Cannot set up ldap plugin to work

Hi there,

After following the instructions on how to set up an authentication source to set up LDAP, I cannot see how to change from the local database to LDAP when logging into OJS 2.4.8.1.

Can you guide me on how to set up the LDAP plugin to work?

Thank you very much,

Molin

I haven’t actually used the LDAP plugin, but it looks like the authentication source is defined per user. Once enabled, the Journal Manager can edit the profile of an individual user and change the authentication source to the LDAP instance.

Hi,

Thank you for your reply. Do I need to register a user to be able to log in with an LDAP account (username, password)?
Can I log in with an LDAP user without any pre-registration?

Molin

Here is my login screen. I didn’t have any option that lets me choose to log in with an LDAP account:

The username will be checked for which authentication source is used, then the username and password will be handed off to that source. Thus, there is no prompt at this screen as to what the authentication source is.

I don’t see anywhere in the LDAP plugin code that would provide a registration method directly against LDAP. (Cf. ojs/LDAPAuthPlugin.inc.php at ojs-dev-2_4 · pkp/ojs · GitHub and ojs/AuthPlugin.inc.php at ojs-dev-2_4 · pkp/ojs · GitHub)

So for you, all accounts need to be registered first in the OJS system, using LDAP as the source, before they can be used to log in?
Plus, after an LDAP account is used to log in, does OJS create a local account in its database?

OJS will maintain a local user profile for each user, regardless of the authentication source.

It is possible that this line supports new registrations directly against an alternate authentication source, such as LDAP:

If you set your LDAP source to be the “default authentication” source, can you register a new user by filling out the Registration Form, using the existing LDAP username and Password where you would normally fill in a new username and password?

Yes, I can register a new user with the existing LDAP username and password, but I cannot log in using that information.

After self-registering the user, as a Journal Manager, review the user’s profile. Is the authentication source being set correctly?

Yes. The authentication source is being set correctly. It’s LDAP, as I am trying to set up LDAP authentication.
But I cannot log in and always get the message: Invalid username or password. Please try again.

Do we have to register users in advance, or can we log in with an LDAP user without any registration?

My reading of the code is that you must register the user in advance.

If an LDAP datasource is selected as the default authentication source, and if the username and password you enter within the registration form matches what is used in LDAP, it looks like the registration is intended to link the user against that default LDAP datasource.

Hmm, I don’t really understand the mechanism of the system. If we still need to register the user manually, why do we need LDAP? Plus, we don’t know everybody’s password.

Sorry, I am not good at reading code, so it’s really hard for me to understand.
Other systems like Moodle create the user in their database after the user is authenticated via LDAP or SSO.

I thought it was the same thing for OJS.

I agree with you regarding the way it “ought” to work - authentication via LDAP or other distributed authentication ought to imply registration, creating the local user record.

I have several feature requests on my todo list related to this:
https://github.com/pkp/pkp-lib/issues/1963

My intent is (once I get time to dig into these) to have a consistent authentication architecture which should work this way for LDAP, OpenID, OAuth, Shibboleth, etc. Right now this is targeted for the 3.x line, but I also have vested interest in backporting to 2.4.x.

That said, if you want to register users on their behalf, I think you can create their accounts with disposable passwords, and when you change their authentication source, the LDAP password will be required. If you want users to self-register, you just need to direct them to the registration page instead of the login page, communicating that they still need to use their existing username and password, even though it looks like they are registering for a new account.

Thank you, Graham! It’s very kind of you to take some time to reply to my question.

I will try to get the LDAP plugin to work by pre-registering user accounts as you said.
Anyway, have you already set it up to work? I mean logging in with an LDAP user account.

Thanks,

I have not used the LDAP plugin personally. I tried setting it up on one of my test instances just now, but was missing the php_ldap libraries, so I didn’t go further than that at this time.
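The per-user authentication-source flow described in the replies above, modelled as an added example that is not part of the original thread and is not OJS code. Every name here (`Site`, `DirectorySource`, `set_auth_source`) is hypothetical, the directory is a stand-in for a real LDAP bind, and rejecting a registration whose credentials do not verify against the default source is an assumption.

```python
# Model of the per-user auth-source flow from the thread; hypothetical names, not OJS code.
import hashlib
import hmac
import os

LOCAL = None  # auth_id meaning "local database"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DirectorySource:
    """Stand-in for an LDAP source; a real one would perform an LDAP bind."""
    def __init__(self, accounts):
        self._accounts = accounts  # constructed sample data: {username: password}

    def authenticate(self, username, password):
        expected = self._accounts.get(username)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

class Site:
    def __init__(self, sources, default_auth_id=LOCAL):
        self.sources = sources                  # {auth_id: source}
        self.default_auth_id = default_auth_id  # used for self-registration
        self.users = {}                         # local profile kept for every user

    def register(self, username, password):
        if username in self.users:
            return False
        if self.default_auth_id is LOCAL:
            salt = os.urandom(16)
            self.users[username] = {"auth_id": LOCAL, "salt": salt,
                                    "hash": _hash(password, salt)}
            return True
        # External default source: link the profile only if the credentials
        # verify there (assumption). No password is stored locally.
        if not self.sources[self.default_auth_id].authenticate(username, password):
            return False
        self.users[username] = {"auth_id": self.default_auth_id}
        return True

    def login(self, username, password):
        profile = self.users.get(username)
        if profile is None:   # no local profile: the external source is never asked
            return False
        if profile["auth_id"] is LOCAL:
            return hmac.compare_digest(profile["hash"],
                                       _hash(password, profile["salt"]))
        return self.sources[profile["auth_id"]].authenticate(username, password)

    def set_auth_source(self, username, auth_id):
        # Journal Manager edits the profile; the disposable local password is dropped.
        self.users[username] = {"auth_id": auth_id}
```

This models the intended behaviour as the replies describe it; it does not reproduce the "Invalid username or password" failure reported for the actual plugin.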