€cdocutils.nodes document q)q}q(U nametypesq}q(Xldap-based authenticationqNX.utility for password file based authenticationqNX metacat authentication mechanismqNXfile-based authenticationq NuUsubstitution_defsq }q Uparse_messagesq ]q Ucurrent_sourceqNU decorationqNUautofootnote_startqKUnameidsq}q(hUldap-based-authenticationqhU.utility-for-password-file-based-authenticationqhU metacat-authentication-mechanismqh Ufile-based-authenticationquUchildrenq]qcdocutils.nodes section q)q}q(U rawsourceqUUparentqhUsourceqXg/var/lib/jenkins/jobs/Metacat_stable/workspace/METACAT_2_8_4/docs/user/metacat/source/authinterface.rstqUtagnameq Usectionq!U attributesq"}q#(Udupnamesq$]Uclassesq%]Ubackrefsq&]Uidsq']q(haUnamesq)]q*hauUlineq+KUdocumentq,hh]q-(cdocutils.nodes title q.)q/}q0(hX Metacat Authentication Mechanismq1hhhhh Utitleq2h"}q3(h$]h%]h&]h']h)]uh+Kh,hh]q4cdocutils.nodes Text q5X Metacat Authentication Mechanismq6…q7}q8(hh1hh/ubaubcdocutils.nodes paragraph q9)q:}q;(hXZMetacat supports either an internal password file authentication or the use of LDAP as an external authentication mechanism. It does this by supplying two classes (``AuthFile`` or ``AuthLDAP``) that implement authentication via a password file or an external LDAP server. You may choose the authentication mechanism during initial configuration.hhhhh U paragraphq(h5X¥Metacat supports either an internal password file authentication or the use of LDAP as an external authentication mechanism. It does this by supplying two classes (q?…q@}qA(hX¥Metacat supports either an internal password file authentication or the use of LDAP as an external authentication mechanism. It does this by supplying two classes (hh:ubcdocutils.nodes literal qB)qC}qD(hX ``AuthFile``h"}qE(h$]h%]h&]h']h)]uhh:h]qFh5XAuthFileqG…qH}qI(hUhhCubah UliteralqJubh5X or qK…qL}qM(hX or hh:ubhB)qN}qO(hX ``AuthLDAP``h"}qP(h$]h%]h&]h']h)]uhh:h]qQh5XAuthLDAPqR…qS}qT(hUhhNubah hJubh5X™) that implement authentication via a password file or an external LDAP server. You may choose the authentication mechanism during initial configuration.qU…qV}qW(hX™) that implement authentication via a password file or an external LDAP server. You may choose the authentication mechanism during initial configuration.hh:ubeubh9)qX}qY(hXçIf neither of these choices is suitable for your deployment, a custom authentication mechanism can be built. Metacat is written such that this Authentication provider is replaceable with another class that implements the same interface (``AuthInterface``). As an Administrator, you have the choice to provide an alternative implementation of ``AuthInterface`` and then configuring ``metacat.properties`` to use that class for authentication instead of LDAP or the internal password file.hhhhh h csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92 foo@foo.com Smith John NCEAS cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org $2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC Developers at NCEAS hh}hhh U literal_blockq–h"}q—(U xml:spaceq˜Upreserveq™h']h&]h$]h%]h)]uh+Kh,hh]qšh5X csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92 foo@foo.com Smith John NCEAS cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org $2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC Developers at NCEAS q›…qœ}q(hUhh”ubaubh9)qž}qŸ(hXNThe format of the DN must look like uid=john,o=NCEAS,dc=ecoinformatics,dc=org.q hh}hhh hh,hh]qÚh5X1$METACAT/WEB-INF/scripts/bash/authFileManager.sh.qÛ…qÜ}qÝ(hUhh×ubaubh9)qÞ}qß(hXOYou must be in the directory - $METACAT/WEB-INF/scripts/bash/ to run the file::qàhhÂhhh h [-g -e -s -f -o ]rhhÂhhh h [-g -e -s -f -o ]r…r}r(hjhjubaubh9)r}r(hX¥./authFileManager.sh useradd -h -dn [-g -e -s -f -o ]rhhÂhhh h -dn [-g -e -s -f -o ]r …r!}r"(hjhjubaubh9)r#}r$(hX@./authFileManager.sh groupadd -g [-d ]r%hhÂhhh h [-d ]r(…r)}r*(hj%hj#ubaubh9)r+}r,(hXE./authFileManager.sh usermod -password -dn -ir-hhÂhhh h -ir0…r1}r2(hj-hj+ubaubh9)r3}r4(hX[./authFileManager.sh usermod -password -dn -h r5hhÂhhh h -h r8…r9}r:(hj5hj3ubaubh9)r;}r<(hXX./authFileManager.sh usermod -group -a -dn -g r=hhÂhhh h(h$]h%]h&]h']h)]uh+KXh,hh]r?h5XX./authFileManager.sh usermod -group -a -dn -g r@…rA}rB(hj=hj;ubaubh9)rC}rD(hXZ./authFileManager.sh usermod -group -r -dn -g rEhhÂhhh h -g rH…rI}rJ(hjEhjCubaubcdocutils.nodes note rK)rL}rM(hXnMetacat currently uses Bcrypt algorithm to hash the password. The hashed password following the "-h" should be generated by a Bcrypt algorithm. The hash string usually contains $ signs which can interfere with the command line arguments. You should use two SINGLE quotes to wrap the entire hashed string. The must look like "uid=john,o=something,dc=something,dc=something" and the group-name must look like "cn=dev,o=something,dc=something,dc=something". If an option value has spaces, the value should be enclosed in double quotes. For example: ./authFileManager.sh groupadd -g cn=dev,o=something,dc=something,dc=something -d "Developers at NCEAS" The "-d " option in the "groupadd" command is optional; "-g -e -s -f -o " in the "useradd" command are optional as well.hhÂhhh UnoterNh"}rO(h$]h%]h&]h']h)]uh+Nh,hh]rP(h9)rQ}rR(hX0Metacat currently uses Bcrypt algorithm to hash the password. The hashed password following the "-h" should be generated by a Bcrypt algorithm. The hash string usually contains $ signs which can interfere with the command line arguments. You should use two SINGLE quotes to wrap the entire hashed string.rShjLhhh h must look like "uid=john,o=something,dc=something,dc=something" and the group-name must look like "cn=dev,o=something,dc=something,dc=something".r[hjLhhh h must look like "uid=john,o=something,dc=something,dc=something" and the group-name must look like "cn=dev,o=something,dc=something,dc=something".r^…r_}r`(hj[hjYubaubh9)ra}rb(hXÁIf an option value has spaces, the value should be enclosed in double quotes. For example: ./authFileManager.sh groupadd -g cn=dev,o=something,dc=something,dc=something -d "Developers at NCEAS"rchjLhhh h" option in the "groupadd" command is optional; "-g -e -s -f -o " in the "useradd" command are optional as well.rkhjLhhh h" option in the "groupadd" command is optional; "-g -e -s -f -o " in the "useradd" command are optional as well.rn…ro}rp(hjkhjiubaubeubeubh)rq}rr(hUhhhhh h!h"}rs(h$]h%]h&]h']rthah)]ruhauh+Kkh,hh]rv(h.)rw}rx(hXLDAP-Based Authenticationryhjqhhh h2h"}rz(h$]h%]h&]h']h)]uh+Kkh,hh]r{h5XLDAP-Based Authenticationr|…r}}r~(hjyhjwubaubh9)r}r€(hXàBefore the Metacat 2.4.0 release, LDAP was the default authentication mechanism and was configured to use the NCEAS LDAP server. We are now restricting access to the server to only trusted partners who can guarantee secure communication with their clients and the LDAP server. If you are not on the list, you can contact us for more information or you may use the password file authentication (for a small group of users) or set up your own LDAP server (for a big group of users).rhjqhhh h