Child pages
  • Administrator's Guide - Authentication - 5.0.7

This space has moved to IU's Confluence.
It is located at https://uisapp2.iu.edu/confluence-prd/display/iulV3/


Administrator's Guide - Authentication


Overview

Authentication to connect to Variations can be done in a number of ways. Client connections send the username and password gathered from the user (DES encrypted) to Variations, which then performs a proxy login on the user's behalf using one of the supported protocols. Administrator and cron connections made on the server itself can use a special login that does not prompt for a password.

Supported Authentication Protocols

Server Configuration

Configuring authentication schemes requires only a few lines in dmlserver.xml. Each scheme consists of a protocol, a realm, and protocol-specific configuration. Each supported scheme is declared with an AuthenticationScheme tag, whose text content is the realm; the tag must have a protocol attribute and may optionally have a reportedhostname attribute. The protocol attribute can be set to pop, imap, cas, krb, or pam. The reportedhostname attribute is a string that replaces the realm when forming the Variations username (username@realm). The optional label attribute should be a human-readable string that is passed to clients to help users choose between the available realms for a given protocol.

Each protocol has specific attributes that can be set. If the protocol is pop or imap, the port and useSSL attributes can be set. For cas, loginurl is a URL prefix string that is appended to in order to form a valid CAS login URL. Kerberos (krb) login requires the loginContext attribute, which names a JAAS login context. This login context must be declared in jaas.config with the appropriate JAAS login module for your site.

Example Authentication Configuration in dmlserver.xml
<AuthenticationSchemes>
    <AuthenticationScheme protocol="pop" 
                          label="IU" 
                          port="110" 
                          useSSL="false">
        var3rhs.dhcp.indiana.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="pop" 
                          label="DLP" 
                          port="110" 
                          useSSL="false">
        taiko.dlib.indiana.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="imap" 
                          reportedhostname="iu.edu" 
                          port="993" 
                          useSSL="true">
        imap.iu.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="cas" 
                          loginurl="https://cas.iu.edu/cas/login?cassvc=DMLP">
        iu.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="krb" 
                          reportedhostname="iu.edu" 
                          loginContext="VariationsKerberosContextPasswordAuth">
        ads.iu.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="pam">
        iu.edu
    </AuthenticationScheme>
</AuthenticationSchemes>

Additional configuration will need to be done in jaas.config and krb5.conf for Kerberos authentication.
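The following is an added example, not part of Variations or its administrator's guide: a small Python checker that reads an AuthenticationSchemes fragment like the one above, verifies that each scheme carries the attributes the text describes for its protocol, derives the Variations username (username@realm, with reportedhostname replacing the realm when set), and flags pop/imap schemes whose proxy login runs without useSSL="true", since the server then forwards the user's password to the mail server without TLS. The input is a constructed copy of the page's example, and the mapping of protocols to required attributes is an assumption made for the check (the page lists the attributes but does not state which are mandatory).

```python
import xml.etree.ElementTree as ET

# Constructed input: a copy of the dmlserver.xml fragment shown in this guide,
# not read from a live server.
DMLSERVER_XML = """<AuthenticationSchemes>
    <AuthenticationScheme protocol="pop" label="IU" port="110" useSSL="false">
        var3rhs.dhcp.indiana.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="imap" reportedhostname="iu.edu" port="993" useSSL="true">
        imap.iu.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="cas" loginurl="https://cas.iu.edu/cas/login?cassvc=DMLP">
        iu.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="krb" reportedhostname="iu.edu"
                          loginContext="VariationsKerberosContextPasswordAuth">
        ads.iu.edu
    </AuthenticationScheme>
    <AuthenticationScheme protocol="pam">
        iu.edu
    </AuthenticationScheme>
</AuthenticationSchemes>"""

# Assumption: which attributes each protocol needs, taken from the guide's
# description of the per-protocol attributes.
REQUIRED_ATTRS = {
    "pop": ("port", "useSSL"),
    "imap": ("port", "useSSL"),
    "cas": ("loginurl",),
    "krb": ("loginContext",),
    "pam": (),
}

COMMON_ATTRS = ("protocol", "reportedhostname", "label")


def parse_schemes(xml_text):
    """Return one dict per AuthenticationScheme: protocol, realm (tag text),
    the optional common attributes, and the protocol-specific attributes."""
    root = ET.fromstring(xml_text)
    schemes = []
    for el in root.findall("AuthenticationScheme"):
        schemes.append({
            "protocol": el.get("protocol"),
            "realm": (el.text or "").strip(),
            "reportedhostname": el.get("reportedhostname"),
            "label": el.get("label"),
            "attrs": {k: v for k, v in el.attrib.items() if k not in COMMON_ATTRS},
        })
    return schemes


def variations_username(user, scheme):
    """Form username@realm; reportedhostname replaces the realm when present."""
    realm = scheme["reportedhostname"] or scheme["realm"]
    return f"{user}@{realm}"


def lint_schemes(schemes):
    """Return human-readable findings: unknown protocols, missing attributes,
    and proxy logins that would carry the user's password without TLS."""
    findings = []
    for s in schemes:
        proto, realm, attrs = s["protocol"], s["realm"], s["attrs"]
        if proto not in REQUIRED_ATTRS:
            findings.append(f"{realm}: unknown protocol {proto!r}")
            continue
        for name in REQUIRED_ATTRS[proto]:
            if name not in attrs:
                findings.append(f"{realm}: {proto} scheme is missing attribute {name!r}")
        if proto in ("pop", "imap") and attrs.get("useSSL", "").lower() != "true":
            findings.append(f"{realm}: {proto} proxy login without useSSL=\"true\" "
                            "forwards the user's password to the mail server without TLS")
        if proto == "cas" and not attrs.get("loginurl", "").startswith("https://"):
            findings.append(f"{realm}: cas loginurl does not use https")
    return findings


if __name__ == "__main__":
    parsed = parse_schemes(DMLSERVER_XML)
    for scheme in parsed:
        print(scheme["protocol"], "->", variations_username("jdoe", scheme))
    for finding in lint_schemes(parsed):
        print("WARN", finding)
```

Run against the guide's own example, the checker reports the pop scheme for var3rhs.dhcp.indiana.edu (port 110, useSSL="false") and stays silent on the imap scheme, which uses port 993 with useSSL="true"; the same script can be pointed at a real dmlserver.xml by replacing the constructed string with the file's contents.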

Client Configuration

The client only needs to set the dml.login.protocol property in its dml.conf. Client connections can bypass authentication if their session is still active and a cookie is present on the client's machine. For this behaviour, the dml.login.useCookie property must be set to true in dml.conf.

Example Authentication Configuration in dml.conf
dml.login.useCookie=true
dml.login.protocol=cas