Could not set up OJS to use LDAP plugin


Post by scachett » Wed Jul 26, 2006 6:49 am

Hi all,

I've been trying to set up OJS to use the LDAP plugin that ships with the package, but without success so far. Unfortunately, I couldn't find much documentation regarding the subject, so I was wondering whether anyone who has done it before could help me out.

What I did to set it up was this:

1) Went to section Home>User>Site Administration>Authentication Sources
2) Selected LDAP on the combobox on the bottom of the page and clicked the "Create" button
3) Entered the appropriate LDAP settings for my server
4) Marked all checkboxes re. registration behaviour and chose CLEARTEXT for pwd encryption
5) Clicked SAVE
6) Selected the newly created LDAP authentication plugin record as the default one and clicked save

Then I logged out and tried to log in as one of the users from my LDAP server but I couldn't log in.

I tried to trace the code to check whether the plugin was enabled (with echo calls in strategic places in the code). As far as I can tell, OJS doesn't seem to be calling any code on the plugin when I try to log in.

When I try to log in as a user on the local database, then I can get in.

I was wondering whether anyone could help me troubleshoot my OJS/LDAP setup. I'm running OJS 2.1.0-1 with MySQL 4.1 and PHP 4.3 on a Windows XP Pro box (test environment). I can easily test this setup on a RedHat EL 4 box (with about the same versions of MySQL and PHP) if that makes any difference (incidentally, that configuration is more similar to my production environment).

Any help is greatly appreciated.

Regards,

Ricardo
scachett
 
Posts: 5
Joined: Tue Jun 27, 2006 9:11 am

Post by asmecher » Thu Jul 27, 2006 11:06 am

Hi Ricardo,

OJS supports LDAP for password authentication and profile synchronization, but users must have accounts in OJS in order to log in via LDAP, since OJS stores a large amount of relational records that refer to user accounts. In order to use LDAP for authentication (and profile information, if desired), you'll have to create accounts for users and set each account's authentication method to LDAP. OJS currently supports creating accounts in the LDAP database when users register, but it doesn't at the moment support creating an OJS user account from an LDAP record. The LDAP plugin hasn't received much attention yet, but we're hoping to improve support in the near future with your feedback.

Regards,
Alec Smecher
Open Journal Systems Team
asmecher
 
Posts: 8570
Joined: Wed Aug 10, 2005 12:56 pm

Post by scachett » Mon Aug 14, 2006 6:25 am

Hi Alec,

Thanks very much for your reply and for providing additional instructions on how to authenticate users from an LDAP directory. After reading your explanation I was able to set OJS to authenticate against my LDAP directory without any problems.

asmecher wrote: OJS supports LDAP for password authentication and profile synchronization, but users must have accounts in OJS in order to log in via LDAP, since OJS stores a large amount of relational records that refer to user accounts.


I understand very well this very sensible design decision.

asmecher wrote: In order to use LDAP for authentication (and profile information, if desired), you'll have to create accounts for users and set each account's authentication method to LDAP. OJS currently supports creating accounts in the LDAP database when users register, but it doesn't at the moment support creating an OJS user account from an LDAP record.


My goal was to implement a single registration database for multiple, disparate systems that make up the web system I am developing. I wanted to provide a single place for my users to register and later edit their profiles. I would also like to let them use a single set of credentials to access the various subsystems they have available, such as Typo3 Content Management System, TWiki, Subversion, WebDAV and some others.

The LDAP plugin came in really handy for me, but as you may have expected, I needed to come up with my own way of creating the user accounts in OJS so that they can be later authenticated via LDAP.

What I did was to code a web application that has direct access to the user account information in the OJS database.

Although this solves my problem, it may not be a good general solution for others trying to use OJS with LDAP.

I believe that to make the LDAP support in OJS complete, there needs to be a way for external applications to:

1) Create new user accounts (one at a time). There should be a way to link those accounts to journals, and of enrolling users. This feature would require OJS to describe to the calling application which journals are available.

2) Update profile details when users change them in the central registration application.

It would also be nice to have a button that the OJS administrator could push to synchronize the OJS user database to the external (LDAP) source.

It would also be nice to have a way to block or redirect the links to Registration forms on OJS once you select a new authentication source for the system.

Note that there are several implications to be considered when implementing these features:

* general security implications and authentication of the external application;
* issue of deleting existing users, etc.

Note that these requirements reflect my needs regarding LDAP authentication, and may not be general enough to fulfil the needs of others.

Anyways, I hope this information is of any help to you.

Keep up the great work.

Regards,
Ricardo
scachett
 
Posts: 5
Joined: Tue Jun 27, 2006 9:11 am

Post by asmecher » Mon Aug 14, 2006 8:20 am

Hi Ricardo,

Thanks for the feedback -- we'll be considering this.

Regards,
Alec Smecher
Open Journal Systems Team
asmecher
 
Posts: 8570
Joined: Wed Aug 10, 2005 12:56 pm

Post by mo.menezes » Fri Oct 27, 2006 2:17 pm

Hi,

I just installed OJS and found the same problem with LDAP.
After reading the previous posts, I came up with the following "wannabe solution":
Once the administrator sets up LDAP as the authentication source, the OJS system should create all user profiles on-the-fly at the first successful login.
This would enable the utilisation of an existing LDAP user base without further administration effort.
Is this feasible?
For now I will try to implement a solution like Ricardo did. Ricardo, would you mind sharing your solution in more detail? Maybe in PM?

Thanks,

Mario
Sao Paulo/BR
mo.menezes
 
Posts: 1
Joined: Fri Oct 27, 2006 2:03 pm
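
Added example, not part of any post in this thread and not OJS code: a small Python model of the login flow described above (a local account must exist before the LDAP source is consulted) next to the on-the-fly provisioning proposed in the last post. The directory contents and all class and function names are assumptions. The empty-password check is there because some LDAP servers accept a simple bind with an empty password as an unauthenticated bind.

```python
# Model of the login flow discussed in this thread. Not OJS code; all names are hypothetical.

# Constructed sample directory (DN -> password) standing in for a real LDAP server.
BASE_DN = "ou=people,dc=example,dc=org"
DIRECTORY = {
    f"uid=ricardo,{BASE_DN}": "s3cret",
    f"uid=mario,{BASE_DN}": "hunter2",
}

def ldap_simple_bind(dn, password):
    """Mimic a server that allows RFC 4513 unauthenticated binds."""
    if password == "":
        return True  # the bind succeeds, but it proves nothing about the user
    return DIRECTORY.get(dn) == password

class Site:
    def __init__(self, provision_on_login=False):
        self.accounts = {}  # username -> list of roles; all accounts use the LDAP source
        self.provision_on_login = provision_on_login

    def check_ldap(self, username, password):
        # Refuse empty passwords before binding, and keep DN metacharacters out.
        if password == "" or not username.isalnum():
            return False
        return ldap_simple_bind(f"uid={username},{BASE_DN}", password)

    def login(self, username, password):
        if username in self.accounts:
            ok = self.check_ldap(username, password)
            return "ok" if ok else "rejected: bad credentials"
        if not self.provision_on_login:
            # Behaviour described in the thread: no local record, so the
            # directory is never consulted and the login fails.
            return "rejected: no local account"
        if not self.check_ldap(username, password):
            return "rejected: bad credentials"
        # Proposal from the thread: create the record after the first
        # successful bind. It starts with no roles (least privilege).
        self.accounts[username] = []
        return "ok: provisioned"
```

With `provision_on_login` left off, a valid directory user is rejected until a local record exists, which matches the symptom in the first post.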

