DS-1690 assign DSpace group based on LDAP attribute value

dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java

@@ -228,7 +228,7 @@ public class LDAPAuthentication
                 context.setCurrentUser(eperson);
 
                 // assign user to groups based on ldap dn
-                assignGroupsBasedOnLdapDn(dn, context);
+                assignGroups(dn, ldap.ldapGroup, context);
                 
                 log.info(LogManager
                     .getHeader(context, "authenticate", "type=ldap"));
@@ -275,7 +275,7 @@ public class LDAPAuthentication
                             context.setCurrentUser(eperson);
 
                             // assign user to groups based on ldap dn
-                            assignGroupsBasedOnLdapDn(dn, context);
+                            assignGroups(dn, ldap.ldapGroup, context);
 
                             return SUCCESS;
                         }
@@ -312,7 +312,7 @@ public class LDAPAuthentication
                                     context.setCurrentUser(eperson);
 
                                     // assign user to groups based on ldap dn
-                                    assignGroupsBasedOnLdapDn(dn, context);
+                                    assignGroups(dn, ldap.ldapGroup, context);
                                 }
                                 catch (AuthorizeException e)
                                 {
@@ -362,6 +362,7 @@ public class LDAPAuthentication
         protected String ldapGivenName = null;
         protected String ldapSurname = null;
         protected String ldapPhone = null;
+        protected String ldapGroup = null;
 
         /** LDAP settings */
         String ldap_provider_url = ConfigurationManager.getProperty("authentication-ldap", "provider_url");
@@ -373,6 +374,7 @@ public class LDAPAuthentication
         String ldap_givenname_field = ConfigurationManager.getProperty("authentication-ldap", "givenname_field");
         String ldap_surname_field = ConfigurationManager.getProperty("authentication-ldap", "surname_field");
         String ldap_phone_field = ConfigurationManager.getProperty("authentication-ldap", "phone_field");
+        String ldap_group_field = ConfigurationManager.getProperty("authentication-ldap", "login.groupmap.attribute"); 
 
         SpeakerToLDAP(Logger thelog)
         {
@@ -448,7 +450,7 @@ public class LDAPAuthentication
                         }
 
                         String attlist[] = {ldap_email_field, ldap_givenname_field,
-                                            ldap_surname_field, ldap_phone_field};
+                                            ldap_surname_field, ldap_phone_field, ldap_group_field};
                         Attributes atts = sr.getAttributes();
                         Attribute att;
 
@@ -484,6 +486,14 @@ public class LDAPAuthentication
                             }
                         }
                 
+                        if (attlist[4] != null) {
+                            att = atts.get(attlist[4]);
+                            if (att != null) 
+                            {
+                                ldapGroup = (String) att.get();
+                            }
+                        }
+
                         if (answer.hasMoreElements()) {
                             // Oh dear - more than one match
                             // Ambiguous user, can't continue
@@ -614,20 +624,29 @@ public class LDAPAuthentication
      * Add authenticated users to the group defined in dspace.cfg by
      * the authentication-ldap.login.groupmap.* key.
      */
-    private void assignGroupsBasedOnLdapDn(String dn, Context context)
+    private void assignGroups(String dn, String group, Context context)
     {
         if (StringUtils.isNotBlank(dn)) 
         {
             System.out.println("dn:" + dn);
             int i = 1;
             String groupMap = ConfigurationManager.getProperty("authentication-ldap", "login.groupmap." + i);
+            
+            boolean cmp;
+            
             while (groupMap != null)
             {
                 String t[] = groupMap.split(":");
                 String ldapSearchString = t[0];
                 String dspaceGroupName = t[1];
  
-                if (StringUtils.containsIgnoreCase(dn, ldapSearchString)) 
+                if (group == null) {
+                    cmp = StringUtils.containsIgnoreCase(dn, ldapSearchString + ",");
+                } else {
+                    cmp = StringUtils.equalsIgnoreCase(group, ldapSearchString);
+                }
+
+                if (cmp) 
                 {
                     // assign user to this group   
                     try

dspace/config/modules/authentication-ldap.cfg

@@ -146,3 +146,24 @@ autoregister = true
 # netid_email_domain as '@example.com' would set the email of the user
 # to be 'user@example.com
 #netid_email_domain = @example.com
+
+# Take the left part of the groupmap value (before the ":") and look it up
+# in user's full DN. If it's found, assign user to the DSpace group
+# specified by the right part of the groupmap value (after the ":").
+# One user may belong to multiple groups.
+#login.groupmap.1 = ou=ldap-dept1:dspace-group1
+#login.groupmap.2 = ou=ldap-dept2:dspave-groupA
+#login.groupmap.3 = ou=ldap-dept3:dspave-groupA
+
+# If this property is uncommented, it changes the meaning of the left part of
+# the groupmap value (before the ":") as follows.
+# The value of login.groupmap.attribute specifies the name of an LDAP attribute.
+# If user has this attribute, look up the value of this attribute in the left
+# part of the groupmap value (before the ":"). If it's found, assign user to
+# the DSpace group specified by the right part of the groupmap value (after
+# the ":").
+#login.groupmap.attribute = group
+#login.groupmap.1 = ldap-dept1:dspace-group1
+#login.groupmap.2 = ldap-dept2:dspave-groupA
+#login.groupmap.3 = ldap-dept3:dspave-groupA
+