Created
September 28, 2023 05:49
-
-
Save alanorth/466f3f1065564b757a4a0af11c048f30 to your computer and use it in GitHub Desktop.
DSpace 7 authentication-ldap.cfg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #---------------------------------------------------------------# | |
| #------------LDAP AUTHENTICATION CONFIGURATIONS-----------------# | |
| #---------------------------------------------------------------# | |
| # Configuration properties used by the LDAP Authentication # | |
| # plugin, when it is enabled. # | |
| #---------------------------------------------------------------# | |
| # | |
| # If LDAP is enabled, then new users will be able to register | |
| # by entering their username and password without being sent the | |
| # registration token. If users do not have a username and password, | |
| # then they can still register and login with just their email address | |
| # the same way they do now. | |
| # | |
| # For providing any special privileges to LDAP users, | |
| # you will still need to extend the SiteAuthenticator class to | |
| # automatically put people who have a netid into a special | |
| # group. You might also want to give certain email addresses | |
| # special privileges. Refer to the DSpace documentation for more | |
| # information about how to do this. | |
| # | |
| # It may be necessary to obtain the values of these settings from the | |
| # LDAP server administrators as LDAP configuration will vary from server | |
| # to server. | |
| # This setting will enable or disable LDAP authentication in DSpace. | |
| # With the setting off, users will be required to register and login with | |
| # their email address. With this setting on, users will be able to login | |
| # and register with their LDAP user ids and passwords. | |
| authentication-ldap.enable = true | |
| ##### LDAP AutoRegister Settings ##### | |
| # This will turn LDAP autoregistration on or off. With this | |
| # on, a new EPerson object will be created for any user who | |
| # successfully authenticates against the LDAP server when they | |
| # first login. With this setting off, the user | |
| # must first register to get an EPerson object by | |
| # entering their ldap username and password and filling out | |
| # the forms. | |
| authentication-ldap.autoregister = true | |
| # This is the url to the institution's ldap server. The "o=myu.edu" | |
| # part may or may not be required depending on the LDAP server setup, | |
| # but make sure to include the slash after domain name. | |
| # A server may also require the ldaps:// protocol. | |
| # Note: Prepend commas with a backslash to escape them | |
| #authentication-ldap.provider_url = ldap://ldap.myu.edu/ou=faculties\,o=myu.edu | |
| # This is the unique identifier field in the LDAP directory | |
| # where the username is stored. | |
| authentication-ldap.id_field = sAMAccountName | |
| # This is the object context used when authenticating the | |
| # user. It is appended to the id_field and username. | |
| # For example uid=username,ou=people,ou=faculties,o=myu.edu. This must match | |
| # the LDAP server configuration. | |
| # Note: Prepend commas with a backslash to escape them | |
| #authentication-ldap.object_context = ou=students\,ou=faculties\,o=myu.edu | |
| # This is the search context used when looking up a user's | |
| # LDAP object to retrieve their data for autoregistering. | |
| # With autoregister turned on, when a user authenticates | |
| # without an EPerson object, a search on the LDAP directory to | |
| # get their name and email address is initiated so that DSpace | |
| # can create a EPerson object for them. So after we have authenticated against | |
| # uid=username,ou=people,o=byu.edu we now search in ou=people | |
| # for filtering on [uid=username]. Often the | |
| # search_context is the same as the object_context | |
| # parameter. But again this depends on each individual LDAP server | |
| # configuration. | |
| # Note: Prepend commas with a backslash to escape them | |
| authentication-ldap.search_context = dc=cgiarad\,dc=org | |
| # This is the LDAP object field where the user's email address | |
| # is stored. "mail" is the default and the most common for | |
| # LDAP servers. If the mail field is not found the username | |
| # will be used as the email address when creating the eperson | |
| # object. | |
| authentication-ldap.email_field = mail | |
| # This is the LDAP object field where the user's last name is | |
| # stored. "sn" is the default and is the most common for LDAP | |
| # servers. If the field is not found the field will be left | |
| # blank in the new eperson object. | |
| authentication-ldap.surname_field = sn | |
| # This is the LDAP object field where the user's given names | |
| # are stored. This may not be used or set in all LDAP instances. | |
| # If the field is not found the field will be left blank in the | |
| # new eperson object. | |
| authentication-ldap.givenname_field = givenName | |
| # This is the field where the user's phone number is stored in | |
| # the LDAP directory. If the field is not found the field | |
| # will be left blank in the new eperson object. | |
| authentication-ldap.phone_field = telephoneNumber | |
| ##### LDAP users group ##### | |
| # If required, a group name can be given here, and all users who log in | |
| # to LDAP will automatically become members of this group. This is useful | |
| # if you want a group made up of all internal authenticated users. | |
| authentication-ldap.login.specialgroup = CGIAR_LDAP_USERS | |
| ##### Hierarchical LDAP Settings ##### | |
| # If your users are spread out across a hierarchical tree on your | |
| # LDAP server, you will need to search the tree to find the full DN of | |
| # the user who is logging in. | |
| # | |
| # * If anonymous search is allowed on your LDAP server, you will need to set | |
| # search.anonymous = true | |
| # * If not, you will need to specify the full DN and password of a | |
| # user that is allowed to bind in order to search for the users. | |
| # * If neither search.anonymous is true, nor search.user is specified, | |
| # LDAP will not do the hierarchical search for a DN and will assume | |
| # a flat directory structure. | |
| # This is the optional search scope value for the LDAP search during | |
| # autoregistering. This will depend on your LDAP server setup. | |
| # This value must be one of the following integers corresponding | |
| # to the following values: | |
| # object scope : 0 | |
| # one level scope : 1 | |
| # subtree scope : 2 | |
| authentication-ldap.search_scope = 2 | |
| # If true, the initial bind will be performed anonymously. | |
| #authentication-ldap.search.anonymous = false | |
| # The full DN and password of a user allowed to connect to the LDAP server | |
| # and search for the DN of the user trying to log in. | |
| # Note: Prepend commas with a backslash to escape them | |
| #authentication-ldap.search.user = cn=admin\,ou=faculties\,ou=people\,o=myu.edu | |
| #authentication-ldap.search.password = password | |
| # If your LDAP server does not hold an email address for a user, you can use | |
| # the following field to specify your email domain. This value is appended | |
| # to the netid in order to make an email address. E.g. a netid of 'user' and | |
| # netid_email_domain as '@example.com' would set the email of the user | |
| # to be 'user@example.com | |
| #authentication-ldap.netid_email_domain = @example.com | |
| # Take the left part of the groupmap value (before the ":") and look it up | |
| # in user's full DN. If it's found, assign user to the DSpace group | |
| # specified by the right part of the groupmap value (after the ":"). | |
| # One user may belong to multiple groups. | |
| #authentication-ldap.login.groupmap.1 = OU=ILRIHUB:ILRI_LDAP_USERS | |
| #authentication-ldap.login.groupmap.3 = ou=ldap-dept3:dspace-groupA | |
| # If this property is uncommented, it changes the meaning of the left part of | |
| # the groupmap value (before the ":") as follows. | |
| # The value of login.groupmap.attribute specifies the name of an LDAP attribute. | |
| # If user has this attribute, look up the value of this attribute in the left | |
| # part of the groupmap value (before the ":"). If it's found, assign user to | |
| # the DSpace group specified by the right part of the groupmap value (after | |
| # the ":"). | |
| #authentication-ldap.login.groupmap.attribute = group | |
| #authentication-ldap.login.groupmap.1 = ldap-dept1:dspace-group1 | |
| #authentication-ldap.login.groupmap.2 = ldap-dept2:dspace-groupA | |
| #authentication-ldap.login.groupmap.3 = ldap-dept3:dspace-groupA | |
| # Enables support for StartTLS (default is false). If this flag is true be sure provider_url looks like: | |
| # ldap://ldap.myu.edu:389 | |
| #authentication-ldap.starttls=true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment