Re: [thredds] command line access to restricted dataset when authentication is by LDAP

Emanuele,

ncdump and cdo are based on the netcdf-c library (I'm not sure about ferret). It is possible that the netcdf-c library suffers from the same problem as wget: when you put the authentication in the URL, it is ignored when the request is forwarded to the authentication URL. The netcdf-c library uses libcurl, and it can be configured in a similar way to wget through a .dodsrc configuration file.

If the LDAP authentication is working with your browser, it should also work with client utilities, unless your configuration introduces another layer.

I could check what is happening from the client side, but the server is down. If you provide me with a temporary account, I could check what the problem is.

Regards

Antonio

--
Antonio S. Cofiño
Grupo de Meteorología de Santander
Dep. de Matemática Aplicada y
        Ciencias de la Computación
Universidad de Cantabria
http://www.meteo.unican.es

On 03/07/2014 14:50, emanuele lombardi wrote:
Thanks to Antonio for his very quick response.
Unfortunately the problem is neither the %F40 nor the wget switch.

In fact, if I comment out the <Context> containing the <Realm JNDIRealm> in 
server.xml
then the MemoryRealm is used (standard tomcat_users.xml credentials) and the 
following commands work all fine:

ncdump -h 'https://XXXX:YYYYY@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc'
cdo info 'https://XXXX:YYYYY@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc'
ferret
use "https://XXXX:YYYYY@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc"

Of course XXXX:YYYYY are the tomcat_users.xml credentials

But if I place again the following code into server.xml (thus setting LDAP 
authentication)

     <Context docBase="medcordexh" path="/medcordexh">
       <Realm className="org.apache.catalina.realm.JNDIRealm"
                connectionURL="ldap://xxx.xxx.xxx.xxx"
                connectionName="cn=yyy,dc=yyyy,dc=yyyy,dc=yy"
                connectionPassword="mysecret"
                roleBase="ou=Group,dc=yyyy,dc=yyyy,dc=yy"
                roleName="groupId"
                roleSearch="(memberUid={2})"
                userPattern="mail={0},ou=People,dc=yyyy,dc=yyyy,dc=yy"
                userRoleAttribute="mail"
                roleSubtree="true"
        />
       </Context>

then neither ferret use, nor ncdump, nor cdo work anymore (with the proper LDAP 
credentials, of course), while in the browser it all works (with the same
LDAP credentials)!

I also noticed a strange behaviour on the browser:

a) using MemoryRealm (tomcat-users.xml credentials) username & password are not 
requested for browsing directories but only when (and if) the user
accesses netcdf files

b) using JNDIrealm (LDAP credentials) username & password are requested at the 
very first access to any directory or netcdf file. This means that the
TDS is not browsable to unregistered users.


Thanks again for any help,
Emanuele
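
The `.dodsrc` route mentioned in the reply above, as an added example that is not part of the original thread: a shell function that writes per-server credentials to an owner-only rc file so they do not have to be embedded in the dataset URL. `HTTP.CREDENTIALS.USERPASSWORD` and `HTTP.COOKIEJAR` are netcdf-c rc-file keys; the function name, host prefix, account and password are constructed placeholders, and the bracketed prefix form that is accepted is an assumption to check against the installed netcdf-c version.

```shell
#!/bin/sh
# Added example (not from the thread): keep netcdf-c credentials in an
# owner-only rc file instead of in the URL, where they end up in shell
# history, process listings and server logs.

# write_dodsrc RCFILE SERVER_PREFIX USER PASSWORD [COOKIEJAR]
#   SERVER_PREFIX is written inside [...] in front of each key so the
#   credentials apply to that server only (prefix form is an assumption).
write_dodsrc() {
    rcfile=$1 server=$2 user=$3 pass=$4
    jar=${5:-$HOME/.dods_cookies}

    # The rc format is one key=value per line: reject embedded newlines.
    case "$server$user$pass$jar" in
        *"
"*) echo "write_dodsrc: newline in argument" >&2; return 1 ;;
    esac
    # The value is user:password, so a colon in the user name is ambiguous.
    case "$user" in
        *:*) echo "write_dodsrc: colon in user name" >&2; return 1 ;;
    esac

    (
        # Restrict permissions before the secret is written, then move the
        # finished file into place so no world-readable copy ever exists.
        umask 077
        tmp="$rcfile.tmp.$$"
        {
            printf '[%s]HTTP.CREDENTIALS.USERPASSWORD=%s:%s\n' \
                "$server" "$user" "$pass"
            printf '[%s]HTTP.COOKIEJAR=%s\n' "$server" "$jar"
        } > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$rcfile"
    )
}

# Usage (constructed values; read the password from the terminal rather
# than typing it on a command line):
#   stty -echo; read -r pw; stty echo
#   write_dodsrc "$HOME/.dodsrc" "tds.example.org:8290" "user@example.org" "$pw"
#   ncdump -h 'https://tds.example.org:8290/medcordexh/dodsC/MEDCORDEX/test.nc'
```
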



