Multiple Authentication?


Postby sean » Thu May 10, 2007 9:14 am

Hi,

We've successfully integrated OJS with our Active Directory via the LDAP plugin. We have one problem though, when it comes to users outside of the ADS. A person is able to register at the site, but then he/she is not able to log in, as the default authentication source is set to the AD. The journal manager has to manually change the authentication source to the OJS database for the user to be able to log in. I would appreciate some advice about how to modify OJS so that if a user is not located on the ADS, then OJS would check the OJS database for authentication.

Regards,

Sean
sean
 
Posts: 37
Joined: Thu Mar 15, 2007 3:25 pm

Postby asmecher » Fri May 11, 2007 9:14 am

Hi Sean,

Have you turned on the "Create Users" option in OJS's LDAP configuration? That would result in new entries being created for newly registered users. Then new registrants would be able to log in immediately.

Regards,
Alec Smecher
Open Journal Systems Team
---
Don't miss the First International PKP Scholarly Publishing Conference
July 11 - 13, 2007, Vancouver, BC, Canada
http://ocs.sfu.ca/pkp2007/
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Postby sean » Tue May 15, 2007 9:04 am

No, I didn't turn that on because I don't want new users on OJS to be added to the remote authentication source. What is happening is that a user is able to register with the site, but is not able to log in since the default authentication source is set to LDAP. However, looking at the login function in the Validation class, it seems to try to authenticate against the OJS database only if the LDAP auth is not set.

Code:
if (isset($auth)) {
    // Validate against remote authentication source
    $valid = $auth->authenticate($username, $password);
    if ($valid) {
        $oldEmail = $user->getEmail();
        $auth->doGetUserInfo($user);
        if ($user->getEmail() != $oldEmail) {
            // FIXME OJS requires email addresses to be unique; if changed email already exists, ignore
            if ($userDao->userExistsByEmail($user->getEmail())) {
                $user->setEmail($oldEmail);
            }
        }
    }
} else {
    // Validate against OJS user database
    $valid = ($user->getPassword() === Validation::encryptCredentials($username, $password));
}

This means that a local user can't log in until their auth source is manually set to the OJS database in their profile.
sean
 
Posts: 37
Joined: Thu Mar 15, 2007 3:25 pm

Postby sean » Tue May 15, 2007 11:53 am

How exactly does OJS handle user authentication for logins? It seems to me that the signIn() function in the LoginHandler class gets called, which then passes the credentials to the login() function (among others) in the Validate class.

What would be the most elegant way to modify OJS to achieve the result that we want?

Regards,
Sean
sean
 
Posts: 37
Joined: Thu Mar 15, 2007 3:25 pm

Postby asmecher » Fri May 18, 2007 1:01 pm

Hi Sean,

I'd suggest modifying the registration process so that at its conclusion it checks to see whether the default authorization plugin is satisfied with the credentials the user supplied. If not (i.e. if the user account doesn't exist in the LDAP database) the user's default authentication method should be changed.

Regards,
Alec Smecher
Open Journal Systems Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm
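
The registration-time check suggested in the post above, as an added example (not OJS code and not written by either poster). It assumes PHP 8; `FakeDirectory`, `registerUser` and `loginUser` are hypothetical names, the directory account is constructed sample data, and `password_hash` stands in for OJS's own credential hashing.

```php
<?php
// Added illustration, not OJS code: every class and function name is hypothetical.
const AUTH_LOCAL = 0;   // per the thread, auth_id 0 (or null) means the local database
const AUTH_LDAP  = 2;   // the thread's auth_sources row for the LDAP plugin

interface AuthSource { public function authenticate(string $username, string $password): bool; }

// Stand-in for the directory; its accounts are constructed sample data.
final class FakeDirectory implements AuthSource {
    public function __construct(private array $accounts) {}
    public function authenticate(string $username, string $password): bool {
        // Refuse empty passwords: a directory may accept such a bind as anonymous.
        if ($password === '' || !isset($this->accounts[$username])) {
            return false;
        }
        return hash_equals($this->accounts[$username], $password);
    }
}

// Registration: keep the default source only if it accepts the credentials.
function registerUser(array &$users, AuthSource $default, string $username, string $password): int {
    if ($default->authenticate($username, $password)) {
        $users[$username] = ['auth_id' => AUTH_LDAP, 'hash' => null];
    } else {
        // Not in the directory: bind the account to the local source and
        // store a local hash so there is something to verify at login.
        $users[$username] = ['auth_id' => AUTH_LOCAL, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    }
    return $users[$username]['auth_id'];
}

// Login: route strictly by the stored auth_id, never fall back across sources.
function loginUser(array $users, array $sources, string $username, string $password): bool {
    if ($password === '' || !isset($users[$username])) {
        return false;
    }
    $row = $users[$username];
    if ($row['auth_id'] === AUTH_LOCAL) {
        return password_verify($password, $row['hash']);
    }
    $source = $sources[$row['auth_id']] ?? null;
    return $source !== null && $source->authenticate($username, $password);
}

$ldap  = new FakeDirectory(['alice' => 'dir-secret']);   // constructed account
$users = [];
var_dump(registerUser($users, $ldap, 'alice', 'dir-secret'));              // directory user
var_dump(registerUser($users, $ldap, 'bob', 'local-secret'));              // outside the directory
var_dump(loginUser($users, [AUTH_LDAP => $ldap], 'bob', 'local-secret'));  // local login
var_dump(loginUser($users, [], 'alice', 'dir-secret'));                    // directory unavailable
```

Because the login path routes only by the stored `auth_id`, a directory-bound account is never checked against a local hash when the directory is unreachable. A registrant who picks a username that exists in the directory but supplies a different password also ends up on the local source, so a deployment may want to reject such names at registration.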

Postby sean » Thu May 24, 2007 12:59 pm

Thanks for the suggestion. That does seem like a good way to work around it. Thanks.
sean
 
Posts: 37
Joined: Thu Mar 15, 2007 3:25 pm

Postby sean » Wed May 30, 2007 4:34 pm

Alec,

What's the auth_id for the local database? I've tried

Code:
$user->setAuthId(0)
and
Code:
$user->setAuthId(null)

In both instances the "Authentication Source" on the user profile is set to blank, just as with the local database, however the user still can't log in. Is there something I'm missing?

Thanks
sean
 
Posts: 37
Joined: Thu Mar 15, 2007 3:25 pm

Postby asmecher » Wed May 30, 2007 5:02 pm

Hi Sean,

An auth_id of 0 and null should be equivalent; either should indicate the local database. There should be no corresponding entry in the auth_sources table for the specified auth_id. Have you checked in the database itself to make sure that the user's auth_id is set properly?

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Postby sean » Thu May 31, 2007 8:45 am

Alec,

Yes, in the database the users' auth_id has been set to 0 and the only entry in the auth_sources table has an auth_id of 2 for the ldap plugin. Any ideas as to why it's still not working?

Thanks,

Sean
sean
 
Posts: 37
Joined: Thu Mar 15, 2007 3:25 pm

Postby asmecher » Thu May 31, 2007 8:51 am

Hi Sean,

Off the top of my head, it should work as is. Could you step through the "login" function in classes/security/Validation.inc.php to see where the login is being declined?

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Postby sean » Thu May 31, 2007 8:52 am

I just noticed some strange behaviour. When the user registers he is not able to login with his password as mentioned above. However, when the admin changes the password of the user, the user is then able to login (via local database). Does this help?
sean
 
Posts: 37
Joined: Thu Mar 15, 2007 3:25 pm

Postby asmecher » Thu May 31, 2007 9:08 am

Hi Sean,

Yes, that helps. Try the patch at http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=2893 -- this will be released as part of OJS 2.2.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Postby sean » Thu May 31, 2007 10:13 am

SUCCESS! Thanks Alec!
sean
 
Posts: 37
Joined: Thu Mar 15, 2007 3:25 pm

Re: Multiple Authentication?

Postby mwood » Thu Nov 01, 2007 10:08 am

Please, how did you manage to get ADS to talk with OJS? Here OJS requests a null bind, which ADS accepts but gives no access to any objects. Our ADS setup requires credentials for a usable bind. Yes, I've specified a valid Manager DN and Manager Password pair but they aren't used.

I tried enabling SASL to see if that would try a non-null bind. Then the login process returns a blank page and no LDAP transactions are seen. I'm not sure where it would get the principal's password anyway since there's no place on the form to specify one.

Even if the binding worked, the code then searches using a filter uid=whatever, and our ADS doesn't use uid at all. We'd need to filter by cn=whatever.
mwood
 
Posts: 20
Joined: Thu Nov 01, 2007 8:06 am
Location: Indianapolis, Indiana, US

Re: Multiple Authentication?

Postby njnosko » Thu Nov 29, 2012 1:36 pm

Hi Sean,
I know this post is pretty old by now but I have the same situation as you right now with our OJS setup. LDAP is our default auth method but we also have people who register who are not in our LDAP and we don't want them to be. For these people we want the registration process to set their auth method as the local OJS database. Would you mind sharing what you did to get this to work in your instance? What code did you write and what files did you modify? Thanks for any help you can provide. I'll try sending you a PM as well.

-Nick
njnosko
 
Posts: 4
Joined: Thu Nov 29, 2012 1:28 pm

