A few weeks ago I made a test LDAP service available (read the blog post) so that people without an LDAP service of their own can test their LDAP-related DSpace patches, and so that people configuring DSpace's LDAP settings have a working example with correct configuration values to copy.
I have recently been working on upgrading the LDAP support in DSpace to allow sub-tree searching. At present DSpace can only authenticate users held in a single OU, but many institutions spread their users across a large tree of OUs.
I have now released a patch that does this; it will either be included in the upcoming DSpace 1.5.1 or will have to wait for 1.5.2 or 1.6.
To test this I have had to add more users to my test LDAP service, which you are welcome to use too. The patch lets you specify the DN and password of a user who has full read and search rights over the LDAP tree. DSpace binds as that user and searches the tree below ldap.search_context (ldap.search_scope = 2 means the whole sub-tree) for the entry whose ldap.id_field matches the login name, which gives it the DN of the person trying to log in. If your server allows anonymous search you can comment out the search user's details. DSpace then binds to the LDAP server a second time, as that DN with the password the user typed, and only if this second bind succeeds are the credentials accepted. If you want to make use of this service, here are the settings you'll need:
- ldap.provider_url = ldap://ldap.testathon.net:389/
- ldap.id_field = cn
- ldap.object_context = OU=users,DC=testathon,DC=net
- ldap.search_context = OU=users,DC=testathon,DC=net
- ldap.email_field = mail
- ldap.surname_field = sn
- ldap.givenname_field = givenName
- ldap.phone_field = telephoneNumber
- ldap.search_scope = 2
- ldap.search.user = CN=stuart,OU=users,DC=testathon,DC=net
- ldap.search.password = stuart
There are now nine users, structured as shown below:

As before, all passwords are the same as usernames.
I hope this is a useful service. Comments welcome!
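An added illustration of the search-then-bind flow described above. It is not DSpace's code and not from the original post: the in-memory FakeDirectory stands in for a real server, the settings are the ones listed above, the entries for alice and bob (bob in an assumed "staff" sub-OU, to exercise sub-tree search) are constructed, and escape_filter_value shows the check a practitioner wants at the point where the login name is pasted into the search filter.

```python
import re


# RFC 4515: escape a value before placing it inside a search filter.
# Without this a login name such as "*" rewrites the filter instead of
# being matched literally.
def escape_filter_value(value: str) -> str:
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\0' else ch
                   for ch in value)


def build_filter(id_field: str, login: str) -> str:
    return '(%s=%s)' % (id_field, escape_filter_value(login))


class InvalidCredentials(Exception):
    pass


def _pattern_to_regex(pattern: str):
    """Value part of "(attr=value)" as a regex: an unescaped '*' is a
    wildcard, a "\\xx" escape is the literal character it encodes."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] == '\\':
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif pattern[i] == '*':
            parts.append('.*')
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile(''.join(parts), re.IGNORECASE)


class FakeDirectory:
    """Constructed stand-in for an LDAP server: dn -> (password, attrs).
    It offers only the two operations the flow needs: bind and search."""

    def __init__(self, entries, anonymous_search=False):
        self.entries = entries
        self.anonymous_search = anonymous_search
        self.bound_as = None

    def bind(self, dn: str, password: str) -> None:
        # A simple bind with a DN and an empty password is an
        # *unauthenticated* bind (RFC 4513 section 5.1.2) and some servers
        # answer it with success, so refuse it as a careful client would.
        if not password:
            raise InvalidCredentials('empty password for ' + dn)
        entry = self.entries.get(dn)
        if entry is None or entry[0] != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn

    def search(self, base: str, flt: str) -> list:
        # Like the server in the post, refuse anonymous searches.
        if self.bound_as is None and not self.anonymous_search:
            raise PermissionError('anonymous search not allowed')
        attr, _, pattern = flt[1:-1].partition('=')
        regex = _pattern_to_regex(pattern)
        return [dn for dn, (_, attrs) in self.entries.items()
                if (',' + dn.lower()).endswith(',' + base.lower())  # sub-tree scope
                and any(regex.fullmatch(v) for v in attrs.get(attr, []))]


def authenticate(directory, cfg: dict, login: str, password: str):
    """Search-then-bind: return the user's DN on success, else None."""
    if not password:
        return None                          # never attempt an unauthenticated bind
    if cfg.get('ldap.search.user'):          # otherwise search anonymously
        directory.bind(cfg['ldap.search.user'], cfg['ldap.search.password'])
    matches = directory.search(cfg['ldap.search_context'],
                               build_filter(cfg['ldap.id_field'], login))
    if len(matches) != 1:                    # unknown or ambiguous: refuse
        return None
    try:
        directory.bind(matches[0], password)  # re-bind as the user
    except InvalidCredentials:
        return None
    return matches[0]


# Settings from the post; the tree is constructed (the "staff" sub-OU is an assumption).
TESTATHON_CFG = {
    'ldap.id_field': 'cn',
    'ldap.search_context': 'OU=users,DC=testathon,DC=net',
    'ldap.search.user': 'CN=stuart,OU=users,DC=testathon,DC=net',
    'ldap.search.password': 'stuart',
}
DIRECTORY = FakeDirectory({
    'CN=stuart,OU=users,DC=testathon,DC=net': ('stuart', {'cn': ['stuart']}),
    'CN=alice,OU=users,DC=testathon,DC=net': ('alice', {'cn': ['alice']}),
    'CN=bob,OU=staff,OU=users,DC=testathon,DC=net': ('bob', {'cn': ['bob']}),
})

if __name__ == '__main__':
    for login, pw in [('stuart', 'stuart'), ('bob', 'bob'), ('alice', 'wrong'),
                      ('alice', ''), ('*', 'stuart')]:
        print('%-8r %-8r -> %s' % (login, pw, authenticate(DIRECTORY, TESTATHON_CFG, login, pw)))
```

The DN used for the second bind is always the one the search returned, never one assembled from the login name, so only the filter value needs escaping; the empty-password refusal happens before any bind because the server cannot be relied on to reject it.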

Hi Stuart,
Thanks for the great work on the d-space LDAP code.
I just put together a patch myself to org.dspace.authentication.LDAP…
which modifies the LDAP authentication to work with Active Directory
here at Auburn – including subtree search.
I think the patch is generic enough that it would
be of general use, so I sent a message to the dspace-tech e-mail list
asking about checking the patch into the dspace svn repository, but have received no response so far:
http://sourceforge.net/mailarchive/forum.php?thread_name=48B67A96.724F.0085.0@auburn.edu&forum_name=dspace-tech
Is there some other path I should be taking to submit the patch for consideration by the d-space maintainers ?
Thanks!
Reuben
Hi Reuben,
Thanks for getting in touch. I’ve got that email sitting in my inbox waiting for me to get around to replying to it – sorry it has taken a little while.
What changes have you made to make it work with Active Directory?
It would be great if you could formally submit your patch to the DSpace patch queue (http://sourceforge.net/tracker/?atid=319984&group_id=19984&func=browse). There are a few of us working on a generic LDAP authenticator which will hopefully work with any AD / LDAP system, so it would be good to see what changes you’ve made to see if we can incorporate them too.
Thanks,
Stuart
Hi Stuart,
I just added to tracker a small modification in order to support anonymous bind to LDAP.
Take a look.
Regards,
Paulo Matos
Hi Paulo,
Thanks for the modification. I have now applied it to SVN ready for DSpace 1.5.2
Thanks,
Stuart
Hi Stuart,
Will you be updating The DSpace Course LDAP config to utilise this patch?
Regards
Hi,
If I get an hour sometime I will. If not, hopefully the comments in the dspace.cfg configuration file around the hierarchical LDAP section are sufficient.
Thanks,
Stuart
Hi Stuart
I want to test LDAP. I have configured dspace.cfg as per the above article. Now what next?
I mean, how do I get logged in?
Go to the DSpace login screen, pick the user you wish to log in as (e.g. alice, bob, etc.), then enter their username 'alice' and their password, which is the same as their name, 'alice'.
stuart,
I have a Windows app that I want to test against your LDAP server. Here is what the app prompts for:
ldap server: ldap.testathon.net
port: 389
base: cn
username: stuart
pswd: stuart
I get an error, 'invalid dn syntax'. Can you please suggest what I may be doing wrong? Thank you!!
Hi Stuart
I have set up the above configuration on my local PC.
When I try to log in using the credentials given above, it says invalid e-mail address and password.
I am not sure whether it goes to your server to check or not.
Hi Stuart
I don’t know why but it is working now.
Hi Stuart,
Great resource. I’m just learning ldap and it’s fantastic to have a dummy server to test on.
Cheers,
John
Hi Stuart, thanks for keeping the test ldap server up !
One question: for testing an application, it asks for LDAP user filter = .... Is it fine to add
LDAP user filter=(uid=%USERNAME%)
where %USERNAME% is supposed to be the username input box in the login screen?
It is for web2project specifically. My Sun Directory 5.2 is not working with this and I'm testing with your LDAP. But at this time it is not authenticating either.
Thanks for any help.
Hi – I’m not sure sorry. Have you tried using ‘cn’ instead of ‘uid’ in the filter?
Yes, I have tried many ways. I'm posting to the w2p forums. Thank you, your testathon is very helpful.
I am trying to get some results using the "ldapsearch" utility against your service. It seems to connect but does not get any valid results. The commands I tried are:
# ldapsearch -x -h ldap.testathon.net "objectclass=*"
# ldapsearch -x -h ldap.testathon.net cn
For everything I get:
--------
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
----
What am I doing wrong?
Perhaps you need to bind with some credentials, as anonymous binding is not allowed.
Thank you for the message.
I changed the command to:
# ldapsearch -x -h ldap.testathon.net -D "CN=stuart,OU=users,DC=testathon,DC=net" -w stuart "objectclass=*"
and the output is the same.
Success!
I had to add the base dn flag as follows:
-b "OU=users,DC=testathon,DC=net"
Can I use SASL authentication instead of simple authentication? I am not able to get the same command working with my test LDAP server and I suspect it is because it does not support simple authentication.
I would like to know the syntax of the same ldapsearch command with SASL authentication.
Hi Stuart,
first of all, thanks for the server!
I have a question: I am trying to log in here with an LDAP plugin.
I entered: ou=users,dc=testathon,dc=net
(I also tried ou=Benutzer)
and ldap://ldap.testathon.net
However I try to log in, it always reports that it does not know the name.
I tried with just Stuart and with users\stuart.
Do you have any idea what could be wrong?
hello Stuart
If I try to connect to the server, I always get an invalid credentials error.
What can I do?
Thanks, good example, testing OK! Bogotá, Colombia
Hi Stuart,
First I want to say thank you for keeping the test LDAP server live. I am in the middle of a capabilities test with DSpace right now, pending the procurement of a service provider, and being able to show what's possible here is a massive help. So I guess this also counts as a report back on someone else using it and finding it useful.
The reason I am commenting, though, is to inquire about any possibilities of using multiple LDAP servers. My organization is globally distributed and has yet to consolidate all of its LDAP servers (they may not even be trying). If we are limited to one LDAP server, we could only serve a portion of the intended user base. Are you aware of any real efforts on this front? Do you happen to know of any of the registered service providers who may have addressed this?
Thank you VERY much for keeping this service online. I was able to build and test out a working LDAP solution in PHP using your service.
Tip for PHP developers: Be sure to enable the LDAP v3 option before doing ldap_bind() or you’ll get a Protocol Error.
Hi Aaron,
This would not take too much effort for a service provider to provide (if they claim it is, look for another service provider!). There are two easy modifications that could be made – the first is to chain multiple instances of (renamed) LDAP authentication classes together, each with a different set of configuration settings. The smarter alternative would be to put a for-loop around the LDAP checking code, which again looks up the details of each LDAP server in the configuration file – rather than having one set of LDAP server details in the config file, have multiple.
Thanks,
Stuart
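An added illustration of the second approach in the reply above, looping over several configured LDAP servers (not DSpace code, and not from the original thread). Each server is represented by a callable that returns the user's DN on success, None on rejection, and raises ConnectionError when the server is unreachable; the server list, directories and accounts below are constructed.

```python
def authenticate_any(servers, login, password):
    """servers: ordered list of (name, auth_fn) pairs, one per configured
    LDAP server, each with its own search account and base DN behind it.
    Returns (server name, dn) from the first server that accepts the
    login, or None.  An unreachable server is skipped, and so is one that
    rejects the credentials, so a user absent from one directory can still
    log in through another.  Consequence: a login name present in more
    than one directory is decided by the first server that accepts it, so
    the order of the list is a security decision, not a convenience."""
    if not password:
        return None                      # no unauthenticated binds anywhere
    for name, auth in servers:
        try:
            dn = auth(login, password)
        except ConnectionError:
            continue                     # server down: try the next one
        if dn is not None:
            return name, dn
    return None


def directory(base, accounts):
    """Constructed stand-in for one server: accounts maps login -> password.
    The returned DN is a label built for the fake; a real server would
    return the entry's actual DN from the search."""
    def auth(login, password):
        if accounts.get(login) == password:
            return 'CN=%s,%s' % (login, base)
        return None
    return auth


def unreachable(login, password):
    raise ConnectionError('connection refused')


# Constructed: an unreachable site first, the testathon tree from the
# post second, and a hypothetical third directory that also knows "alice".
SERVERS = [
    ('eu', unreachable),
    ('uk', directory('OU=users,DC=testathon,DC=net',
                     {'stuart': 'stuart', 'alice': 'alice'})),
    ('us', directory('OU=people,DC=example,DC=com',
                     {'carol': 'carol', 'alice': 'other'})),
]

if __name__ == '__main__':
    for login, pw in [('stuart', 'stuart'), ('carol', 'carol'),
                      ('alice', 'other'), ('bob', 'bob')]:
        print('%-7s -> %s' % (login, authenticate_any(SERVERS, login, pw)))
```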
Hi Stuart,
Many thanks for the server – it’s *really* helped in some LDAP development I’ve been doing in VB.Net
dG
Hi Stuart,
First of all, thanks so much for providing the LDAP server. I was trying to use this LDAP server with CentOS 6 and found that the newer OS only supports ldaps://... or TLS for LDAP authentication.
It would be great help if you can configure authentication for this server.
thanks in advance!
Hi Stuart Lewis & Paulo Matos
I am trying to bind DSpace to LDAP. I successfully bound my DSpace to the test LDAP server created by you (Stuart). However, I am unable to connect it to my local LDAP.
Our local LDAP requires anonymous binding. Can you please guide me on how to sort out this problem? I am using DSpace 1.6. Our local LDAP comprises a 6-level hierarchy.
Hi Amjad,
Take a look at the following DSpace wiki page:
https://wiki.duraspace.org/display/DSDOC18/Authentication+Plugins#AuthenticationPlugins-EnablingHierarchicalLDAPAuthentication
Hopefully this will help.
Thanks,
Stuart
Hi Stuart,
I am using DSpace 1.6, and the link you sent is for DSpace 1.8.
Just tell me how to set the object and search context.
Thanks,
Amjad
Hi,
I’ve started work on a project for a client, and I’ve had to use LDAP with Moodle. This helped me put together an Alpha for testing, so many thanks!
Cheers
Rick
Reading between the lines, is TLS not supported?
Sorry, no. I’d either have to use a self signed certificate (which a lot of LDAP clients wouldn’t like talking to because of a lack of trust), or have to pay for a commercial trusted certificate.
Stuart,
Thanks for the server. Made my life a lot easier.
Hi Stuart,
I tried to connect to this server as below using JNDI.
Can you please help with where I may be going wrong? Many thanks.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LDAPConnect {
    public static void main(String[] args) {
        // set the LDAP authentication method
        String auth_method = "simple";
        // set the LDAP client version
        String ldap_version = "3";
        // this is the LDAP server's host name
        String ldap_host = "ldap.testathon.net";
        // this is the LDAP server's port
        String ldap_port = "389";
        // this is the access ID (the search account from the post)
        String ldap_dn = "CN=stuart,OU=users,DC=testathon,DC=net";
        // this is the access password
        String ldap_pw = "stuart";
        // this is the base DN (not needed for the bind itself, used for later searches)
        String base_dn = "OU=users,DC=testathon,DC=net";

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + ldap_host + ":" + ldap_port);
        env.put(Context.SECURITY_AUTHENTICATION, auth_method);
        env.put(Context.SECURITY_PRINCIPAL, ldap_dn);
        env.put(Context.SECURITY_CREDENTIALS, ldap_pw);
        env.put("java.naming.ldap.version", ldap_version);

        DirContext ctx = null;
        try {
            System.out.println("Connecting to host " + ldap_host + " at port " + ldap_port + "...");
            System.out.println();
            // creating the context performs the bind; a bad DN or password
            // surfaces here as a NamingException
            ctx = new InitialDirContext(env);
            System.out.println("LDAP authentication successful!");
        } catch (NamingException e) {
            System.out.println("LDAP connection failed!");
            e.printStackTrace();
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                }
            }
        }
    }
}
It throws an exception for unknown host:
Connecting to host ldap.testathon.net at port 389…
LDAP connection failed!
javax.naming.CommunicationException: ldap.testathon.net:389 [Root exception is java.net.UnknownHostException: ldap.testathon.net]
at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at LDAP_Test.LDAPConnect.main(LDAPConnect.java:52)
Caused by: java.net.UnknownHostException: ldap.testathon.net
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
… 15 more
Hi Rushabh,
javax.naming.CommunicationException: ldap.testathon.net:389 [Root exception is java.net.UnknownHostException: ldap.testathon.net]
This suggests that your machine cannot resolve the IP address of ldap.testathon.net. What happens if you try to resolve this manually?
Do you have an outbound firewall that might be refusing to connect to port 389?
(Try telnetting to that host, port 389 and see if you can connect).
Thanks a bunch Stuart.
Indeed there was a firewall issue. I bypassed it and it worked.
Thanks again,