Metacat Authentication Mechanism
================================
Metacat supports either an internal password file or an external LDAP server as its
authentication mechanism. It does this by supplying two classes (``AuthFile`` and
``AuthLDAP``) that implement authentication against a password file or an external
LDAP server, respectively. You choose the authentication mechanism during initial
configuration.

If neither of these choices is suitable for your deployment, a custom authentication
mechanism can be built. Metacat is written such that the authentication provider is
replaceable with another class that implements the same interface (``AuthInterface``).
As an administrator, you can provide an alternative implementation of ``AuthInterface``
and then configure ``metacat.properties`` to use that class for authentication instead
of LDAP or the internal password file.

File-Based Authentication
----------------------------------
This is the default authentication mechanism in Metacat. The password file path can be
specified during initial configuration. The Tomcat user needs read and write permission
on the file. Because the file holds password hashes that can be attacked offline, no
other user should be able to read it; owning it by the Tomcat user with mode 0600 meets
both requirements. The password file follows this form:

::

  <?xml version="1.0" encoding="UTF-8"?>
  <subjects>
    <users>
      <user dn="uid=john,o=NCEAS,dc=ecoinformatics,dc=org">
        <password>$2a$10$csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92</password>
        <email>foo@foo.com</email>
        <surName>Smith</surName>
        <givenName>John</givenName>
        <organization>NCEAS</organization>
        <memberof>cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org</memberof>
      </user>
      <user dn="uid=brand,o=NCEAS,dc=ecoinformatics,dc=org">
        <password>$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC</password>
      </user>
    </users>
    <groups>
      <group name="cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org">
        <description>Developers at NCEAS</description>
      </group>
    </groups>
  </subjects>

The DN of a user must have the form ``uid=john,o=NCEAS,dc=ecoinformatics,dc=org``.

The name of a group must have the form ``cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org``;
a user's ``<memberof>`` element refers to a group by that name.

The password stored in the file is hashed with the bcrypt algorithm. A bcrypt hash is a
60-character string of the form ``$2a$10$...`` (version, two-digit cost, then 53 characters
of salt and digest); a ``<password>`` value that has lost that prefix will not verify. If you
pass ``-i`` to the ``useradd`` or ``usermod`` command of the command line utility (see the
following section), you will be prompted for the password and the utility will hash it and
store the hash in the file. This is the recommended way to set a password: the plaintext never
leaves the machine and never appears in your shell history. You may also compute the hash
elsewhere and pass it with ``-h``. Online bcrypt calculators such as
https://www.dailycred.com/blog/12/bcrypt-calculator exist, but submitting a password to a
third-party site discloses that password to the site (we make no guarantee about the security
of those tools), so prefer ``-i`` or a bcrypt implementation that you run locally.

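The format rules above can be checked mechanically before the file is put in front of Tomcat. The script below is an added example, not part of Metacat; it lints a password file against the rules stated in this section (user DN and group name shapes, a well-formed bcrypt string in every ``<password>``, ``<memberof>`` values that name a declared group, no duplicate DNs) and warns when the file is readable by anyone other than its owner. The minimum cost of 10, the ``lint_subjects.py`` file name and the two sample documents embedded in it are assumptions constructed for the example.

```python
"""Lint a Metacat password file (added example; not part of Metacat).

Checks the rules from the documentation: DN shapes, bcrypt-formatted
passwords, <memberof> values naming a declared group, no duplicate DNs,
and a file mode that keeps the hashes away from other users.
"""
import os
import re
import stat
import sys
import xml.etree.ElementTree as ET

# One uid, one o, then one or more dc components (uid=john,o=NCEAS,dc=ecoinformatics,dc=org).
USER_DN_RE = re.compile(r"^uid=[^,=]+,o=[^,=]+(?:,dc=[^,=]+)+$")
GROUP_DN_RE = re.compile(r"^cn=[^,=]+,o=[^,=]+(?:,dc=[^,=]+)+$")
# Modular-crypt bcrypt: $2a$ (or $2b$, $2x$, $2y$), two-digit cost, then 22 salt + 31 digest
# characters from bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumption for this example: the cost used by the sample file in the docs


def lint_subjects(xml_text: str) -> list[str]:
    """Return a list of findings for the password file content; empty means clean."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "subjects":
        return [f"root element is <{root.tag}>, expected <subjects>"]

    groups = set()
    for group in root.iterfind("./groups/group"):
        name = group.get("name")
        if name is None or not GROUP_DN_RE.match(name):
            findings.append(f"group name {name!r} is not of the form cn=...,o=...,dc=...")
        groups.add(name)

    seen_dns = set()
    for user in root.iterfind("./users/user"):
        dn = user.get("dn")
        if dn is None or not USER_DN_RE.match(dn):
            findings.append(f"user dn {dn!r} is not of the form uid=...,o=...,dc=...")
        if dn in seen_dns:
            findings.append(f"{dn}: duplicate user entry")
        seen_dns.add(dn)

        password = user.findtext("password") or ""
        match = BCRYPT_RE.match(password)
        if not match:
            # A value missing its $2a$NN$ prefix is the typical result of the shell
            # expanding the $ signs before the utility ever saw the hash.
            findings.append(f"{dn}: <password> is not a bcrypt hash ($2a$NN$ plus 53 chars)")
        elif int(match.group(1)) < MIN_COST:
            findings.append(f"{dn}: bcrypt cost {match.group(1)} is below {MIN_COST}")

        for member in user.iterfind("memberof"):
            if member.text not in groups:
                findings.append(f"{dn}: memberof {member.text!r} names no declared group")
    return findings


def permission_findings(path: str) -> list[str]:
    """Flag a password file that group or others can read, write or execute."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} is accessible to group/others; use chmod 600"]
    return []


# Constructed sample: the documented file, reduced to the checked elements.
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<subjects>
  <users>
    <user dn="uid=john,o=NCEAS,dc=ecoinformatics,dc=org">
      <password>$2a$10$csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92</password>
      <memberof>cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org</memberof>
    </user>
    <user dn="uid=brand,o=NCEAS,dc=ecoinformatics,dc=org">
      <password>$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC</password>
    </user>
  </users>
  <groups><group name="cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org"/></groups>
</subjects>
"""

# Constructed sample with two defects: a hash that lost its $2a$10$ prefix and a
# <memberof> pointing at a group that is never declared.
SAMPLE_BAD = """<?xml version="1.0" encoding="UTF-8"?>
<subjects>
  <users>
    <user dn="uid=john,o=NCEAS,dc=ecoinformatics,dc=org">
      <password>csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92</password>
      <memberof>cn=nceas-admin,o=NCEAS,dc=ecoinformatics,dc=org</memberof>
    </user>
  </users>
  <groups/>
</subjects>
"""

if __name__ == "__main__":
    # Usage: python lint_subjects.py /path/to/password-file.xml (file name is an assumption)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, encoding="utf-8") as fh:
            results = permission_findings(path) + lint_subjects(fh.read())
    else:
        results = lint_subjects(SAMPLE_BAD)
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Run it against the live file as the Tomcat user after every manual edit; a non-zero exit means at least one entry would fail to authenticate or the file is exposed to other accounts on the host.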
Utility for Password File Based Authentication
----------------------------------------------
You can edit the password file manually or use Metacat's command line utility for managing
users and groups. The utility is located in the deployed Metacat webapp::

  $METACAT/WEB-INF/scripts/bash/authFileManager.sh

You must be in the directory ``$METACAT/WEB-INF/scripts/bash/`` to run the script::

  cd $METACAT/WEB-INF/scripts/bash/

Before the first run, make the script executable::

  chmod u+x authFileManager.sh

Run the command as the owner of the script (``chmod u+x`` grants execute permission to the
owner only). That account must also have write permission on the password file, otherwise the
utility cannot save its changes::

  ./authFileManager.sh [options]

Usage of the utility::

  ./authFileManager.sh useradd -i -dn <user-distinguished-name> [-g <group-name> -e <email-address> -s <surname> -f <given-name> -o <organizationName>]

  ./authFileManager.sh useradd -h <hashed-password> -dn <user-distinguished-name> [-g <group-name> -e <email-address> -s <surname> -f <given-name> -o <organizationName>]

  ./authFileManager.sh groupadd -g <group-name> [-d <description>]

  ./authFileManager.sh usermod -password -dn <user-distinguished-name> -i

  ./authFileManager.sh usermod -password -dn <user-distinguished-name> -h <new-hashed-password>

  ./authFileManager.sh usermod -group -a -dn <user-distinguished-name> -g <added-group-name>

  ./authFileManager.sh usermod -group -r -dn <user-distinguished-name> -g <removed-group-name>


.. Note::

  Metacat currently uses the bcrypt algorithm to hash passwords, so the hashed password
  following ``-h`` must be a bcrypt hash. The hash string contains ``$`` signs, which the shell
  treats as variable references: an unquoted or double-quoted hash is silently mangled before
  the utility sees it. Wrap the entire hashed string in SINGLE quotes, for example
  ``-h '$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC'``.

  The <user-distinguished-name> must look like "uid=john,o=something,dc=something,dc=something"
  and the group name must look like "cn=dev,o=something,dc=something,dc=something".

  If an option value contains spaces, enclose the value in double quotes. For example::

    ./authFileManager.sh groupadd -g cn=dev,o=something,dc=something,dc=something -d "Developers at NCEAS"

  The "-d <description>" option of the "groupadd" command is optional; "-g <groupname>
  -e <email-address> -s <surname> -f <given-name> -o <organizationName>" in the "useradd"
  command are optional as well.

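The quoting rule in the note above can be seen directly, and the hash can be kept out of the shell history altogether. The script below is an added example, not part of Metacat or of ``authFileManager.sh``; it shows what a double-quoted hash is reduced to before the utility sees it, checks that a value has the shape of a bcrypt hash, and wraps the documented ``useradd -h`` invocation so that the hash is read from standard input rather than typed on the command line. The ``AUTHFILE_MANAGER`` variable, the function names and the sample hash (copied from the documentation's example file; not a real credential) are assumptions introduced for the example.

```sh
#!/bin/sh
# Added example, not part of Metacat: what the shell does to an unprotected bcrypt
# hash, and a wrapper that feeds authFileManager.sh a hash from stdin.

# Constructed sample hash taken from the documentation's example file; not a real credential.
SAMPLE_HASH='$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC'

# What the utility would receive if the hash were typed in double quotes (or unquoted):
# $2 and $1 are positional parameters (cleared here), $j8eG... is an unset variable name.
expand_as_the_shell_would() {
    eval "set --; printf '%s' \"$1\""
}

# Shape check for a modular-crypt bcrypt string: $2a$ (or $2b$/$2x$/$2y$), a two-digit cost,
# then 53 characters of bcrypt base64 (22 salt + 31 digest).
is_bcrypt() {
    printf '%s' "$1" | grep -Eq '^\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Read the hash from stdin (for example piped from a file with mode 0600), verify its shape,
# and hand it to the utility as one argument. A variable expansion in double quotes is not
# re-scanned for $ signs, so "$hash" arrives intact; only hashes typed literally on the
# command line need single quotes. AUTHFILE_MANAGER is an assumption for this example so the
# wrapper can be exercised without a Metacat deployment; it defaults to the documented script.
useradd_with_hash_from_stdin() {
    dn=$1
    shift
    IFS= read -r hash || return 1
    if ! is_bcrypt "$hash"; then
        echo "refusing: input is not a bcrypt hash (was it mangled by the shell?)" >&2
        return 2
    fi
    "${AUTHFILE_MANAGER:-./authFileManager.sh}" useradd -h "$hash" -dn "$dn" "$@"
}

# Stand-alone demonstration of the quoting problem.
printf 'typed in single quotes : %s\n' "$SAMPLE_HASH"
printf 'typed in double quotes : %s\n' "$(expand_as_the_shell_would "$SAMPLE_HASH")"
```

Typical use is ``printf '%s\n' "$(cat hash.txt)" | useradd_with_hash_from_stdin 'uid=john,o=NCEAS,dc=ecoinformatics,dc=org' -o NCEAS`` from the scripts directory; the wrapper refuses anything that does not look like a bcrypt hash, which is exactly what a shell-mangled value looks like.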
LDAP-Based Authentication
----------------------------------
Before the Metacat 2.4.0 release, LDAP was the default authentication mechanism and Metacat was
configured to use the NCEAS LDAP server. Access to that server is now restricted to trusted
partners who can guarantee secure communication between their clients and the LDAP server. If
you are not on that list, you can contact us for more information, or you may use password file
authentication (suited to a small group of users) or set up your own LDAP server (suited to a
large group of users).