fix the special case of anonymous LDAP search

Hierarchical LDAP originally assumed that when search.user is not
set, anonymous search is performed. We now assume that if it's
not set, simple LDAP authentication is performed. That retains
configuration backward compatibility for the two most common cases.
The special case of anonymous search now requires search.anonymous
to be set to true, which means old installations using this setup
will have to add this config property.
Ivan Masár
2012-09-14 15:27:58 +02:00
parent 3c45c1bc67
commit 8c4341357b
2 changed files with 16 additions and 11 deletions


@@ -185,14 +185,15 @@ public class LDAPAuthentication
SpeakerToLDAP ldap = new SpeakerToLDAP(log);
// Get the DN of the user
boolean anonymousSearch = ConfigurationManager.getBooleanProperty("authentication-ldap", "search.anonymous");
String adminUser = ConfigurationManager.getProperty("authentication-ldap", "search.user");
String adminPassword = ConfigurationManager.getProperty("authentication-ldap", "search.password");
String objectContext = ConfigurationManager.getProperty("authentication-ldap", "object_context");
String idField = ConfigurationManager.getProperty("authentication-ldap", "id_field");
String dn = "";
// If adminUser is blank, then we can't search so assume the DN
if (StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword))
// If adminUser is blank and anonymous search is not allowed, then we can't search so construct the DN instead of searching it
if ((StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword)) && !anonymousSearch)
{
dn = idField + "=" + netid + "," + objectContext;
}
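Review bot: the new condition on the `if` line still requires both search.user and search.password to be non-blank before a searched bind is attempted, so an installation that sets search.user but leaves search.password empty falls back to constructing the DN, and nothing in the shown lines logs which branch was taken; since the commit message says a missing search.user now means simple authentication, a debug log statement at the fallback would let administrators tell a deliberate flat-directory setup from a misconfiguration. The fallback line `dn = idField + "=" + netid + "," + objectContext;` also concatenates the raw netid into the DN; escaping it according to RFC 4514 (or rejecting netids that contain `,`, `+`, `=` and similar DN metacharacters) would keep a login name from altering the structure of the DN that is then bound.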


@@ -111,16 +111,18 @@ autoregister = true
##### Hierarchical LDAP Settings #####
# If your users are spread out across a hierarchical tree on your
# LDAP server, you will need to specify the username and password of
# a user who is allowed to search the tree to find the full DN of
# LDAP server, you will need to search the tree to find the full DN of
# the user who is logging in.
#
# You can optionally specify the search scope. If anonymous access is not
# enabled on your LDAP server, you will need to specify the full DN and
# password of a user that is allowed to bind in order to search for the
# users.
# * If anonymous search is allowed on your LDAP server, you will need to set
# search.anonymous = true
# * If not, you will need to specify the full DN and password of a
# user that is allowed to bind in order to search for the users.
# * If neither search.anonymous is true, nor search.user is specified,
# LDAP will not do the hierarchical search for a DN and will assume
# a flat directory structure.
# This is the search scope value for the LDAP search during
# This is the optional search scope value for the LDAP search during
# autoregistering. This will depend on your LDAP server setup.
# This value must be one of the following integers corresponding
# to the following values:
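Review bot: the third bullet ("If neither search.anonymous is true, nor search.user is specified, LDAP will not do the hierarchical search") does not match the Java hunk, which also skips the search when search.password is blank; name both search.user and search.password in that bullet so the documentation describes the condition the code actually checks. The first bullet could also note that search.anonymous = true only works when the directory permits anonymous read of the user subtree, which is the precondition the second bullet implicitly assumes is absent.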
@@ -129,9 +131,11 @@ autoregister = true
# subtree scope : 2
#search_scope = 2
# If true, the initial bind will be performed anonymously.
#search.anonymous = false
# The full DN and password of a user allowed to connect to the LDAP server
# and search for the DN of the user trying to log in. If these are not specified,
# the initial bind will be performed anonymously.
# and search for the DN of the user trying to log in.
#search.user = cn=admin,ou=people,o=myu.edu
#search.password = password
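Review bot: the comment above `#search.anonymous = false` should state that false is the default when the property is absent, since the commit message makes adding this property mandatory for existing anonymous-search installations and the commented-out example alone does not make that obvious. The removed sentence "If these are not specified, the initial bind will be performed anonymously" is correctly gone, but the example `#search.password = password` documents a clear-text bind credential in a configuration file; a one-line reminder to restrict read permissions on this file (and to use a low-privilege, read-only search account for search.user) would fit here.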