Hey Ashwin,
that's exactly the problem I have got.

I've tried changing my URL to be ldap://dc1.csg.net:389/??sub (which should make the search go through the subtree),
but it seems the com.sun.jndi.ldap.LdapCtxFactory.InitialLdapContext(env) method ignores any scope parameter
because it is trying to log into the LDAP server (not look up a user).
I can think of 2 ways of fixing this.
1) Logging in using an admin user, searching for the required cn (user) and then trying to log in with that cn and the provided password.
This would allow us to search the entire subtree for our user.
2) We could have a list of contexts (e.g. OU=BMC Development,ou=BMC,DC=csg,DC=net; OU=BMC Production,ou=BMC,DC=csg,DC=net) where users are allowed to log in from, which is then looped through and an attempt to log in is made. This would allow permissions to be set for particular contexts within the LDAP tree.
This would allow us to provide a list of LDAP contexts that are allowed to log in using LDAP, but for large institutions like some of our customers, this could be a very large list.
I can engineer the second pretty simply, but the first is a little more work.
Any suggestions? Is anyone else looking at this or having the same problems? I find it unlikely that anyone else using the LDAP registration has all their users in the same context in LDAP.

-----Original Message-----
From: Ashwin Kutty [
Sent: 05 October 2005 02:48
To: John Rae
Subject: Re: [Dspace-tech] (no subject)

Change your search context to start from ou=BMC instead, but I am not
sure if the script will search through the tree to authenticate against
the right DN (it would be a good first step though).  That is a problem
we are struggling with right now, trying to fix the LDAP script in
DSpace, since we have random usernames rather than specific IDs which
should be searched for by the application.

John Rae wrote:
> Hey All,
> I'm not overly familiar with LDAP and I'm having trouble configuring it.
> I am in the domain
> OU=BMC Development,ou=BMC,DC=csg,DC=net
> and so I have the settings:

> ldap.provider_url = ldap://dc1.csg.net:389/??base?(objectClass_=*)_
> ldap.id_field = cn
> ldap.object_context = OU=BMC Development,ou=BMC,DC=csg,DC=net
> ldap.search_context = OU=BMC Development,ou=BMC,DC=csg,DC=net
> ldap.email_field = mail
> ldap.surname_field = sn
> ldap.givenname_field = givenName
> ldap.phone_field = telephoneNumber
> I'm getting the ability to log in using my own account, but someone in the
> "ou=BMC Production,ou=BMC,DC=csg,DC=net" domain cannot.
> Am I simply configuring this incorrectly?

> thanks
> John.

"The difference between genius and stupidity is that genius has its
limits."  - Albert Einstein

Senior Systems Administrator
Dalhousie University Libraries
(902) 494-2694
This email has been scanned by Postini.
For more information please visit http://www.postini.com
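The search-then-bind flow John describes as option 1, written out as an added Java/JNDI example; this is not code from the thread or from DSpace's own LDAP authentication module. The host (dc1.csg.net:389), the `cn` id field and the returned attributes follow the settings quoted above, and the search starts at ou=BMC with subtree scope as Ashwin suggests, so users under both "OU=BMC Development" and "OU=BMC Production" are found. The service account DN `cn=dspace-bind,ou=Service Accounts,DC=csg,DC=net` and the `DSPACE_LDAP_BIND_PASSWORD` environment variable are placeholders I made up for the example.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Search-then-bind LDAP login: bind as a read-only service account, find the
 *  user's DN anywhere under the search base, then bind again as that DN. */
public class LdapSearchThenBind {

    static final String PROVIDER_URL = "ldap://dc1.csg.net:389";       // host from the thread
    static final String SEARCH_BASE  = "ou=BMC,DC=csg,DC=net";         // one level up, searched as subtree
    static final String ID_FIELD     = "cn";                           // ldap.id_field from the thread
    // Placeholder (assumed): a low-privilege account that can only read user entries.
    static final String SERVICE_DN   = "cn=dspace-bind,ou=Service Accounts,DC=csg,DC=net";

    /** Escape a value for use inside an LDAP search filter (RFC 4515), so a
     *  username such as "*)(cn=*" cannot rewrite the filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Open a simple-bind connection as the given DN; throws on bad credentials. */
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Resolve username to exactly one DN under SEARCH_BASE. Returns null for no
     *  match or for more than one match: the same cn may exist in two OUs, and
     *  taking the first hit would bind (and log in) the wrong entry. */
    static String findUserDn(DirContext ctx, String username) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"mail", "sn", "givenName", "telephoneNumber"});
        String filter = "(" + ID_FIELD + "=" + escapeFilterValue(username) + ")";
        NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, controls);
        try {
            if (!results.hasMore()) return null;          // unknown user
            SearchResult first = results.next();
            if (results.hasMore()) return null;           // ambiguous cn, refuse
            return first.getNameInNamespace();            // full DN of the entry
        } finally {
            results.close();
        }
    }

    /** True only if username resolves to one entry and password binds as it. */
    static boolean authenticate(String username, String password) {
        // An empty password must never reach the server: RFC 4513 allows a simple
        // bind with a DN and empty password to succeed as an *unauthenticated*
        // bind, and Active Directory behaves that way by default.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        String servicePassword = System.getenv("DSPACE_LDAP_BIND_PASSWORD"); // assumed variable name
        if (servicePassword == null || servicePassword.isEmpty()) return false;
        DirContext service = null, user = null;
        try {
            service = bind(SERVICE_DN, servicePassword);
            String userDn = findUserDn(service, username);
            if (userDn == null) return false;
            user = bind(userDn, password);                // second bind proves the password
            return true;
        } catch (NamingException e) {
            // Wrong password, bad service credentials and connection errors all land
            // here; log e.getMessage() server-side, report only "login failed" to the caller.
            return false;
        } finally {
            closeQuietly(user);
            closeQuietly(service);
        }
    }

    static void closeQuietly(DirContext ctx) {
        if (ctx == null) return;
        try { ctx.close(); } catch (NamingException ignored) { }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: LdapSearchThenBind <username> <password>");
            System.exit(2);
        }
        System.out.println(authenticate(args[0], args[1]) ? "login ok" : "login failed");
    }
}
```

Two things to keep in mind when adapting this: the plain `ldap://` URL on port 389 that the thread uses sends both the service password and the user's password in clear text, so in production the provider URL should be `ldaps://` or the connection upgraded with StartTLS; and the service account only needs read access to the user entries, so it should not be an admin account even though the thread calls it one. Matching on `cn` is what the quoted configuration does, but because `cn` is not guaranteed unique across OUs, the example refuses ambiguous matches instead of guessing; `sAMAccountName` or `userPrincipalName` are the usual unique choices on Active Directory.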