[thredds] check LDAP authorization if UserDatabase authorization fails

Dear TDS-ers,

I use restricted-access catalogs and I need them to be available not only to 
some tomcat users defined in tomcat-users.xml, but also to people 
identified by a given LDAP server outside my organization (a server over which I 
have no control). 

Is it possible for TDS to have two sources of authorization used in a chain? I 
mean, if a user is not present in the UserDatabase he must be checked at 
the LDAP server before access is denied to him.

For me it would be OK if all LDAP-authorized users mapped to a single tomcat user 
(or to a couple of tomcat roles); in fact they all have the same rights 
on my datasets. 

I played around with Realms and added the following to server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionName="cn=cnname,dc=myserver,dc=com"
    connectionPassword="secret"
    connectionURL="ldap://address:389"
    alternateURL="ldap://address:389"
    userPattern="mail={0},ou=people,dc=myserver,dc=com"/>

It doesn't return errors (but I presume it overrides UserDatabase 
authentication, since no user in tomcat-users.xml works any more!), but how can 
I associate LDAP users with my tomcat user? Or how can I associate LDAP users 
with the tomcat roles I need (one being restrictedDatasetUser)?


The third question is: is it possible for thredds to have authentication 
independent of tomcat's?

Thank you very much for any help,
Ciao,
Emanuele Lombardi



Here are some pieces of my installation:

========================================
Catalog.xml: 
<datasetScan name="RITMARE"
  ID="IDdatascan" path="MYPATH"
  serviceName="all"  
  restrictAccess="accediRITMARE"
  location="content/ritmare/">

========================================
tomcat-users.xml :
<role rolename="accediRITMARE"/> 
<user username="ritmare" password="………" 
roles="accediRITMARE,restrictedDatasetUser"/>

========================================



-- 
Emanuele Lombardi
ENEA Casaccia
I-00123 Roma (RM)
tel. +39 0630483366
http://utmea.enea.it/people/lombardi
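One way to get the chained lookup the post asks about, as an added example that is not from the post or the TDS project: Tomcat's CombinedRealm tries its nested realms in order, so the stock UserDatabaseRealm keeps tomcat-users.xml working and only users it does not know fall through to the JNDIRealm, whose commonRole attribute (Tomcat 7 attribute names assumed) grants one fixed role to every directory user it authenticates. The host, URL scheme, group DN and group name below are assumptions.

```xml
<!-- Added example, not from the original post: chain the local UserDatabase
     and an external LDAP server. Host, DNs and group names are placeholders. -->
<Realm className="org.apache.catalina.realm.CombinedRealm">

  <!-- 1. Local accounts from tomcat-users.xml (Tomcat's default realm).
          Tried first, so the existing "ritmare" user keeps working. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <!-- 2. Fallback for users not found locally: the external directory.
          commonRole gives EVERY account that directory authenticates the
          restrictedDatasetUser role, i.e. everyone at the other organization
          passes the /restrictedAccess/* constraint; the dataset-specific role
          (accediRITMARE) is therefore taken from a directory group instead,
          so that access stays limited to members of that group. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.org:636"
         connectionName="cn=cnname,dc=myserver,dc=com"
         connectionPassword="secret"
         userPattern="mail={0},ou=people,dc=myserver,dc=com"
         commonRole="restrictedDatasetUser"
         roleBase="ou=groups,dc=myserver,dc=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>
  <!-- roleSearch: {0} is the authenticated user's DN; each matching group's
       cn becomes a Tomcat role, so an LDAP group named accediRITMARE maps
       directly onto restrictAccess="accediRITMARE" in the catalog. -->
</Realm>
```

connectionPassword sits in clear text in server.xml, so the file's read permissions matter as much as the directory bind account's privileges; ldaps (or startTLS on the directory side) keeps the user passwords that JNDIRealm forwards off the wire.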
