Metacat Authentication Mechanism
================================

Metacat supports either an internal password file or an external LDAP server as
its authentication mechanism. It does this by supplying two classes
(``AuthFile`` and ``AuthLDAP``) that implement authentication against a password
file or an external LDAP server respectively. You choose the authentication
mechanism during initial configuration.

If neither of these choices suits your deployment, a custom authentication
mechanism can be built. Metacat is written such that the authentication provider
is replaceable with another class that implements the same interface
(``AuthInterface``). As an administrator, you can provide an alternative
implementation of ``AuthInterface`` and then configure ``metacat.properties`` to
use that class for authentication instead of LDAP or the internal password file.
File-Based Authentication
-------------------------

This is the default authentication mechanism in Metacat. The password file path
can be specified during initial configuration. The Tomcat user needs read and
write permission on the file. No other account should be able to read it, since
it holds the password hashes of every local user; owning it by the Tomcat user
with mode ``600`` is the usual arrangement. The password file follows this form::
    <?xml version="1.0" encoding="UTF-8"?>
    <subjects>
      <users>
        <user dn="uid=john,o=NCEAS,dc=ecoinformatics,dc=org">
          <password>csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92</password>
          <email>foo@foo.com</email>
          <surName>Smith</surName>
          <givenName>John</givenName>
          <organization>NCEAS</organization>
          <memberof>cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org</memberof>
        </user>
        <user dn="uid=brand,o=NCEAS,dc=ecoinformatics,dc=org">
          <password>$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC</password>
        </user>
      </users>
      <groups>
        <group name="cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org">
          <description>Developers at NCEAS</description>
        </group>
      </groups>
    </subjects>

The format of the DN must look like ``uid=john,o=NCEAS,dc=ecoinformatics,dc=org``.

The format of the group name must look like ``cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org``.

The password stored in the file is hashed using the bcrypt algorithm. If you pass
``-i`` to the ``useradd`` or ``usermod`` command of the command line utility (see
the following section), you will be prompted for the password and the utility
will hash it and store the hash in the file. Alternatively, you can generate the
bcrypt hash yourself and pass it with ``-h``. Online bcrypt calculators exist
(for example https://www.dailycred.com/blog/12/bcrypt-calculator), but we make no
guarantee about the security of those tools: whatever you type into them is sent
to a third party. For a real account, prefer the ``-i`` prompt or a bcrypt
library running on a machine you control.
Utility for Password File Based Authentication
----------------------------------------------

You can edit the password file manually or use Metacat's command line utility
for managing users and groups. The utility is located in the deployed Metacat
webapp::

    $METACAT/WEB-INF/scripts/bash/authFileManager.sh

You must be in the directory ``$METACAT/WEB-INF/scripts/bash/`` to run the file::

    cd $METACAT/WEB-INF/scripts/bash/

In order to run the file, you must make it executable::

    chmod u+x authFileManager.sh

Run the command as the owner of the file (``chmod u+x`` grants execute
permission to the owner only)::

    ./authFileManager.sh [options]

Usage of the utility::

    ./authFileManager.sh useradd -i -dn <user-distinguish-name> [-g <group-name> -e <email-address> -s <surname> -f <given-name> -o <organizationName>]
    ./authFileManager.sh useradd -h <hashed-password> -dn <user-distinguish-name> [-g <group-name> -e <email-address> -s <surname> -f <given-name> -o <organizationName>]
    ./authFileManager.sh groupadd -g <group-name> [-d <description>]
    ./authFileManager.sh usermod -password -dn <user-distinguish-name> -i
    ./authFileManager.sh usermod -password -dn <user-distinguish-name> -h <new-hashed-password>
    ./authFileManager.sh usermod -group -a -dn <user-distinguish-name> -g <added-group-name>
    ./authFileManager.sh usermod -group -r -dn <user-distinguish-name> -g <removed-group-name>

.. note::

   Metacat currently uses the bcrypt algorithm to hash passwords, so the hashed
   password following ``-h`` must be generated by a bcrypt implementation. A
   bcrypt hash contains ``$`` signs, which the shell treats as variable or
   positional-parameter references and silently mangles; wrap the entire hash
   in single quotes (``'...'``) so it is passed through literally.

   The ``<user-distinguish-name>`` must look like
   ``uid=john,o=something,dc=something,dc=something`` and the group name must
   look like ``cn=dev,o=something,dc=something,dc=something``.

   If an option value contains spaces, enclose the value in double quotes. For
   example::

       ./authFileManager.sh groupadd -g cn=dev,o=something,dc=something,dc=something -d "Developers at NCEAS"

   The ``-d <description>`` option of the ``groupadd`` command is optional;
   ``-g <groupname> -e <email-address> -s <surname> -f <given-name> -o <organizationName>``
   in the ``useradd`` command are optional as well.
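The shell script below is an added example, not part of Metacat or of
``authFileManager.sh``. It makes the quoting rule in the note concrete: it
re-parses the ``uid=brand`` hash from the sample file the way the shell does
when the value is typed inside double quotes versus single quotes, and it
provides a guard you can put in front of the real ``useradd``/``usermod`` call so
that a mangled or non-bcrypt value is refused before it reaches the password
file. The bcrypt format check (``$2a$``, ``$2b$`` or ``$2y$`` prefix, two-digit
cost, 53 further characters) is this example's own rule; the script assumes a
POSIX ``sh`` and ``grep -E``.

```shell
#!/bin/sh
# Added example, not part of Metacat: shows why the bcrypt hash given to
# "authFileManager.sh ... -h" must be wrapped in single quotes, and guards
# against passing a mangled value.  Assumes a POSIX sh; the sample hash is
# the uid=brand entry from the password file shown above.

SAMPLE_HASH='$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC'

# Re-parse one command-line token the way the shell does when you type it.
# A fresh "sh -c" has no positional parameters and no variable named
# j8eGWJBE..., so in double quotes "$2a$10$j8eG..." collapses to "a0";
# in single quotes the hash survives untouched.
typed_in_double_quotes() { sh -c "printf '%s' \"$1\""; }
typed_in_single_quotes() { sh -c "printf '%s' '$1'"; }

# Exit 0 when $1 is a bcrypt string in modular-crypt form: $2a$/$2b$/$2y$
# prefix, two-digit cost, then 22 salt + 31 digest characters (53 total).
is_bcrypt_hash() {
    printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Put this in front of the real useradd/usermod call so a quoting accident
# is caught before a useless hash is written into the password file.
safe_to_pass() {
    if is_bcrypt_hash "$1"; then
        return 0
    fi
    echo "refusing: '$1' is not a bcrypt hash (check your quoting)" >&2
    return 1
}

demo() {
    dq=$(typed_in_double_quotes "$SAMPLE_HASH")
    sq=$(typed_in_single_quotes "$SAMPLE_HASH")
    echo "typed in double quotes the utility receives: $dq"
    echo "typed in single quotes the utility receives: $sq"
    safe_to_pass "$dq" || true
    safe_to_pass "$sq" && echo "ok, pass it as: -h '$sq'"
}

demo
```

Running the script prints ``a0`` for the double-quoted form, which is what the
utility would have stored as the user's "hash"; the guard rejects it, and accepts
the single-quoted form for use as ``-h '<hash>'``.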
LDAP-Based Authentication
-------------------------

Before the Metacat 2.4.0 release, LDAP was the default authentication mechanism
and was configured to use the NCEAS LDAP server. Access to that server is now
restricted to trusted partners who can guarantee secure communication between
their clients and the LDAP server. If you are not on the list, you can contact us
for more information, or you may use password file authentication (for a small
group of users) or set up your own LDAP server (for a large group of users).