by sean » Thu May 10, 2007 9:14 am
Hi,
We've successfully integrated OJS with our Active Directory via the LDAP plugin. We have one problem though, when it comes to users outside of the ADS. A person is able to register at the site, but then he/she is not able to log in, as the default authentication source is set to the AD. The journal manager has to manually change the authentication source to the OJS database for the user to be able to log in. I would appreciate some advice about how to modify OJS so that if a user is not located on the ADS, then OJS would check the OJS database for authentication.
Regards,
Sean
-
sean
-
- Posts: 37
- Joined: Thu Mar 15, 2007 3:25 pm
-
by asmecher » Fri May 11, 2007 9:14 am
Hi Sean,
Have you turned on the "Create Users" option in OJS's LDAP configuration? That would result in new entries being created for newly registered users. Then new registrants would be able to log in immediately.
Regards,
Alec Smecher
Open Journal Systems Team
---
Don't miss the First International PKP Scholarly Publishing Conference
July 11 - 13, 2007, Vancouver, BC, Canada
http://ocs.sfu.ca/pkp2007/
-
asmecher
-
- Posts: 5747
- Joined: Wed Aug 10, 2005 12:56 pm
-
by sean » Tue May 15, 2007 9:04 am
No, I didn't turn that on because I don't want new users on OJS to be added to the remote authentication source. What is happening is that a user is able to register with the site, but is not able to log in, since the default authentication source is set to LDAP. However, looking at the login function in the Validation class, it seems to try to authenticate against the OJS database only if the LDAP auth is not set.
Code:
    if (isset($auth)) {
        // Validate against remote authentication source
        $valid = $auth->authenticate($username, $password);
        if ($valid) {
            $oldEmail = $user->getEmail();
            $auth->doGetUserInfo($user);
            if ($user->getEmail() != $oldEmail) {
                // FIXME OJS requires email addresses to be unique; if changed email already exists, ignore
                if ($userDao->userExistsByEmail($user->getEmail())) {
                    $user->setEmail($oldEmail);
                }
            }
        }
    } else {
        // Validate against OJS user database
        $valid = ($user->getPassword() === Validation::encryptCredentials($username, $password));
    }
This means that a local user can't log in until their auth source is manually set to the OJS database in their profile.
by sean » Tue May 15, 2007 11:53 am
How exactly does OJS handle user authentication for logins? It seems to me that the signIn() function in the LoginHandler class gets called, which then passes the credentials to the login() function (among others) in the Validate class.
What would be the most elegant way to modify OJS to achieve the result that we want?
Regards,
Sean
by asmecher » Fri May 18, 2007 1:01 pm
Hi Sean,
I'd suggest modifying the registration process so that at its conclusion it checks to see whether the default authorization plugin is satisfied with the credentials the user supplied. If not (i.e. if the user account doesn't exist in the LDAP database) the user's default authentication method should be changed.
Regards,
Alec Smecher
Open Journal Systems Team
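The approach suggested in the reply above, sketched as an added example (not OJS code and not written by either poster): registration binds each account to exactly one authentication source, and login consults only that source. `StubDirectoryAuth`, `registerUser`, `login` and the sample accounts are hypothetical stand-ins, and PHP's `password_hash` is used in place of OJS's own credential hashing.

```php
<?php
// Added illustration: hypothetical stand-ins, not OJS classes or functions.
const LOCAL_AUTH_ID = 0; // per the thread, 0 (or null) means the local OJS database

// Stand-in for the LDAP plugin; holds constructed directory accounts.
class StubDirectoryAuth {
    public $authId;
    private $accounts;
    public function __construct(int $authId, array $accounts) {
        $this->authId = $authId;
        $this->accounts = $accounts;
    }
    public function exists(string $username): bool {
        return isset($this->accounts[$username]);
    }
    public function authenticate(string $username, string $password): bool {
        return $this->exists($username)
            && hash_equals($this->accounts[$username], $password);
    }
}

// End of registration: bind the account to exactly one authentication source.
// Returns the auth_id chosen, or null when registration is refused.
function registerUser(array &$users, StubDirectoryAuth $default, string $username, string $password): ?int {
    if ($default->authenticate($username, $password)) {
        $users[$username] = ['auth_id' => $default->authId, 'hash' => null];
    } elseif ($default->exists($username)) {
        return null; // directory name with wrong password: do not shadow it locally
    } else {
        $users[$username] = ['auth_id' => LOCAL_AUTH_ID, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    }
    return $users[$username]['auth_id'];
}

// Login: consult only the source recorded on the account, with no fall-through.
function login(array $users, StubDirectoryAuth $default, string $username, string $password): bool {
    if (!isset($users[$username])) { return false; }
    $user = $users[$username];
    if ($user['auth_id'] === $default->authId) {
        return $default->authenticate($username, $password);
    }
    return $user['hash'] !== null && password_verify($password, $user['hash']);
}

// Constructed sample data: auth_id 2 mirrors the LDAP source id mentioned in the thread.
$ldap = new StubDirectoryAuth(2, ['alice' => 'dir-secret']);
$users = [];
var_dump(registerUser($users, $ldap, 'alice', 'dir-secret'));
var_dump(registerUser($users, $ldap, 'bob', 'local-secret'));
var_dump(login($users, $ldap, 'bob', 'local-secret'));
var_dump(login($users, $ldap, 'alice', 'local-secret'));
```

Because the source is fixed per account, a directory account can never be satisfied by a locally stored password, and a registrant cannot claim a username that already exists in the directory.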
by sean » Thu May 24, 2007 12:59 pm
Thanks for the suggestion. That does seem like a good way to work around it. Thanks.
by sean » Wed May 30, 2007 4:34 pm
Alec,
What's the auth_id for the local database? I've tried
Code:
    $user->setAuthId(0)
and
Code:
    $user->setAuthId(null)
In both instances the "Authentication Source" on the user profile is set to blank, just as with the local database; however, the user still can't log in. Is there something I'm missing?
Thanks
by asmecher » Wed May 30, 2007 5:02 pm
Hi Sean,
An auth_id of 0 and null should be equivalent; either should indicate the local database. There should be no corresponding entry in the auth_sources table for the specified auth_id. Have you checked in the database itself to make sure that the user's auth_id is set properly?
Regards,
Alec Smecher
Public Knowledge Project Team
by sean » Thu May 31, 2007 8:45 am
Alec,
Yes, in the database the users' auth_id has been set to 0 and the only entry in the auth_sources table has an auth_id of 2 for the ldap plugin. Any ideas as to why it's still not working?
Thanks,
Sean
by asmecher » Thu May 31, 2007 8:51 am
Hi Sean,
Off the top of my head, it should work as is. Could you step through the "login" function in classes/security/Validation.inc.php to see where the login is being declined?
Regards,
Alec Smecher
Public Knowledge Project Team
by sean » Thu May 31, 2007 8:52 am
I just noticed some strange behaviour. When the user registers he is not able to log in with his password as mentioned above. However, when the admin changes the password of the user, the user is then able to log in (via local database). Does this help?
by sean » Thu May 31, 2007 10:13 am
SUCCESS! Thanks Alec!
by mwood » Thu Nov 01, 2007 10:08 am
Please, how did you manage to get ADS to talk with OJS? Here OJS requests a null bind, which ADS accepts but gives no access to any objects. Our ADS setup requires credentials for a usable bind. Yes, I've specified a valid Manager DN and Manager Password pair but they aren't used.
I tried enabling SASL to see if that would try a non-null bind. Then the login process returns a blank page and no LDAP transactions are seen. I'm not sure where it would get the principal's password anyway since there's no place on the form to specify one.
Even if the binding worked, the code then searches using a filter uid=whatever, and our ADS doesn't use uid at all. We'd need to filter by cn=whatever.
-
mwood
-
- Posts: 20
- Joined: Thu Nov 01, 2007 8:06 am
- Location: Indianapolis, Indiana, US
by njnosko » Thu Nov 29, 2012 1:36 pm
Hi Sean,
I know this post is pretty old by now but I have the same situation as you right now with our OJS setup. LDAP is our default auth method but we also have people who register who are not in our LDAP and we don't want them to be. For these people we want the registration process to set their auth method as the local OJS database. Would you mind sharing what you did to get this to work in your instance? What code did you write and what files did you modify? Thanks for any help you can provide. I'll try sending you a PM as well.
-Nick
-
njnosko
-
- Posts: 3
- Joined: Thu Nov 29, 2012 1:28 pm