Dear TDS-ers,
I use restrictedaccess catalogs and I need them to be available not only to
some tomcat users defined in tomcat-users.xml, but also to people
identified by a given LDAP server outside my organization (on which server I
have no control).
Is it possible for TDS to have two sources of authorization used in chain? I
mean if a user is not present in the UserDatabase he must be checked at
the LDAP server before denying access to him.
For me it would be OK if all LDAP authorized users map to a single tomcat user
(or to a couple of tomcat roles), in fact they all have the same rights
on my datasets.
I played around Realms and I added the following in server.xml :
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="cn=cnname,dc=myserver,dc=com"
connectionPassword="secret"
connectionURL="ldap://address:389";
alternateURL="ldap://address:389";
userPattern="mail={0},ou=people,dc=myserver,dc=com"/>
It doesn't return errors (but I presume it overrides Userdatabase
authentication, since no user in tomcat-users.xml works any more!) but how can
I
associate LDAP users to my tomcat user? Or how can associate LDAP users to the
tomcat roles I need (one being restrictedDatasetUser) ?
The third question is: is it possible for thredds to have an authentication
independent from tomcat’s ?
Thank you very much for any help,
Ciao,
Emanuele Lombardi
Here some pieces of my installation:
========================================
Catalog.xml:
<datasetScan name="RITMARE"
ID="IDdatascan" path="MYPATH"
serviceName="all"
restrictAccess="accediRITMARE"
location="content/ritmare/">
========================================
tomcat-users.xml :
<role rolename="accediRITMARE"/>
<user username="ritmare" password="………"
roles="accediRITMARE,restrictedDatasetUser"/>
========================================
--
Emanuele Lombardi
ENEA Casaccia
I-00123 Roma (RM)
tel. +39 0630483366
http://utmea.enea.it/people/lombardi
