
fix the special case of anonymous LDAP search

Hierarchical LDAP originally assumed that when search.user is not
set, anonymous search is performed. We now assume that if it's
not set, simple LDAP authentication is performed. That retains
configuration backward compatibility for the two most common cases.
The special case of anonymous search now requires search.anonymous
to be set to true, which means old installations using this setup
will have to add this config property.
1 parent 3c45c1b commit 8c4341357b3f8c409389dd875f70914a2bf05003 @helix84 helix84 committed Sep 14, 2012
5 dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java
@@ -185,14 +185,15 @@ public int authenticate(Context context,
SpeakerToLDAP ldap = new SpeakerToLDAP(log);
// Get the DN of the user
+ boolean anonymousSearch = ConfigurationManager.getBooleanProperty("authentication-ldap", "search.anonymous");
String adminUser = ConfigurationManager.getProperty("authentication-ldap", "search.user");
String adminPassword = ConfigurationManager.getProperty("authentication-ldap", "search.password");
String objectContext = ConfigurationManager.getProperty("authentication-ldap", "object_context");
String idField = ConfigurationManager.getProperty("authentication-ldap", "id_field");
String dn = "";
- // If adminUser is blank, then we can't search so assume the DN
- if (StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword))
+ // If adminUser is blank and anonymous search is not allowed, then we can't search so construct the DN instead of searching it
+ if ((StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword)) && !anonymousSearch)
{
dn = idField + "=" + netid + "," + objectContext;
}
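Review bot: the fall-through to a constructed DN in this `if` block is silent, yet the commit message says existing anonymous-search installations will land in it until they add `search.anonymous = true`; add a log statement on that path (e.g. `log.warn("Hierarchical LDAP search skipped: search.anonymous is false and search.user/search.password not both set; constructing DN " + dn)`) so administrators can diagnose post-upgrade login failures instead of seeing a bare bind failure. The comment on the new condition should also say that `search.anonymous = true` forces a search regardless of whether `search.user` and `search.password` are set, since the condition only consults `anonymousSearch` for that case.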
24 dspace/config/modules/authentication-ldap.cfg
@@ -111,16 +111,18 @@ autoregister = true
##### Hierarchical LDAP Settings #####
# If your users are spread out across a hierarchical tree on your
-# LDAP server, you will need to specify the username and password of
-# a user who is allowed to search the tree to find the full DN of
+# LDAP server, you will need to search the tree to find the full DN of
# the user who is logging in.
#
-# You can optionally specify the search scope. If anonymous access is not
-# enabled on your LDAP server, you will need to specify the full DN and
-# password of a user that is allowed to bind in order to search for the
-# users.
-
-# This is the search scope value for the LDAP search during
+# * If anonymous search is allowed on your LDAP server, you will need to set
+# search.anonymous = true
+# * If not, you will need to specify the full DN and password of a
+# user that is allowed to bind in order to search for the users.
+# * If neither search.anonymous is true, nor search.user is specified,
+# LDAP will not do the hierarchical search for a DN and will assume
+# a flat directory structure.
+
+# This is the optional search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
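Review bot: the third bullet says the flat-directory fallback happens when `search.user` is not specified, but the condition in LDAPAuthentication.java also falls back when `search.password` is blank; suggest "nor both search.user and search.password are specified" so the documentation matches the code. The second bullet would also be clearer if it named the keys (`search.user`, `search.password`) the way the first bullet names `search.anonymous`, and "If neither search.anonymous is true, nor search.user is specified" reads better as "If search.anonymous is not true and search.user is not specified".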
@@ -129,9 +131,11 @@ autoregister = true
# subtree scope : 2
#search_scope = 2
+# If true, the initial bind will be performed anonymously.
+#search.anonymous = false
+
# The full DN and password of a user allowed to connect to the LDAP server
-# and search for the DN of the user trying to log in. If these are not specified,
-# the initial bind will be performed anonymously.
+# and search for the DN of the user trying to log in.
#search.user = cn=admin,ou=people,o=myu.edu
#search.password = password
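Review bot: the new comment on `search.anonymous` should state the default explicitly (the commented-out `#search.anonymous = false` implies it, but the text does not say so) and should say which setting wins when `search.anonymous = true` and `search.user`/`search.password` are also set, because the code in LDAPAuthentication.java decides whether to search from `search.anonymous` alone and nothing in this file tells an administrator that. Suggested wording: "# If true, the search for the user's DN is performed with an anonymous bind and search.user/search.password are not required. Default: false."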
