Authentication

In this section you define the source against which the catlaog will authenticate users and passwords.

By default, users are authenticated against info held in the catalog database. When the catalog database is used as the authentication source, the user self-registration function can be enabled. A later section (see User Self-Registration) discusses user self-registration and the configuration options it requires.

You may choose to authenticate logins against either the catalog database tables or LDAP (the lightweight directory access protocol) or both. The next section describes how to authenticate against the different authentication providers:

In addition to either of these options, you may also configure other authentication sources. At present, Shibboleth is one additional authentication source that can be configured. Shibboleth is typically used for national access federations such as the Australian Access Federation. Configuring shibboleth authentication in the catalog to use such a federation would allow not only users from a local database or LDAP directory to use your installation, but any user from such a federation.

Authentication is using Spring Security framework and could support multiple authentication providers.

Authentication configuration is defined in WEB-INF/config-security.properties file. When making a change to that configuration file, the catalog need to be restarted to take parameters into account.

LDAP

Connection Settings

To enable LDAP support:

  1. add the LDAP base URL property in config-security.properties:

    # LDAP security properties
    ldap.base.provider.url=ldap://localhost:389
    ldap.base.dn=dc=fao,dc=org
    ldap.security.principal=cn=admin,dc=fao,dc=org
    ldap.security.credentials=ldap
    
    • ldap.base.provider.url: This tells the portal where the LDAP server is located. Make sure that the computer with the catalog can hit the computer with the LDAP server. Check to make sure that the appropriate ports are opened, etc.

    • ldap.base.dn=dc=fao,dc=org: this will usually look something like: “dc=organizationnamehere,dc=org”

    • ldap.security.principal & ldap.security.credentials: Define LDAP administrator user to use to bind to LDAP. If not define, an anonymous bind is made. Principal is the username and credentials property the password.

    • To verify that you have the correct settings, try to connect to the LDAP server using an LDAP browser application.

  2. define where to find users in LDAP structure for authentication:

    ldap.base.search.base=ou=people
    ldap.base.dn.pattern=uid={0},${ldap.base.search.base}
    #ldap.base.dn.pattern=mail={0},${ldap.base.search.base}
    
    • ldap.base.search.base: this is where the catalog will look for users (for authentication)

    • ldap.base.dn.pattern: this is the distinguished name for the user to bind with. {0} is replaced by the user name typed in the sign in screen.

  3. add the following import to config-security.xml:

    <import resource="config-security-ldap.xml"/>
    

Authorization Settings

When using LDAP, user information and privileges could be defined from the LDAP attributes.

User details

All user informations could be retrieved from the LDAP as defined in the config-security-overrides.properties. This property file defined for each user attribute in the catalog database which LDAP attributes match. If the attribute is empty or not defined, a default value could be defined. The configuration is the following:

# Map user information to LDAP attributes and default values
# ldapUserContextMapper.mapping[name]=ldap_attribute,default_value
ldapUserContextMapper.mapping[name]=cn,
ldapUserContextMapper.mapping[surname]=givenName,
ldapUserContextMapper.mapping[mail]=mail,data@myorganization.org
ldapUserContextMapper.mapping[organisation]=,myorganization
ldapUserContextMapper.mapping[kind]=,
ldapUserContextMapper.mapping[address]=,
ldapUserContextMapper.mapping[zip]=,
ldapUserContextMapper.mapping[state]=,
ldapUserContextMapper.mapping[city]=,
ldapUserContextMapper.mapping[country]=,

Privileges configuration

When using LDAP, user groups and user profiles could be set from LDAP information or not. To manage user privileges from the local database, set the ldap.privilege.import property in config-security.properties to false:

ldap.privilege.import=false

If LDAP information should be used to define user privileges, set it to true:

ldap.privilege.import=true

When importing privileges from LDAP, the catalog administrator could decide to create groups defined in the LDAP and not defined in local database. For this set the following property to true:

ldap.privilege.create.nonexisting.groups=false
Simple privileges configuration

In order to define which groups the user is member of and which profile is the user:

ldapUserContextMapper.mapping[privilege]=groups,sample
# If not set, the default profile is RegisteredUser
# Valid profiles are http://geonetwork-opensource.org/manuals/trunk/eng/developer/apidocs/geonetwork/org/fao/geonet/constants/Geonet.Profile.html
ldapUserContextMapper.mapping[profile]=privileges,RegisteredUser

Attributes configuration:

  • privilege attribute contains the group this user is member of. More than one group is allowed.

  • profile attribute contains the profile of the user

User valid profiles are:

  • Administrator

  • UserAdmin

  • Reviewer

  • Editor

  • RegisteredUser

  • Guest

Profile mapping configuration

If LDAP attribute containing profiles does not match the catalog profile list, a mapping could be defined in config-security-overrides.properties:

# Map LDAP custom profiles to catalog profiles. Not used if ldap.privilege.pattern is defined.
ldapUserContextMapper.profilMapping[Admin]=Administrator
ldapUserContextMapper.profilMapping[Editeur]=Reviewer
ldapUserContextMapper.profilMapping[Public]=RegisteredUser

For example, in the previous configuration, the attribute value Admin will be mapped to Administrator (which is a valid profile for the catalog).

Advanced privileges configuration

An attribute could define both the profile and the group for a user. To extract this information, a custom pattern could be defined to populate user privileges according to that attribute:

# In config-security-overrides.properties
ldapUserContextMapper.mapping[privilege]=cat_privileges,sample

# In config-security.properties
ldap.privilege.pattern=CAT_(.*)_(.*)
ldap.privilege.pattern.idx.group=1
ldap.privilege.pattern.idx.profil=2

The LDAP attribute can contains the following configuration to define the different type of users:

-- Define a catalog admin:
cat_privileges=CAT_ALL_Administrator

-- Define a reviewer for the group GRANULAT
cat_privileges=CAT_GRANULAT_Reviewer

-- Define a reviewer for the group GRANULAT and editor for MIMEL
cat_privileges=CAT_GRANULAT_Reviewer
cat_privileges=CAT_MIMEL_Editor

-- Define a reviewer for the group GRANULAT and editor for MIMEL and RegisteredUser for NATURA2000
cat_privileges=CAT_GRANULAT_Reviewer
cat_privileges=CAT_MIMEL_Reviewer
cat_privileges=CAT_NATURA2000_RegisterdUser

-- Only a registered user for GRANULAT
cat_privileges=CAT_GRANULAT_RegisteredUser

Synchronization

A synchronization task is taking care of removing LDAP user which may be deleted. For example:

  • T0: a user A sign in the catalog. A local user A is created in the user database

  • T1: A is deleted from the LDAP (A could not sign in in the catalog anymore)

  • T2: the synchronization task will check that all local LDAP users exist in LDAP:

    • if user is not owner of any records, it will be deleted

    • if user is owner of metadata records, warning message is avaialable on the catalog logging system. record’s owner should be changed to another user before the task could remove the user.

By default the task is runned once every day. Configuration could be changed in config-security.properties:

# Run LDAP sync every day at 23:30
ldap.sync.cron=0 30 23 * * ?

Debugging

If connection fails, try to increase logging for LDAP in log4j.cfg:

log4j.logger.geonetwork.ldap          = DEBUG
log4j.logger.org.springframework = DEBUG, console, jeeves
log4j.logger.org.springframework.* = DEBUG
log4j.logger.org.springframework.security.ldap = DEBUG

CAS

To enable CAS support:

  1. add the CAS base URL property in config-security.properties:

    cas.baseURL=https://localhost:8443/cas
    cas.ticket.validator.url=${cas.baseURL}
    cas.login.url=${cas.baseURL}/login
    cas.logout.url=${cas.baseURL}/logout?url=${geonetwork.https.url}/
    
  2. add the following import to config-security.xml:

    <import resource="config-security-cas.xml"/>
    <import resource="config-security-cas-ldap.xml"/>
    

Shibboleth authentication

When using either the GeoNetwork database or LDAP for authentication, you can also configure shibboleth to allow authentication against access federations.

../../_images/web-config-options-shibboleth.png

The Shibboleth configuration options

Shibboleth authentication requires interaction with Apache web server. In particular, the apache web server must be configured to require Shibboleth authentication to access the path entered in the configuration. The apache web server configuration will contain the details of the shibboleth server that works out where a user is located (sometimes called a ‘where are you from’ server).

The remainder of the shibboleth login configuration describes how shibboleth authentication attributes are mapped to GeoNetwork user database fields as once a user is authenticated against shibboleth, their details are copied to the local GeoNetwork database.

User Self-Registration

From Administration, system configuration, GeoNetwork has a self-registration function which allows a user to request a login which provides access to ‘registered-user’ functions. By default this capability is switched off. To configure this capability you must complete the following sections in the ‘System configuration’ menu:

  • configure the site name and organization name as these will be used in emails from this GeoNetwork site to newly registered users. An example of how to config these fields at the top of the system configuration form is:

../../_images/web-config-name-organization.png
  • configure feedback email address, SMTP host and SMTP port. The feedback email address will be sent an email when a new user registers and requests a profile other than ‘Registered User’. An example of how to config these fields in the system configuration form is:

../../_images/web-config-options-feedback.png
  • check the box, enable user self-registration in the Authentication section of the system configuration form as follows:

../../_images/web-config-authentication-self-registration-checked.png

When you save the system configuration form, return to the home page and log out as admin, your banner menu should now include two new options, ‘Forgot your password?’ and ‘Register’ (or their translations into your selected language) as follows:

../../_images/web-config-banner-with-self-registration.png

You should also configure the xml file that includes contact details to be displayed when an error occurs in the registration process. This file is localized - the english version is located in INSTALL_DIR/web/geonetwork/loc/en/xml/registration-sent.xml.

Finally, if you want to change the content of the email that contains registration details for new users, you should modify INSTALL_DIR/web/geonetwork/xsl/registration-pwd-email.xsl.