EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #07408
< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First
[EP-tech] Inquiry on ePrints AD Authentication
- To: <eprints-tech@ecs.soton.ac.uk>
- Subject: [EP-tech] Inquiry on ePrints AD Authentication
- From: YEAT YEE LEE <leeyy@tarc.edu.my>
- Date: Wed, 15 Aug 2018 14:59:25 +0800
Hi,
I would like to link eprints system to Microsoft AD for authentication. I have referred to a few websites, and configured as advise, but it is not working, with no error message.
Following is a script for eprints-AD connection testing. I tried and it is working. I can get the result.
******************************
#!/usr/bin/perl -w
# EPrints Services LDAP test script
use Net::LDAP;
use Net::LDAP::Constant;
use strict;
my ($user_sent) = $ARGV[0];
# Params
my $ldap_host = "ldaps://MailScanner warning: numerical links are often malicious: 192.168.5.11"; # Active Directory server on example.org domain
my $bind_dn = "cn=Tarc Admin;cn=users,DC=tarc,DC=edu,DC=local"; # one or more 'ou's may need to be set
my $bind_pword = "PASSWORD";
my $base = "DC=tarc,DC=edu,DC=local"; # Likely the same domain as the AD server itself
# Connect to server
my $ldap = Net::LDAP->new( $ldap_host, version => 3, port => 636 ); # Version and port may need changing
die "LDAP connect error: $@\n" unless defined $ldap;
# Try to bind
my $mesg;
if( $bind_dn eq "" && $bind_pword eq "" )
{
$mesg = $ldap->bind; # anonymous bind
}
else
{
$mesg = $ldap->bind( $bind_dn, password => $bind_pword );
}
die "LDAP bind error: " . $mesg->error() . "\n" if $mesg->code();
# Search for an account and get all available attributes (by not setting attrs)
$mesg = $ldap->search (
base => $base,
scope => "sub",
filter => "sAMAccountName=$user_sent", # Most likely cn, uid or sAMAccountName
sizelimit => 1,
);
if( $mesg->code() )
{
print STDERR "LDAP search error: ".$mesg->error."\n";
exit;
}
my $entr = $mesg->pop_entry;
unless( defined $entr )
{
print STDERR "LDAP no search results returned\n";
exit 1;
}
# See what attributes are set for this user
print $entr->dump;
$ldap->unbind;
******************************
I have configured the following authentication script (got from https://wiki.eprints.org/w/LDAP), it always show "Incorrect username or password." although the AD login and password is correct.
******************************
=pod
# Please see http://wiki.eprints.org/w/User_login.pl
# $c->{check_user_password} = sub {
# my( $repo, $username, $password ) = @_;
#
# ... check whether $password is ok
#
# return $ok ? $username : undef;
#};
$c->{check_user_password} = sub {
my( $session, $username, $password ) = @_;
# Kerberos authentication for "user", "editor" and "admin" types (roles)
use Net::LDAP; # IO::Socket::SSL also required
use Authen::Krb5::Simple;
use Authen::SASL;
# LDAP tunables
my $ldap_host = "ldaps://MailScanner warning: numerical links are often malicious: 192.168.5.11";
my $base = "OU=TARUC,DC=tarc,DC=edu,DC=local";
my $proxy_user ="ad_read";
my $dn = "CN=$proxy_user,$base";
# Kerberos tunables
my $krb_host = "192.168.5.11";
my $krb = Authen::Krb5::Simple->new(realm => $krb_host);
unless ( $krb )
{
print STDERR "Kerberos error: $@\n";
return 0;
}
my $ldap = Net::LDAP->new ( $ldap_host );
unless( $ldap )
{
print STDERR "LDAP error: $@\n";
return 0;
}
my $sasl = Authen::SASL->new(
mechanism => 'GSSAPI',
callback => { user => 'ad_read' }
) or die "$@";
my $mesg = $ldap->bind(sasl => $sasl);
if( $mesg->code() )
{
print STDERR "LDAP Bind error: " . $mesg->error() . "\n";
return 0;
}
# Distinguished name (and attribues needed later on) for this user
my $result = $ldap->search (
base => "$base",
filter => "(&(sAMAccountName=$username))",
attrs => ['1.1', 'uid', 'sn', 'givenname', 'mail', 'department', 'title'],
sizelimit=>1
);
my $entr = $result->pop_entry;
unless( defined $entr )
{
# Allow local EPrints authentication for admins (accounts not found in LDAP)
my $user = EPrints::DataObj::User::user_with_username( $session, $username );
return 0 unless $user;
my $user_type = $user->get_type;
if( $user_type eq "admin" )
{
# internal authentication for "admin" type
return $session->get_database->valid_login( $username, $password );
}
return 0;
}
# Check password
if( !$krb->authenticate( $username, $password ) )
{
print STDERR "$username authentication failed: ", $krb->errstr(), "\n";
return 0;
}
# Does account already exist?
my $user = EPrints::DataObj::User::user_with_username( $session, $username );
if( !defined $user )
{
# New account
$user = EPrints::DataObj::User::create( $session, "user" );
$user->set_value( "username", $username );
}
# Set metadata
my $name = {};
$name->{family} = $entr->get_value( "sn" );
$name->{given} = $entr->get_value( "givenName" );
$name->{honourific} = $entr->get_value( "title");
$user->set_value( "name", $name );
$user->set_value( "username", $username );
$user->set_value( "email", $entr->get_value( "mail" ) );
$user->set_value( "dept", $entr->get_value("department") );
$user->commit();
$ldap->unbind if $ldap;
return 1;
}
=cut
# Maximum time (in seconds) before a user must log in again
# $c->{user_session_timeout} = undef;
# Time (in seconds) to allow between user actions before logging them out
# $c->{user_inactivity_timeout} = 86400 * 7;
# Set the cookie expiry time
# $c->{user_cookie_timeout} = undef; # e.g. "+3d" for 3 days
******************************
Please advise where went wrong. FYI, I do not familiar with Perl.
Thank you very much for your help.
Regards,
Lee Yeat Yee
CIT Centre
Tunku Abdul Rahman University College
Tel: 03-41450123 ext 3511
Fax: 03-41438980
- Follow-Ups:
- [EP-tech] Inquiry on ePrints AD Authentication
- From: YEAT YEE LEE <leeyy@tarc.edu.my>
- [EP-tech] Inquiry on ePrints AD Authentication
- References:
- [EP-tech] Inquiry on ePrints AD Authentication
- From: YEAT YEE LEE <leeyy@tarc.edu.my>
- [EP-tech] Inquiry on ePrints AD Authentication
- Prev by Date: [EP-tech] Using DOI lookup during import from ORCID in EPrints
- Next by Date: [EP-tech] Multiple Uploaded Files in One Directory
- Previous by thread: [EP-tech] EPrints/CRIS
- Next by thread: [EP-tech] DOI handling in orcid_support_advance
- Index(es):