[thredds] command line access to restricted dataset when authentication is by LDAP

THREDDS 4.3.21 and TOMCAT  7.0.54

I set up my TDS to use a remote LDAP server for verifying users' credentials to 
allow people to access restricted datasets.
It works properly when using a web browser but it doesn't work when accessing the 
same dataset from the command line (ncdump, cdo or ferret) passing LDAP 
credentials in the URL.

Since I strongly need to allow dodsC service to command line LDAP authenticated 
users, 
can you help me please?

If you are still reading and you can spend your time with the problem, here are 
the details, followed by the related catalina.out messages.

First of all I must say that I verified that using standard tomcat-users.xml 
authentication (instead of LDAP) there are no problems and all works fine 
(from web browser and from command line).


To set up my LDAP authorized TDS I first renamed my thredds webapp to 
"medcordexh",
then I changed all things to be changed (catalog.xml, web.xml and 
tds.properties), 
then I added to server.xml the following code within <Host> and </Host>:

     <Context docBase="medcordexh" path="/medcordexh">
        <Realm className="org.apache.catalina.realm.JNDIRealm" 
               connectionURL="ldap://xxx.xxx.xxx.xxx"
               connectionName="cn=yyy,dc=yyyy,dc=yyyy,dc=yy"
               connectionPassword="mysecret"
               roleBase="ou=Group,dc=yyyy,dc=yyyy,dc=yy"
               roleName="groupId"
               roleSearch="(memberUid={2})"
               userPattern="mail={0},ou=People,dc=yyyy,dc=yyyy,dc=yy"
               userRoleAttribute="mail"
               roleSubtree="true"
               />
      </Context>

In this way the users authentication is made by the LDAP server.

In my catalog.xml I restricted the dataset access with
     restrictAccess="hymexCore"
where hymexCore is the groupId (defined in LDAP server) to which I want to 
allow access.
  

Once tomcat is restarted I can successfully access my datasets using the browser 
(in which case LDAP authentication works) but not by command line. To 
simplify we'll try to see the ascii representation of a test.nc file.


If I point my browser to 
https://utmea.enea.it:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?
then I'm asked for the LDAP credentials and they are successfully used to let me 
see the web page.


But if I use the same LDAP credentials in the next command
 wget 'https://XXXXXXXXX:XXXXX@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?'
I get the following error messages:

--2014-07-03 11:45:54--  
https://emanuele.lombardi%F40enea.it:*password*@utmea.enea.it:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?
Resolving utmea.enea.it... 192.107.77.41
Connecting to utmea.enea.it|192.107.77.41|:8290... connected.
WARNING: cannot verify utmea.enea.it's certificate, issued by 
`/C=it/ST=ITALY/L=ROMA/O=ENEA/OU=UTMEA/CN=utmea.enea.it':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://utmea.enea.it:8290/medcordexh/restrictedAccess/hymexCore 
[following]
--2014-07-03 11:45:54--  
https://utmea.enea.it:8290/medcordexh/restrictedAccess/hymexCore
Reusing existing connection to utmea.enea.it:8290.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.



Here follows the catalina.log for both the above examples: 

============================================================================================================================00
catalina.log of successful browser access:

Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii 
--> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii 
--> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii 
--> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii 
--> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   No applicable constraint located
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase hasRole
FINE: Username emanuele.lombardi@xxxxxxx has role hymexCore



============================================================================================================================00
catalina.log of unsuccessful wget command 
wget --no-check-certificate 
'https://emanuele.lombardi%f40enea.it:XXXXXX@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?'

Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   No applicable constraint located
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET /restrictedAccess/hymexCore 
--> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /restrictedAccess/hymexCore --> true
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET /restrictedAccess/hymexCore 
--> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' 
against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /restrictedAccess/hymexCore --> true
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access 
datasets]' against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
hasUserDataPermission
FINE:   User data constraint already satisfied
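
A way to compare the two catalina.log excerpts above without reading every line, as an added example that is not part of the original post: it rejoins the wrapped log records, lists which security constraint matched for each request path, and reports whether a role check was logged. The sample log is constructed in the shape of the excerpts, and the function names are this example's own.

```python
import re

# Constructed sample in the shape of the catalina.log excerpts in the post
# (records are wrapped across lines, as they are in the mail).
SAMPLE_LOG = """\
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE:   No applicable constraint located
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /restrictedAccess/hymexCore --> true
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
hasUserDataPermission
FINE:   User data constraint already satisfied
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M ")
CHECK = re.compile(r"Checking constraint 'SecurityConstraint\[(.+?)\]' "
                   r"against (\S+) (\S+) --> (true|false)")
ROLE = re.compile(r"Username (\S+) has role (\S+)")

def records(text):
    """Yield one whitespace-normalised string per timestamped log record."""
    rec = []
    for line in text.splitlines():
        if STAMP.match(line) and rec:
            yield " ".join(" ".join(rec).split())
            rec = []
        if line.strip():
            rec.append(line)
    if rec:
        yield " ".join(" ".join(rec).split())

def summarize(text):
    """Map each request path to the constraints that matched it, plus role checks."""
    matched, role_checks = {}, []
    for rec in records(text):
        m = CHECK.search(rec)
        if m:
            name, _method, path, hit = m.groups()
            hits = matched.setdefault(path, [])
            if hit == "true" and name not in hits:
                hits.append(name)
        r = ROLE.search(rec)
        if r:
            role_checks.append(r.groups())
    return {"matched": matched, "role_checks": role_checks}

def diagnose(text):
    """One-line verdict: was a role check logged, or only a constraint match?"""
    s = summarize(text)
    protected = [p for p, names in s["matched"].items() if names]
    if s["role_checks"]:
        return "role check logged: " + ", ".join("%s has %s" % rc for rc in s["role_checks"])
    if protected:
        return "constraint matched on %s but no role check logged" % ", ".join(protected)
    return "no constraint matched and no role check logged"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run over each excerpt separately: in the post's excerpts only the browser log contains a `has role` record, and only the wget log shows a constraint matching, on /restrictedAccess/hymexCore.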










