OJS3 - LDAP plugin

Hi

I’m writing because I can’t get LDAP authentication to work in OJS3.

In my OJS3 installation the plugin shows as installed in website settings > plugins (I have pushed the plugin from ojs/plugins/auth/ldap at ojs-alpha-3_0 · pkp/ojs · GitHub).

I simply can’t find the setup menu for the plugin anywhere in the admin area. Neither in the demo at http://journals.sfu.ca/testdrive3/

Does anyone know how to handle this?

Thank you
Martin

Hi @podomart,

This plugin isn’t currently working in OJS3 and will need a major rewrite, unfortunately.

Regards,
Alec Smecher
Public Knowledge Project Team

Ok, good to know. Thank you for your quick response!

Hi @asmecher,
Do you have any schedule for the LDAP plugin to be working in OJS3?

We have tried OJS3 and we like it, but without the possibility of migrating our LDAP-validated users (in 2.4.8) we can’t migrate to OJS3.

Thank you so much.

Kind regards.
Jose Angel Navalón.
Universitat de Valencia (Spain)

@Jose_A_N, can you describe your use-case for the LDAP plugin? I think the 2.x plugin attempted to offer both remote LDAP management as well as remote authentication. That is, the old plugin allowed for OJS to be the source of user accounts, replicated to LDAP. I am interested in porting LDAP forward to 3.x as an authentication source, where the users would need to exist and be managed in an external LDAP server. OJS would have read-only access. Does that match your need, or would you need OJS to be able to write to the LDAP server?

Hi @ctgraham, I just need to read from LDAP directory, not to write.

In our 2.4.8 installation, we define an authentication plugin, with auth_source=n, and when we create a new user, we can assign as auth_id this n value for LDAP authentication, or another for local OJS authentication.

We have added the LDAP auth plugin and I can see it’s authenticating, but I can’t see this choice option (between LDAP and local) in user creation or registration forms.

Is it possible to do this in OJS3?

Edit: I’ve seen that by modifying the lib/pkp/templates/common/userDetails.tpl template it could be possible to modify the user creation form. If I add this option to assign the auth_id to the LDAP value or another, I think it could be possible. Am I right?

Thank you.
Kind regards.

My plan with OJS3 is to extend the authentication to be pluggable and hierarchical. That is, an administrator could allow OJS users to link their accounts to LDAP, Shibboleth, ORCID, Google, etc., so that they could log in with their preferred authentication source.

To make this possible, I stumbled down the path of enabling plugins to operate on a “site” or “context-specific” basis, per configuration. This bunny trailed into addressing some inconsistencies in the way our controllers are implemented, so now I’m seeing both of these steps as prerequisites to doing authentication “right”.

Once completed, we’ll be able to do read-only LDAP authentication, along with other desired methods, but that is (at present) a ways off.

Thank you ctgraham,

meanwhile we’ll keep learning about OJS3 and trying it.

Kind regards.

Jose Angel.

Any update on the status of LDAP and authentication in OJS3.X?

Sorry, no further update at this time.

Can you describe the specific feature and use case you are looking for with LDAP connectivity?

Hi, just to let you know we’re also interested in LDAP authentication in OJS3. In our case at least we only want authentication functionality - we wouldn’t want to touch ID management with a barge-pole. 🙂

Essentially our use case is: our instance hosts a couple of OA journals, both managed by university staff and students; many authors/readers/etc are also staff and students. It would be a lot easier for them to log in with their existing network username/password rather than to have to remember separate account details just for this platform. Some are not very technically savvy, and any little thing we can do to make it easier on them really helps.

Currently they have such separate accounts. My plan once LDAP was enabled was along the lines of:

  1. create a new account with their network username
  2. merge the old account into the new account
  3. hope this also merged permissions; otherwise to manually add these back in

I like the plan you describe further up, but I can see how that will take some time to nut out. Is there any chance of a bare-bones LDAP auth implementation as an interim measure, as it would be so useful? Or is it actually simpler to do it in that full context?

Thanks very much!

Hi @deborahfitchett,

Is LDAP the only option, or would something like OAuth or Shibboleth be helpful? My sense is that users mostly want single-sign-on and rarely just a shared user list (requiring separate logins using the same credentials); LDAP only addresses the shared user list, not the single-sign-on.

Regards,
Alec Smecher
Public Knowledge Project Team

We’re interested in LDAP too.

Our use case is around authentication/access for inter-institutional editorial teams.

Although we are not averse to OAuth or Shibboleth, both presuppose individuals’ parent organizations being OAuth/Shib enabled.

Any chance of ORCID as the handshake provider?

Hi @pm3415,

Yes, ORCID uses an OAuth mechanism, so it would be possible.

Regards,
Alec Smecher
Public Knowledge Project Team

@asmecher We could theoretically use Shibboleth, and there are advantages to it as you note (though because we currently only use it for scattered resources, single-sign-on isn’t a huge draw). It just requires a bit more liaison with our ITS to set up, so given the choice between the two I generally go for LDAP; but if only Shibboleth was available then I’d use it.

I don’t have a good understanding of OAuth and don’t think we’re set up for it here.

Hi @asmecher and @ctgraham,

We’re interested in having LDAP authentication; user creation/replication would also be a nice enhancement, but authentication is the main feature.
Any update on the status of the plugin?

Best Regards,
Vitor Fernandes

Hi @vfernandes,

LDAP doesn’t support single-sign-on – at best, it can support shared passwords. I’d suggest looking into Shibboleth, which is already supported by OJS, and can support true single-sign-on.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi
Is it possible to configure LDAP for read-only on OJS 3.1.1-4, and what are the steps to configure it?

Thanks

Hi everyone, I’m using OJS 3.1.2 and I’m interested in LDAP authentication. In my case, it would only be for authentication, so that users can log in with their institutional account. Is there any progress in this plugin?

Regards,

I’ve hacked up the shibboleth plugin to make authorization with creation of users work with LDAP AD. GitHub - shemgp/ojs_ldap_plugin: LDAP Authorization Plugin for OJS