to inquire about any possibilities of using multiple LDAP servers. My organization is globally distributed and has yet to consolidate all of its LDAP servers (they may not even be trying). If we are limited to one LDAP server, we could only serve a portion of the intended user base. Are you aware of any real efforts on this front? Do you happen to know of any of the registered service providers who may have addressed this?

  19. Charles Wash

    Thank you VERY much for keeping this service online. I was able to build and test out a working LDAP solution in PHP using your service.

    Tip for PHP developers: Be sure to enable the LDAP v3 option before doing ldap_bind() or you’ll get a Protocol Error.

  20. Stuart (Post author)

    Hi Aaron,

    This would not take too much effort for a service provider to provide (if they claim it is, look for another service provider!). There are two easy modifications that could be made – the first is to chain multiple instances of (renamed) LDAP authentication classes together, each with a different set of configuration settings. The smarter alternative would be to put a for-loop around the LDAP checking code, which again looks up the details of each LDAP server in the configuration file – rather than having one set of LDAP server details in the config file, have multiple.

    Thanks,

    Stuart

  21. dG

    Hi Stuart,

    Many thanks for the server – it’s *really* helped in some LDAP development I’ve been doing in VB.Net

    dG

  22. aks

    Hi Stuart,

    First of all, thanks so much for providing the LDAP server. I was trying to use this LDAP server with CentOS 6 and found that the newer OS only supports ldaps://… or TLS for LDAP authentication.

    It would be a great help if you could configure that kind of authentication for this server.

    thanks in advance!

  23. amjad

    Hi Stuart Lewis & Paulo Matos

    I am trying to bind DSpace to LDAP. I successfully bound my DSpace to the test LDAP server created by you (Stuart). However, I am unable to connect it to my local LDAP.
    Our local LDAP requires anonymous binding. Can you please guide me on how to sort out this problem? I am using DSpace 1.6. Our local LDAP comprises a 6-level hierarchy.

  24. amjad

    Hi Stuart,
    I am using DSpace 1.6, and the link you sent is for DSpace 1.8.

    just tell me how to set the object and search context

    Thanks,
    Amjad

  25. Rick Morice

    Hi,

    I’ve started work on a project for a client, and I’ve had to use LDAP with Moodle. This helped me put together an Alpha for testing, so many thanks!

    Cheers
    Rick

  26. Stuart (Post author)

    Sorry, no. I’d either have to use a self signed certificate (which a lot of LDAP clients wouldn’t like talking to because of a lack of trust), or have to pay for a commercial trusted certificate.

  27. Rushabh

    Hi Stuart,

    I tried to connect to this server as below using JNDI

    Can you please help where I may be going wrong. Many thanks.

    package LDAP_Test;

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class LDAPConnect {
        public static void main(String[] args) {
            // set the LDAP authentication method
            String auth_method = "simple";
            // set the LDAP client Version
            String ldap_version = "3";
            // This is our LDAP Server's host name
            String ldap_host = "ldap.testathon.net";
            // This is our LDAP Server's Port
            String ldap_port = "389";
            // This is our access ID
            String ldap_dn = "CN=stuart,OU=users,DC=testathon,DC=net";
            // This is our access PW
            String ldap_pw = "stuart";
            // This is our base DN
            String base_dn = "OU=users,DC=testathon,DC=net";

            DirContext ctx = null;
            Hashtable<String, String> env = new Hashtable<String, String>();

            // Here we store the returned LDAP object data
            String dn = "";
            // This will hold the returned attribute list
            Attributes attrs;

            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://" + ldap_host + ":" + ldap_port);
            env.put(Context.SECURITY_AUTHENTICATION, auth_method);
            env.put(Context.SECURITY_PRINCIPAL, ldap_dn);
            env.put(Context.SECURITY_CREDENTIALS, ldap_pw);
            env.put("java.naming.ldap.version", ldap_version);

            try {
                System.out.println("Connecting to host " + ldap_host + " at port " + ldap_port + "...");
                System.out.println();

                // The simple bind happens when the context is created
                ctx = new InitialDirContext(env);
                System.out.println("LDAP authentication successful!");
            } catch (NamingException e) {
                System.out.println("LDAP connection failed!");
                e.printStackTrace();
            } finally {
                if (ctx != null) {
                    try {
                        ctx.close();
                    } catch (NamingException ignored) {
                    }
                }
            }
        }
    }

    It throws an exception for unknown host:

    Connecting to host ldap.testathon.net at port 389…

    LDAP connection failed!
    javax.naming.CommunicationException: ldap.testathon.net:389 [Root exception is java.net.UnknownHostException: ldap.testathon.net]
    at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
    at LDAP_Test.LDAPConnect.main(LDAPConnect.java:52)
    Caused by: java.net.UnknownHostException: ldap.testathon.net
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at java.net.Socket.<init>(Unknown Source)
    at java.net.Socket.<init>(Unknown Source)
    at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
    … 15 more

  28. Stuart (Post author)

    Hi Rushabh,

    javax.naming.CommunicationException: ldap.testathon.net:389 [Root exception is java.net.UnknownHostException: ldap.testathon.net]

    This suggests that your machine cannot resolve the IP address of ldap.testathon.net. What happens if you try to resolve this manually?

    Do you have an outbound firewall that might be refusing to connect to port 389?

    (Try telnetting to that host, port 389 and see if you can connect).

  29. Vojvodina

    With OpenLDAP I am getting the following: Error loading RootDSE entry from ldap.testathon.net:389. Is it possible that the client (in this case using the permissions of CN=stuart,OU=users,DC=testathon,DC=net) is not allowed to retrieve the RootDSE entry?

    OpenLDAP is providing the following additional details:
    The default schema entry could not be loaded due to inability to access the RootDSE entry. Further processing will be aborted. Try changing your credentials or the server side access control list (ACL).

    —- Thanks

    GK

  30. Dung

    Help me!
    2013-12-22 11:22:24,061 WARN org.dspace.core.PluginManager @ No Configuration entry found for Sequence Plugin interface=org.dspace.plugin.SiteHomeProcessor
    2013-12-22 11:22:41,190 INFO org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=02D674C6D4DD0FA2BD68B70FC45802B9:ip_addr=192.168.1.198:auth:attempting trivial auth of user=user1
    2013-12-22 11:22:41,312 WARN org.dspace.app.webui.servlet.InternalErrorServlet @ :session_id=02D674C6D4DD0FA2BD68B70FC45802B9:internal_error:– URL Was: http://192.168.1.198:8080/dspace/ldap-login
    — Method: POST
    — Parameters were:
    — login_password: *not logged*
    — login_submit: “??ng nh?p ”
    — login_netid: “user1”

    java.lang.NullPointerException
    at java.util.Hashtable.put(Unknown Source)
    at org.dspace.authenticate.LDAPAuthentication$SpeakerToLDAP.getDNOfUser(LDAPAuthentication.java:406)
    at org.dspace.authenticate.LDAPAuthentication.authenticate(LDAPAuthentication.java:202)
    at org.dspace.authenticate.AuthenticationManager.authenticateInternal(AuthenticationManager.java:155)
    at org.dspace.authenticate.AuthenticationManager.authenticate(AuthenticationManager.java:92)
    at org.dspace.app.webui.servlet.LDAPServlet.doDSPost(LDAPServlet.java:72)
    at org.dspace.app.webui.servlet.DSpaceServlet.processRequest(DSpaceServlet.java:115)
    at org.dspace.app.webui.servlet.DSpaceServlet.doPost(DSpaceServlet.java:73)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.dspace.utils.servlet.DSpaceWebappServletFilter.doFilter(DSpaceWebappServletFilter.java:78)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)

  31. Jay

    Stuart,

    Many, many thanks for this. A very useful tool for learning PHP/LDAP.

    Just wondering – would anyone know how to use the PHP ldap_search function to query which OUs a particular user belongs to? In this case a query for user ‘Ernie’ would return OU “Students”. Furthermore, if there was another OU for “Business Majors” with “Francis, Jenny and Steve” then a query for user “Francis” would return OUs “Students” and “Business Majors”.

    Thanks in advance for any tips.

  32. Timothy

    Thank you so much for this tool. It has helped me immensely. I know this post is very old but I was wondering if you could create a user that is a memberOf multiple groups. That would help so much.

  33. dhaval joshi

    Hi Stuart,

    I tried to connect with the LDAP settings you mentioned but I was not able to connect today; I was using Apache Directory Studio to do that. It worked in the past. Could you please look into this issue?

    Regards
    Dhaval Joshi
