diff --git a/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java b/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java
index 43e305452c..04e54394a7 100644
--- a/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java
+++ b/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java
@@ -228,7 +228,7 @@ public class LDAPAuthentication
 context.setCurrentUser(eperson);
 // assign user to groups based on ldap dn
- assignGroupsBasedOnLdapDn(dn, context);
+ assignGroups(dn, ldap.ldapGroup, context);
 log.info(LogManager
 .getHeader(context, "authenticate", "type=ldap"));
@@ -275,7 +275,7 @@ public class LDAPAuthentication
 context.setCurrentUser(eperson);
 // assign user to groups based on ldap dn
- assignGroupsBasedOnLdapDn(dn, context);
+ assignGroups(dn, ldap.ldapGroup, context);
 return SUCCESS;
 }
@@ -312,7 +312,7 @@ public class LDAPAuthentication
 context.setCurrentUser(eperson);
 // assign user to groups based on ldap dn
- assignGroupsBasedOnLdapDn(dn, context);
+ assignGroups(dn, ldap.ldapGroup, context);
 }
 catch (AuthorizeException e) {
@@ -362,6 +362,7 @@ public class LDAPAuthentication
 protected String ldapGivenName = null;
 protected String ldapSurname = null;
 protected String ldapPhone = null;
+ protected String ldapGroup = null;
 /** LDAP settings */
 String ldap_provider_url = ConfigurationManager.getProperty("authentication-ldap", "provider_url");
@@ -373,6 +374,7 @@ public class LDAPAuthentication
 String ldap_givenname_field = ConfigurationManager.getProperty("authentication-ldap", "givenname_field");
 String ldap_surname_field = ConfigurationManager.getProperty("authentication-ldap", "surname_field");
 String ldap_phone_field = ConfigurationManager.getProperty("authentication-ldap", "phone_field");
+ String ldap_group_field = ConfigurationManager.getProperty("authentication-ldap", "login.groupmap.attribute");
 SpeakerToLDAP(Logger thelog) {
@@ -448,7 +450,7 @@ public class LDAPAuthentication
 }
 String attlist[] = {ldap_email_field, ldap_givenname_field,
- ldap_surname_field, ldap_phone_field};
+ ldap_surname_field, ldap_phone_field, ldap_group_field};
 Attributes atts = sr.getAttributes();
 Attribute att;
@@ -483,6 +485,14 @@ public class LDAPAuthentication
 ldapPhone = (String) att.get();
 }
 }
+
+ if (attlist[4] != null) {
+ att = atts.get(attlist[4]);
+ if (att != null)
+ {
+ ldapGroup = (String) att.get();
+ }
+ }
 if (answer.hasMoreElements()) {
 // Oh dear - more than one match
@@ -614,20 +624,29 @@ public class LDAPAuthentication
 * Add authenticated users to the group defined in dspace.cfg by
 * the authentication-ldap.login.groupmap.* key.
 */
- private void assignGroupsBasedOnLdapDn(String dn, Context context)
+ private void assignGroups(String dn, String group, Context context)
 {
 if (StringUtils.isNotBlank(dn))
 {
 System.out.println("dn:" + dn);
 int i = 1;
 String groupMap = ConfigurationManager.getProperty("authentication-ldap", "login.groupmap." + i);
+
+ boolean cmp;
+
 while (groupMap != null)
 {
 String t[] = groupMap.split(":");
 String ldapSearchString = t[0];
 String dspaceGroupName = t[1];
+
+ if (group == null) {
+ cmp = StringUtils.containsIgnoreCase(dn, ldapSearchString + ",");
+ } else {
+ cmp = StringUtils.equalsIgnoreCase(group, ldapSearchString);
+ }
- if (StringUtils.containsIgnoreCase(dn, ldapSearchString))
+ if (cmp)
 {
 // assign user to this group
 try
diff --git a/dspace/config/modules/authentication-ldap.cfg b/dspace/config/modules/authentication-ldap.cfg
index b5a2b4cddb..749a11625c 100644
--- a/dspace/config/modules/authentication-ldap.cfg
+++ b/dspace/config/modules/authentication-ldap.cfg
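Review bot: `ldapGroup = (String) att.get();` in the new `attlist[4]` block keeps exactly one value of the attribute — JNDI's `Attribute.get()` returns a single value and, for a multi-valued attribute, does not specify which one; group-membership attributes such as memberOf are typically multi-valued. A user who belongs to several mapped groups is therefore compared against at most one of them, and which DSpace group they receive depends on directory ordering, so the "one user may belong to multiple groups" promise in the config does not hold in attribute mode. I would collect every value with `att.getAll()` into a `List<String>` field (in place of the `String ldapGroup` added in the earlier hunk) and have `assignGroups` test each groupmap entry against all collected values; `getAll()` throws NamingException, which the enclosing lookup method presumably already handles — confirm. The enclosing search loop of `SpeakerToLDAP` starts and ends outside this hunk.
```java
if (attlist[4] != null) {
    att = atts.get(attlist[4]);
    if (att != null)
    {
        // group-membership attributes are commonly multi-valued: keep every value,
        // not an arbitrary one, so a user in several mapped groups matches them all
        NamingEnumeration<?> values = att.getAll();
        while (values.hasMore()) {
            ldapGroups.add((String) values.next());
        }
    }
}
```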
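Review bot: The mode switch in `assignGroups` is decided per user instead of per configuration: `if (group == null)` falls back to DN substring matching whenever this particular user lacks the attribute, even when `login.groupmap.attribute` is set and the groupmap entries are bare group names intended for `equalsIgnoreCase`. That fallback searches `ldapSearchString + ","` anywhere in the DN string, and since commas inside RDN values appear escaped in the string form (`cn=me\,ldap-dept1,ou=users,...`), a user who can influence an RDN value of their own entry can satisfy the test; the trailing `","` added here narrows the old check but still is not a component match. I would read the configured mode explicitly so that a missing attribute yields no group rather than a DN fallback, and compare DN components with `javax.naming.ldap.LdapName`/`Rdn` instead of a substring (keeping the substring check only for groupmap values that are not valid RDNs, if compatibility is needed). Note also that appending `","` means the final RDN (e.g. `dc=example`) can no longer be matched, a behaviour change for existing groupmap entries. The method body continues past the end of the hunk.
```java
boolean attributeMode = ConfigurationManager.getProperty("authentication-ldap", "login.groupmap.attribute") != null;
// … unchanged: groupmap loop header, split into ldapSearchString / dspaceGroupName …
if (group == null) {
    // attribute mode configured but this user has no such attribute: no fallback to DN matching
    cmp = !attributeMode && dnHasRdn(dn, ldapSearchString);
} else {
    cmp = StringUtils.equalsIgnoreCase(group, ldapSearchString);
}
// … unchanged: group assignment …

/** True when one RDN of {@code dn} equals {@code wanted} (type and value compared case-insensitively by Rdn.equals). */
private static boolean dnHasRdn(String dn, String wanted)
{
    try {
        Rdn wantedRdn = new Rdn(wanted);
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (wantedRdn.equals(rdn)) {
                return true;
            }
        }
    } catch (InvalidNameException e) {
        // unparseable DN or groupmap entry: treat as not a member
    }
    return false;
}
```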
@@ -146,3 +146,24 @@ autoregister = true
 # netid_email_domain as '@example.com' would set the email of the user
 # to be 'user@example.com
 #netid_email_domain = @example.com
+
+# Take the left part of the groupmap value (before the ":") and look it up
+# in user's full DN. If it's found, assign user to the DSpace group
+# specified by the right part of the groupmap value (after the ":").
+# One user may belong to multiple groups.
+#login.groupmap.1 = ou=ldap-dept1:dspace-group1
+#login.groupmap.2 = ou=ldap-dept2:dspave-groupA
+#login.groupmap.3 = ou=ldap-dept3:dspave-groupA
+
+# If this property is uncommented, it changes the meaning of the left part of
+# the groupmap value (before the ":") as follows.
+# The value of login.groupmap.attribute specifies the name of an LDAP attribute.
+# If user has this attribute, look up the value of this attribute in the left
+# part of the groupmap value (before the ":"). If it's found, assign user to
+# the DSpace group specified by the right part of the groupmap value (after
+# the ":").
+#login.groupmap.attribute = group
+#login.groupmap.1 = ldap-dept1:dspace-group1
+#login.groupmap.2 = ldap-dept2:dspave-groupA
+#login.groupmap.3 = ldap-dept3:dspave-groupA
+
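Review bot: The attribute-mode paragraph omits two behaviours visible in the accompanying Java change that an administrator granting DSpace group rights needs to know: only a single value of the attribute is consulted (`(String) att.get()`), and a user who lacks the attribute is still matched against their DN using the same `login.groupmap.N` entries. I would add after the `login.groupmap.attribute` description: `# Only one value of the attribute is used; users without the attribute fall back to the DN lookup described above, with the same groupmap entries.` The example values `dspave-groupA` on groupmap.2 and groupmap.3 look like a typo for `dspace-groupA`.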