fix the special case of anonymous LDAP search

Hierarchical LDAP originally assumed that when search.user is not
set, anonymous search is performed. We now assume that if it's
not set, simple LDAP authentication is performed. That retains
configuration backward compatibility for the two most common cases.
The special case of anonymous search now requires search.anonymous
to be set to true, which means old installations using this setup
will have to add this config property.
commit 8c4341357b3f8c409389dd875f70914a2bf05003 1 parent 3c45c1b
@helix84 helix84 authored
5 dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java
@@ -185,14 +185,15 @@ public int authenticate(Context context,
SpeakerToLDAP ldap = new SpeakerToLDAP(log);
// Get the DN of the user
+ boolean anonymousSearch = ConfigurationManager.getBooleanProperty("authentication-ldap", "search.anonymous");
String adminUser = ConfigurationManager.getProperty("authentication-ldap", "search.user");
String adminPassword = ConfigurationManager.getProperty("authentication-ldap", "search.password");
String objectContext = ConfigurationManager.getProperty("authentication-ldap", "object_context");
String idField = ConfigurationManager.getProperty("authentication-ldap", "id_field");
String dn = "";
- // If adminUser is blank, then we can't search so assume the DN
- if (StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword))
+ // If adminUser is blank and anonymous search is not allowed, then we can't search so construct the DN instead of searching it
+ if ((StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword)) && !anonymousSearch)
{
dn = idField + "=" + netid + "," + objectContext;
}
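Review bot: The fallback on the `if` at the end of this hunk is silent: when `search.user` is set but `search.password` is blank (or vice versa) and `search.anonymous` is false, the code quietly constructs the DN from `id_field` and `object_context` instead of searching, so a hierarchical install with a half-filled search bind will see login failures with no hint why. Suggest logging a warning inside that branch when exactly one of `adminUser`/`adminPassword` is non-blank, e.g. `log.warn("search.user or search.password is blank; falling back to constructed DN");`. Also note that `getBooleanProperty("authentication-ldap", "search.anonymous")` returns false when the key is absent, which is what makes the new default (simple bind) take effect for existing configs; worth stating in the comment above it so the behaviour change is visible at the call site.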
24 dspace/config/modules/authentication-ldap.cfg
@@ -111,16 +111,18 @@ autoregister = true
##### Hierarchical LDAP Settings #####
# If your users are spread out across a hierarchical tree on your
-# LDAP server, you will need to specify the username and password of
-# a user who is allowed to search the tree to find the full DN of
+# LDAP server, you will need to search the tree to find the full DN of
# the user who is logging in.
#
-# You can optionally specify the search scope. If anonymous access is not
-# enabled on your LDAP server, you will need to specify the full DN and
-# password of a user that is allowed to bind in order to search for the
-# users.
-
-# This is the search scope value for the LDAP search during
+# * If anonymous search is allowed on your LDAP server, you will need to set
+# search.anonymous = true
+# * If not, you will need to specify the full DN and password of a
+# user that is allowed to bind in order to search for the users.
+# * If neither search.anonymous is true, nor search.user is specified,
+# LDAP will not do the hierarchical search for a DN and will assume
+# a flat directory structure.
+
+# This is the optional search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
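Review bot: The third bullet ("If neither search.anonymous is true, nor search.user is specified ...") does not match the code, which also falls back to the flat-directory DN when `search.user` is set but `search.password` is blank; suggest "If search.anonymous is not true and search.user/search.password are not both specified, DSpace will not search for the DN and will assume a flat directory structure." The first bullet's "you will need to set search.anonymous = true" should also say this is a change from earlier releases, where an unset `search.user` implied an anonymous search, so administrators upgrading a hierarchical setup know to add the property. Minor: the added line after the bullets is a bare `+` with no `#`, leaving a stray blank line inside the comment block.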
@@ -129,9 +131,11 @@ autoregister = true
# subtree scope : 2
#search_scope = 2
+# If true, the initial bind will be performed anonymously.
+#search.anonymous = false
+
# The full DN and password of a user allowed to connect to the LDAP server
-# and search for the DN of the user trying to log in. If these are not specified,
-# the initial bind will be performed anonymously.
+# and search for the DN of the user trying to log in.
#search.user = cn=admin,ou=people,o=myu.edu
#search.password = password
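Review bot: The new `search.anonymous` comment ("If true, the initial bind will be performed anonymously.") drops the information the removed lines carried about what happens when nothing is specified; suggest extending it to "If true, the initial bind used to search for the user's DN is performed anonymously. Defaults to false. Installations that previously relied on an unset search.user to get an anonymous search must now set this to true." It would also help to state that `search.anonymous = true` requires the LDAP server to permit anonymous search of the user subtree, since a server that refuses it will make every hierarchical login fail at the search step rather than at the user's own bind.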