Stuart: Thank you. Yes, we do use IP authentication, VPN and ezProxy for our other web services. But wouldn't I still be forced to define each item in the Apache Config file that I want locked down? For instance if I wanted to lock down an item to Cornell, only, I would guess that I have to put in the statement:

    <Location /handle/1813/12345>
        Options Indexes FollowSymLinks ExecCGI
        AllowOverride All
        order allow,deny
        allow from 128.236.87.xxx
    </Location>

in the Apache config. Or am I missing something?

I will have to look at the Shibboleth authentication in DSpace. As a person who has been using DSpace since 1.0, it is hard to keep up with all the enhancements! ;-)

Thanks for the suggestions!

George Kozak
Digital Library Specialist
Division of Library Information Technologies (DLIT)
501 Olin Library
Cornell University
Ithaca, NY 14853
607-255-8924

-----Original Message-----
From: Stuart Lewis [mailto:[email protected]]
Sent: Thursday, March 11, 2010 3:44 PM
To: George Stanley Kozak
Cc: [email protected]
Subject: Re: [Dspace-tech] Authentication and Authorizations

Hi George,

Two thoughts come to mind:

- Can you use IP authentication for on-campus users, and do you have a VPN or ezProxy for off-campus access?

- CUWebAuth could probably be integrated OK, and could be done so in a similar way to how Shibboleth is with DSpace. You run Tomcat behind Apache, let Apache do the authentication when you visit e.g. /dspace/cuwebauth-login and then create a cuwebauth authentication class to get the user details from Apache (set in environment variables) to tell DSpace who is logged in.

Thanks,

Stuart Lewis
IT Innovations Analyst and Developer
Te Tumu Herenga The University of Auckland Library
Auckland Mail Centre, Private Bag 92019, Auckland 1142, New Zealand
Ph: 64 9 373-7599 x81928
http://www.library.auckland.ac.nz/

On 12/03/2010, at 9:19 AM, George Stanley Kozak wrote:

> Hi...
> Here at Cornell University, we are trying to figure out the best way to
> handle authentication in DSpace.
>
> Right now I am using DSpace's native authentication system for the majority
> of collections, but I have been asked to limit access on some collections to
> the Cornell Community.
> In those cases, I have been forced to use a locally
> developed software package called CUWebAuth (which is Kerberos based) because
> I am not allowed by our Security people to use LDAP except through the
> CUWebAuth application. CUWebAuth runs on Apache, uses permits and is
> directory-based, so I can lock items down by defining them in an Apache
> Config file (each item declared separately using
> "<Location /handle/xxx/xxx>"). You can imagine this is pretty cumbersome.
>
> I am curious if anyone in the DSpace Community has had a similar situation of
> limiting access to collections and/or items to a large group of individuals
> and how they may have done this.
>
> Thank you.
>
> George Kozak
> Digital Library Specialist
> Division of Library Information Technologies (DLIT)
> 501 Olin Library
> Cornell University
> Ithaca, NY 14853
> 607-255-8924
>
> _______________________________________________
> DSpace-tech mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
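
The arrangement Stuart describes, sketched as an added Apache configuration example (not taken from the thread, from DSpace or from CUWebAuth). Assumed: Apache 2.2 with mod_proxy_ajp, Tomcat's AJP connector on 127.0.0.1:8009, DSpace deployed at /dspace, and `CUWEBAUTH_PLACEHOLDER` standing in for whatever AuthType the CUWebAuth module actually registers.

```apache
# Added example; paths, port and AuthType name are assumptions (see lead-in).

# All DSpace traffic goes to Tomcat over AJP. Anonymous requests pass
# through untouched, so open collections keep working as before.
ProxyPass /dspace ajp://127.0.0.1:8009/dspace

# Apache authenticates on ONE login URL only, instead of one
# <Location /handle/xxx/xxx> block per restricted item.
<Location /dspace/cuwebauth-login>
    AuthType CUWEBAUTH_PLACEHOLDER
    Require valid-user
</Location>

# After a successful login Apache sets REMOTE_USER, and mod_proxy_ajp
# forwards it to Tomcat with the request. A hypothetical DSpace
# authentication class (not shown, not part of DSpace) would read it via
# HttpServletRequest.getRemoteUser() and tell DSpace who is logged in.
#
# Two settings on the Tomcat side decide whether that value can be trusted:
#   - the AJP <Connector> needs tomcatAuthentication="false", otherwise
#     Tomcat ignores the user name Apache passes along;
#   - the AJP <Connector> (and any direct HTTP connector) should listen on
#     127.0.0.1 only, so every request for /dspace has to come through
#     Apache and the identity cannot be supplied by a client directly.
```

With this layout the per-item decision moves out of the Apache config: which collections or items a logged-in user may read is decided inside DSpace, based on the identity Apache passed along.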

