Re: [thredds] command line access to restricted dataset when authentication is by LDAP

To: <thredds@xxxxxxxxxxxxxxxx>
Subject: Re: [thredds] command line access to restricted dataset when authentication is by LDAP
From: "Antonio S. Cofiño" <antonio.cofino@xxxxxxxxx>
Date: Sat, 5 Jul 2014 11:34:05 +0200

Emanuele,

ncdump, cdo are based on the netcdf-c library (I'm not sure aboutferret). The netcdf-c library is possible that suffers from the sameproblem that wget when you are putting the authentication problem inthe URL, it is ignored when the request is forwarded to theauthentication URL. The netcdf-c library use the libcurl and it can beconfigured in a similar way like wget by a .dodsrc configuration file.

If the LDAP authentication is working with your browser it should bework also with client utilities, unless your configuration introduceanother layer.

I could check what is happening from the client side, but the server isdown. If you provide me with a temporal account, I could check what isthe problem


Regards

Antonio

--
Antonio S. Cofiño
Grupo de Meteorología de Santander
Dep. de Matemática Aplicada y
        Ciencias de la Computación
Universidad de Cantabria
http://www.meteo.unican.es

El 03/07/2014 14:50, emanuele lombardi escribió:

Thanks to Antonio for his very quick response.
Unfortunately the problem is neither the %F40 nor the wget switch.

infact if I comment out the <Context> containing the <Realm JNDIRealm> in 
server.xml
then the MemoryRealm is used (standard tomcat_users.xml credentials) and the 
following commands work all fine:

ncdump -h 
'https://XXXX:YYYYY@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc'
cdo info  
'https://XXXX:YYYYY@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc'
ferret
use  "https://XXXX:YYYYY@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc";

Of course XXXX:YYYYY are the tomcat_users.xml credentials

But if I place again the following code into server.xml (thus setting LDAP 
authentication)

     <Context docBase="medcordexh" path="/medcordexh">
       <Realm className="org.apache.catalina.realm.JNDIRealm"
                connectionURL="ldap://xxx.xxx.xxx.xxx";
                connectionName="cn=yyy,dc=yyyy,dc=yyyy,dc=yy"
                connectionPassword="mysecret"
                roleBase="ou=Group,dc=yyyy,dc=yyyy,dc=yy"
                roleName="groupId"
                roleSearch="(memberUid={2})"
                userPattern="mail={0},ou=People,dc=yyyy,dc=yyyy,dc=yy"
                userRoleAttribute="mail"
                roleSubtree="true"
        />
       </Context>

then nor ferret use, nor ncdump, nor cdo work anymore (with the proper LDAP 
credential, of course), while on the browser all it works (with the same
LDAP credentials)!

I also noticed a strange behaviour on the browser:

a) using MemoryRealm (tomcat-users.xml credentials) username & password are not 
requested for browsing directories but only when (and if) the user
accesses netcfd files

b) using JNDIrealm (LDAP credentials) username & password are requested at the 
very first access to any directory or netcdf file. This means that the
TDS is not browsable to unregistered users.


Thanks again for any help,
Emanuele

References:
- Re: [thredds] command line access to restricted dataset when authentication is by LDAP
  - From: emanuele lombardi

2014 messages navigation, sorted by:
1. Thread
2. Subject
3. Author
4. Date
5. ↑ Table Of Contents
Search the thredds archives: