Metacat Authentication Mechanism
================================

Metacat supports either an internal password file authentication or the use of LDAP as an external authentication mechanism. It does this by supplying two classes (``AuthFile`` or ``AuthLDAP``) that implement authentication via a password file or an external LDAP server. You may choose the authentication mechanism during initial configuration.

If neither of these choices is suitable for your deployment, a custom authentication mechanism can be built. Metacat is written such that the authentication provider is replaceable with another class that implements the same interface (``AuthInterface``). As an administrator, you can provide an alternative implementation of ``AuthInterface`` and then configure ``metacat.properties`` to use that class for authentication instead of LDAP or the internal password file.

File-Based Authentication
-------------------------

This is the default authentication mechanism in Metacat. The password file path can be specified during initial configuration. The Tomcat user must have read and write permission on the file; because the file holds the password hashes of every account, it should not be readable by other accounts on the host. The password file follows this form::

   csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92
   foo@foo.com
   Smith
   John
   NCEAS
   cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org
   $2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC
   Developers at NCEAS

The format of the DN must look like ``uid=john,o=NCEAS,dc=ecoinformatics,dc=org``.

The format of the group name must look like ``cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org``.

The password stored in the file is hashed with the bcrypt algorithm. If you pass ``-i`` to the ``useradd`` or ``usermod`` command of the command line utility (see the following section), you will be prompted for the password, and the utility will hash it and store the hash in the file. You may also obtain the bcrypt hash of a password from an online tool such as https://www.dailycred.com/blog/12/bcrypt-calculator (we make no guarantee about the security of those tools, which receive the cleartext password; the ``-i`` option hashes it locally instead) and then pass the hash to the utility with ``-h``.

Utility for Password File Based Authentication
----------------------------------------------

You can edit the password file manually or use Metacat's command line utility for managing users and groups. The utility is located in the deployed Metacat webapp::

   $METACAT/WEB-INF/scripts/bash/authFileManager.sh

You must be in the directory ``$METACAT/WEB-INF/scripts/bash/`` to run the file::

   cd $METACAT/WEB-INF/scripts/bash/

In order to run the file, you must make the file executable. The utility is invoked as follows::

   ./authFileManager.sh useradd -i -dn [-g -e -s -f -o ]

   ./authFileManager.sh useradd -h -dn [-g -e -s -f -o ]

   ./authFileManager.sh groupadd -g [-d ]

   ./authFileManager.sh usermod -password -dn -i

   ./authFileManager.sh usermod -password -dn -h

   ./authFileManager.sh usermod -group -a -dn -g

   ./authFileManager.sh usermod -group -r -dn -g

.. note::

   Metacat currently uses the bcrypt algorithm to hash passwords, so the hashed password following ``-h`` must be a bcrypt hash. The hash string usually contains ``$`` signs, which the shell would otherwise expand as variables and positional parameters, so wrap the entire hash in SINGLE quotes.

   The DN passed to ``-dn`` must look like ``uid=john,o=something,dc=something,dc=something`` and the group name passed to ``-g`` must look like ``cn=dev,o=something,dc=something,dc=something``.

   If an option value contains spaces, enclose the value in double quotes. For example::

      ./authFileManager.sh groupadd -g cn=dev,o=something,dc=something,dc=something -d "Developers at NCEAS"

   The ``-d`` (description) option of ``groupadd`` is optional; the ``-g -e -s -f -o`` options of ``useradd`` are optional as well.

LDAP-Based Authentication
-------------------------

Before the Metacat 2.4.0 release, LDAP was the default authentication mechanism, and Metacat was configured to use the NCEAS LDAP server. Access to that server is now restricted to trusted partners who can guarantee secure communication between their clients and the LDAP server. If you are not on that list, you can contact us for more information, use the password file authentication (suitable for a small group of users), or set up your own LDAP server (for a large group of users).
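The quoting problem described in the note of the password-file utility section above, worked through as an added example that is not part of Metacat or of ``authFileManager.sh``: it reproduces what the shell does to a bcrypt hash that is not single-quoted, validates the hash and DN before they are handed to ``useradd -h``, and prints the argument vector the utility would receive. It assumes the argument order ``useradd -h <hash> -dn <dn>`` shown in the usage lines; the sample hash is the one from the password file section, and the DN and group values are constructed copies of that file's entries.

```shell
#!/bin/sh
# Added example, not part of Metacat or of authFileManager.sh. Assumptions:
# argument order "useradd -h <hash> -dn <dn>" as in the usage lines of this page;
# the DN and group strings below are constructed from the sample password file.

# The sample hash from the password file section of this page (single-quoted,
# so the shell leaves every "$" alone).
SAMPLE_HASH='$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC'

# A bcrypt modular-crypt string is "$2a$" (or "$2b$"/"$2y$"), a two-digit cost,
# "$", then 22 base64 salt characters and 31 base64 hash characters (53 total).
BCRYPT_RE='^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'

# Succeed only if $1 is a well-formed bcrypt hash.
is_bcrypt_hash() {
    printf '%s\n' "$1" | grep -Eq "$BCRYPT_RE"
}

# Reproduce what happens when the hash is typed unquoted or in double quotes:
# "$2" and "$1" are (empty) positional parameters and "$j8eG..." is an unset
# variable name, so the shell silently replaces them with nothing.
mangled_by_shell() {
    hash=$1
    ( set -- ; eval "printf '%s' \"$hash\"" )
}

# Wrapper for the page's utility: refuses a malformed hash or DN, then either
# prints the argument vector one element per line (dry run, the default) or
# runs ./authFileManager.sh from $METACAT/WEB-INF/scripts/bash.
add_user_with_hash() {
    dn=$1
    hash=$2
    shift 2
    if ! is_bcrypt_hash "$hash"; then
        echo "refused: '$hash' is not a bcrypt hash (was it single-quoted?)" >&2
        return 1
    fi
    case "$dn" in
        uid=*,o=*,dc=*,dc=*) ;;
        *) echo "refused: DN '$dn' must look like uid=john,o=X,dc=Y,dc=Z" >&2
           return 1 ;;
    esac
    if [ "${AUTHFILE_DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' ./authFileManager.sh useradd -h "$hash" -dn "$dn" "$@"
    else
        ./authFileManager.sh useradd -h "$hash" -dn "$dn" "$@"
    fi
}

# Demonstration (dry run): the mangled hash is rejected, the quoted one passes.
echo "unquoted hash becomes: '$(mangled_by_shell "$SAMPLE_HASH")'"
add_user_with_hash 'uid=john,o=NCEAS,dc=ecoinformatics,dc=org' \
    "$(mangled_by_shell "$SAMPLE_HASH")" || echo "(rejected, as intended)"
add_user_with_hash 'uid=john,o=NCEAS,dc=ecoinformatics,dc=org' "$SAMPLE_HASH" \
    -g 'cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org' -o NCEAS
```

With the sample hash, ``mangled_by_shell`` returns ``a0``: everything after each ``$`` was treated as a parameter or variable and dropped, which is exactly what a ``useradd -h "$2a$10$..."`` invocation would write into the password file. The same format check also rejects a hash whose ``$2a$10$`` prefix was lost. Set ``AUTHFILE_DRY_RUN=0`` to run the real utility; as the section above requires, the script must be executable (``chmod +x authFileManager.sh``) and the working directory must be ``$METACAT/WEB-INF/scripts/bash/``.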