Due to the current gap in continued funding from the U.S. National Science Foundation (NSF), the NSF Unidata Program Center has temporarily paused most operations. See NSF Unidata Pause in Most Operations for details.
Due to the current gap in continued funding from the U.S. National Science Foundation (NSF), the NSF Unidata Program Center has temporarily paused most operations. See NSF Unidata Pause in Most Operations for details.
-------- Original-Nachricht --------Betreff: Re: [thredds] check LDAP authorization if UserDatabase authorization fails
Datum: Fri, 13 Jun 2014 09:29:50 +0200
Von: Hans Ramthun <ramthun@xxxxxxx>
An: emanuele.lombardi@xxxxxxx
Hallo Emanuele,
we at DKRZ have setup an alias which is used for all possible ldap servers.
I restriced data to a project available in ldap:
1. in server.xml:
<!-- LDAP authentification -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldaps://my_local_ldapa_server:636"
connectionName="cn=my_user,ou=Special Users,dc=adm"
connectionPassword="my_user_password"
userPattern="uid={0},ou=people,o=ldap,o=root"
roleBase="ou=group,o=ldap,o=root"
roleName="cn"
roleSearch="memberUid={1}"
/>
2. in projectCatalog.xml:
<datasetScan name="MY_NAME" ID="something"
path="dataEnhanced" location="/MY_PATH_TO_DATA"
harvest="true"
restrictAccess="my-project"
>
3. in ldap this is used as filter like: '(cn=my-project)'
I didn't try a second ldap in the server.xml (tomcat 7).
Thanks
Hans
Am 12.06.2014 15:26, schrieb emanuele lombardi:
Dear TDS-ers,
I use restrictedaccess catalogs and I need them to be available not only to
some tomcat users defined in tomcat-users.xml, but also to people
identified by a given LDAP server outside my organization (on which server I
have no control).
Is it possible for TDS to have two sources of authorization used in chain? I
mean if a user is not present in the UserDatabase he must be checked at
the LDAP server before denying access to him.
For me it would be OK if all LDAP authorized users map to a single tomcat user
(or to a couple of tomcat roles), in fact they all have the same rights
on my datasets.
I played around Realms and I added the following in server.xml :
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="cn=cnname,dc=myserver,dc=com"
connectionPassword="secret"
connectionURL="ldap://address:389";
alternateURL="ldap://address:389";
userPattern="mail={0},ou=people,dc=myserver,dc=com"/>
It doesn't return errors (but I presume it overrides Userdatabase
authentication, since no user in tomcat-users.xml works any more!) but how can I
associate LDAP users to my tomcat user? Or how can associate LDAP users to the
tomcat roles I need (one being restrictedDatasetUser) ?
The third question is: is it possible for thredds to have an authentication
independent from tomcat’s ?
Thank you very much for any help,
Ciao,
Emanuele Lombardi
Here some pieces of my installation:
========================================
Catalog.xml:
<datasetScan name="RITMARE"
ID="IDdatascan" path="MYPATH"
serviceName="all"
restrictAccess="accediRITMARE"
location="content/ritmare/">
========================================
tomcat-users.xml :
<role rolename="accediRITMARE"/>
<user username="ritmare" password="………"
roles="accediRITMARE,restrictedDatasetUser"/>
========================================
-- Hans Ramthun Tel.: +49 (0)40 460 094 - 112 Deutsches Klimarechenzentrum - DKRZ Abteilung Datenmanagement http://www.dkrz.de/ Bundesstr. 45a D-20146 Hamburg Germany „Only he who knows his destination finds the way.“ (Laozi)
thredds archives: