
Revision 8573

Minor edits on the new AuthFile features.

View differences:

docs/user/metacat/source/authinterface.rst
3 3
Metacat supports either an internal password file authentication or the use of LDAP 
4 4
as an external authentication mechanism.  It does this by supplying two classes 
5 5
(``AuthFile`` or ``AuthLDAP``) that implement authentication via a password file or 
6
an external LDAP server. You may choose the authentication mechanism during the configuration.
6
an external LDAP server. You may choose the authentication mechanism during initial configuration.
7 7

  
8
However, administrators have the choice of replacing the default classes with a different system for authentication because 
8
If neither of these choices is suitable for your deployment, a custom authentication mechanism can be built.
9 9
Metacat is written such that this Authentication provider is replaceable with 
10 10
another class that implements the same interface (``AuthInterface``). As 
11 11
an Administrator, you have the choice to provide an alternative implementation 
12 12
of ``AuthInterface`` and then configuring ``metacat.properties`` to use that 
13 13
class for authentication instead of LDAP or the internal password file.
14 14

  
15
Password File Based Authentication
15
File-Based Authentication
16 16
----------------------------------
17
This is the default authentication mechanism in Metacat release.  The password file
18
path can be specified during the configuration.  The Tomcat user should have the
19
write/read permission to access the file.  The password file looks like:
17
This is the default authentication mechanism in Metacat. The password file
18
path can be specified during initial configuration. The Tomcat user should have 
19
write/read permission to access the file. The password file follows this form:
20 20

  
21 21
::
22 22

  
23
<?xml version="1.0" encoding="UTF-8"?>
24
<subjects>
25
<users>
26
<user dn="uid=john,o=NCEAS,dc=ecoinformatics,dc=org">
27
<password>csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92</password>
28
<email>foo@foo.com</email>
29
<surName>Smith</surName>
30
<givenName>John</givenName>
31
<organization>NCEAS</organization>
32
<memberof>cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org</memberof>
33
</user>
34
<user dn="uid=brand,o=NCEAS,dc=ecoinformatics,dc=org">
35
<password>$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC</password>
36
</user>
37
</users>
38
<groups>
39
<group name="cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org">
40
<description>Developers at NCEAS</description>
41
</group>
42
</groups>
43
</subjects> 
23
  <?xml version="1.0" encoding="UTF-8"?>
24
  <subjects>
25
  	<users>
26
		<user dn="uid=john,o=NCEAS,dc=ecoinformatics,dc=org">
27
			<password>csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92</password>
28
			<email>foo@foo.com</email>
29
			<surName>Smith</surName>
30
			<givenName>John</givenName>
31
			<organization>NCEAS</organization>
32
			<memberof>cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org</memberof>
33
		</user>
34
		<user dn="uid=brand,o=NCEAS,dc=ecoinformatics,dc=org">
35
			<password>$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC</password>
36
		</user>
37
	</users>
38
	<groups>
39
		<group name="cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org">
40
			<description>Developers at NCEAS</description>
41
		</group>
42
	</groups>
43
  </subjects> 
44 44

  
45 45
The format of the DN must look like uid=john,o=NCEAS,dc=ecoinformatics,dc=org.
46 46

  
47 47
The format of the group name must look like cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org.
48 48

  
49
The password stored in the file was hased by Bcrypt algorithm.  If you have the "-i" in the 
49
The password stored in the file is hashed using Bcrypt algorithm.  If you have the "-i" in the 
50 50
"useradd" or "usermod" commands when you run the command line utility (see the following section), 
51 51
you will be prompted to input the password and the utility will hash the password and store it in
52
the file. You may also get the hash of a password from any online tool, such as https://www.dailycred.com/blog/12/bcrypt-calculator (we
53
don't have any guaranty on the security of those tools), then use the "-h" to pass the hashed password to the file by the utility.
52
the file. You may also get the hash of a password from any online tool, 
53
such as https://www.dailycred.com/blog/12/bcrypt-calculator (we don't have any guaranty on the security of those tools), 
54
then use the "-h" to pass the hashed password to the file by the utility.
54 55

  
55 56

  
56 57
Utility for Password File Based Authentication
57 58
----------------------------------------------
58
You can edit the password file manually.  We also developed a command line utility 
59
to help the administrator to manage users and groups. The file locates at $METACAT/WEB-INF/scripts/bash/authFileManager.sh.
59
You can edit the password file manually or use Metacat's command line utility 
60
for managing users and groups. The utility is located in the deployed Metacat webapp::
60 61

  
62
  $METACAT/WEB-INF/scripts/bash/authFileManager.sh.
63

  
61 64
You must be in the directory - $METACAT/WEB-INF/scripts/bash/ to run the file::
62 65

  
63 66
  cd $METACAT/WEB-INF/scripts/bash/ 
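Review bot: new lines 52-54 still steer administrators toward pasting a password into a third-party web page ("any online tool, such as https://www.dailycred.com/blog/12/bcrypt-calculator"), which discloses the cleartext password to that site; since the same paragraph already documents the interactive "-i" prompt that hashes locally, make "-i" the recommended path and drop or demote the online-tool suggestion, or at least say the hash should be produced by a tool run on the administrator's own machine ("guaranty" on line 53 should also read "guarantee"). Two smaller points in this hunk: the first example user's `<password>` value on line 27 (`csilPspP...`) lacks the `$2a$10$` prefix that the second entry on line 35 carries and that the "hashed using Bcrypt algorithm" sentence implies, so a reader copying the format may store a non-bcrypt value via `-h`; and the re-indented literal block mixes a two-spaces-plus-tab line (line 25, `<users>`) with tab-only lines, which renders unevenly once docutils expands tabs, so indent with spaces only. Since the file holds credential hashes, the sentence "The Tomcat user should have write/read permission to access the file" (lines 18-19) would benefit from adding that no other account should be able to read it.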
......
72 75

  
73 76
Usage of the utility:
74 77

  
75
./authFileManager.sh useradd -i -dn user-distinguish-name -g group-name -e email-address -s surname -f given-name -o organizationName 
78
./authFileManager.sh useradd -i -dn <user-distinguish-name> [-g <group-name> -e <email-address> -s <surname> -f <given-name> -o <organizationName>] 
76 79

  
77
./authFileManager.sh useradd -h hashed-password -dn user-distinguish-name -g group-name -e email-address -s surname -f given-name -o organizationName 
80
./authFileManager.sh useradd -h <hashed-password> -dn <user-distinguish-name> [-g <group-name> -e <email-address> -s <surname> -f <given-name> -o <organizationName>]
78 81

  
79
./authFileManager.sh groupadd -g group-name -d description 
82
./authFileManager.sh groupadd -g <group-name> [-d <description>] 
80 83

  
81
./authFileManager.sh usermod -password -dn user-distinguish-name -i 
84
./authFileManager.sh usermod -password -dn <user-distinguish-name> -i 
82 85

  
83
./authFileManager.sh usermod -password -dn user-distinguish-name -h new-hashed-password 
86
./authFileManager.sh usermod -password -dn <user-distinguish-name> -h <new-hashed-password> 
84 87

  
85
./authFileManager.sh usermod -group -a -dn user-distinguish-name -g added-group-name 
88
./authFileManager.sh usermod -group -a -dn <user-distinguish-name> -g <added-group-name> 
86 89

  
87
./authFileManager.sh usermod -group -r -dn user-distinguish-name -g removed-group-name 
90
./authFileManager.sh usermod -group -r -dn <user-distinguish-name> -g <removed-group-name> 
88 91

  
89 92

  
90
Note:
91

  
92
1. Metacat currently uses Bcrypt algorithm to hash the password. The hashed password following the "-h" should be generated by a Bcrypt algorithm.
93
  The hash string usually has $ signs which messes the command line arguments. You should use two SINGLE quotes to wrap the entire hashed string.
94
2. The user-distinguish-name must look like "uid=john,o=something,dc=something,dc=something" and the group-name must look like "cn=dev,o=something,dc=something,dc=something".
95
3. if a value of an option has spaces, the value should be enclosed by the double quotes.
93
.. Note:: 
94
  
95
  Metacat currently uses Bcrypt algorithm to hash the password. The hashed password following the "-h" should be generated by a Bcrypt algorithm. 
96
  The hash string usually contains $ signs which can interfere with the command line arguments. You should use two SINGLE quotes to wrap the entire hashed string.
97
  
98
  The <user-distinguish-name> must look like "uid=john,o=something,dc=something,dc=something" and the group-name must look like "cn=dev,o=something,dc=something,dc=something".
99
  
100
  If an option value has spaces, the value should be enclosed in double quotes.
96 101
  For example: ./authFileManager.sh groupadd -g cn=dev,o=something,dc=something,dc=something -d "Developers at NCEAS"
97
4. "-d description" in the "groupadd" command is optional; "-g groupname -e email-address -s surname -f given-name -o organizationName" in the "useradd" command are optional as well.
102
  
103
  The "-d <description>" option in the "groupadd" command is optional; 
104
  "-g <groupname> -e <email-address> -s <surname> -f <given-name> -o <organizationName>" in the "useradd" command are optional as well.
98 105

  
99
LDAP Based Authentication
106
LDAP-Based Authentication
100 107
----------------------------------
101
Before the Metacat 2.4.0 release, the LDAP was the default authentication mechanism. It 
102
used the NCEAS LDAP server by default.  However, the server will be only accessible by the
103
trusted partners. If you are not on the list, you may use either the password file authentication
104
(for a small group of users) or set up a LDAP server by yourself (for a big group of users).
108
Before the Metacat 2.4.0 release, LDAP was the default authentication mechanism and was configured to use 
109
the NCEAS LDAP server. We are now restricting access to the server to only trusted partners who can 
110
guarantee secure communication with their clients and the LDAP server. 
111
If you are not on the list, you can contact us for more information or you may use the password file authentication
112
(for a small group of users) or set up your own LDAP server (for a big group of users).
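Review bot: the bracket grouping in the new usage lines 78 and 80, `[-g <group-name> -e <email-address> -s <surname> -f <given-name> -o <organizationName>]`, reads as "all five or none", while the note at lines 103-104 says each of these options is optional on its own; bracket them individually (`[-g <group-name>] [-e <email-address>] [-s <surname>] [-f <given-name>] [-o <organizationName>]`). Line 98 now writes `<user-distinguish-name>` in angle brackets but leaves "group-name" bare; use `<group-name>` for consistency with the usage lines. Throughout the hunk "distinguish-name" should be "distinguished-name", the LDAP term the DN format on line 98 refers to.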
docs/user/metacat/source/configuration.rst
45 45
algorithm to locate it. If Metacat cannot identify a backup directory, you will 
46 46
see the Backup Directory Configuration screen.
47 47

  
48
NOTE: If the metacat.properties file has many custom settings, it should be manually 
49
backed up before any Metacat upgrade as deploying a new Metacat war file will overwrite
50
the existing file.
48
.. Note:: 
49
  
50
  If the metacat.properties file has many custom settings, it should be manually 
51
  backed up before any Metacat upgrade as deploying a new Metacat war file will overwrite
52
  the existing file.
51 53

  
52 54
.. figure:: images/screenshots/image011.png
53 55
   :align: center
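Review bot: the condition "If the metacat.properties file has many custom settings" on new line 50 understates the risk the note warns about: deploying a new war file overwrites the file whether it carries one customization or many, so recommend a manual backup before any upgrade whenever the file has been edited ("If you have customized metacat.properties, back it up manually before ..."). Minor: wrap ``metacat.properties`` in double backticks as this documentation does for ``AuthInterface``, and the whitespace-only line 49 inside the directive can be an empty line.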
......
62 64
  
63 65
  http://<your_context_url>/admin
64 66

  
65
Metacat uses either an internal password file or LDAP as its primary authentication mechanism.
67
Metacat uses either an internal password file or LDAP as its authentication mechanism.
66 68
You can choose the authentication mechanism by selecting either AuthFile or AuthLdap class.
67
We will only allow the trusted partners to access the NCEAS LDAP Server.
69
We will only allow trusted partners to access the NCEAS LDAP server to ensure the security of our user base.
68 70
If you are not in the trusted partner list, you may choose the internal password file authentication 
69 71
or set up your own LDAP server. You also can define your own authentication mechanism by creating a Java 
70 72
class that implements ``AuthInterface``.
71 73

  
72 74
Required configuration values for the password file authentication are:
73
Authentication Class,  Metacat Administrators, Users Management URL and Password File Path.
74 75

  
75
Required configuration values for LDAP authentication are: Authentication Class, 
76
Metacat Administrators, Users Management URL, Authentication URL, and Authentication Secure URL. 
76
  ::
77
   
78
    Authentication Class
79
    Metacat Administrators
80
    Users Management URL
81
    Password File Path.
77 82

  
83
Required configuration values for LDAP authentication are:
84

  
85
  ::
86
   
87
    Authentication Class
88
    Metacat Administrators
89
    Users Management URL
90
    Authentication URL
91
    Authentication Secure URL. 
92

  
93

  
78 94
Make sure that your user account information is entered into the Metacat 
79 95
Administrators field (e.g., uid=daigle,o=nceas,dc=ecoinformatics,dc=org). You 
80
will not be allowed to continue with configuration if this is missing. 
96
will not be allowed to continue with configuration if this is missing. Multiple 
97
accounts can be entered, separated by the colon (:) character.
81 98

  
82
NOTE: 
99
.. Note:: 
100
  
101
  To create an account on the password file, please see the section called :doc:`authinterface`.
102
  To create an LDAP account on the KNB LDAP server (specified as the default LDAP server), 
103
  go to https://identity.nceas.ucsb.edu and select the "create a new user account" link.
83 104

  
84
1. To create an account on the password file, please see the section called :doc:`authinterface`. 
85

  
86
2. To create an LDAP account on the KNB LDAP server (specified as the default LDAP server), go to https://identity.nceas.ucsb.edu and select the "create a new user account" link.
87

  
88 105
If you make changes to the authentication settings, you must restart Tomcat to 
89 106
put them into effect.
90 107

  
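Review bot: the new literal blocks at lines 76-81 and 85-91 open with a `::` line indented two spaces beneath an unindented paragraph, which docutils parses as a block quote containing a literal block rather than a plain literal block; the rest of these docs use the trailing form (authinterface.rst ends its sentence with "to run the file::"), so end line 74 and line 83 with `::` and drop the standalone indented `::` lines. The trailing periods on "Password File Path." (line 81) and "Authentication Secure URL." (line 91) will render as part of the setting names inside a literal block; remove them. The addition at lines 96-97, "Multiple accounts can be entered, separated by the colon (:) character", is useful; consider showing two DNs joined by `:` so the separator is unambiguous, given that the DNs themselves contain commas and equals signs.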
