Stuart:

THANK YOU!  I don't know why I didn't notice this before!!! As I said, the 
system has changed so much since I first installed in 2003, I have a hard time 
keeping up with all of the enhancements.  This may very well work for us!

George Kozak
Digital Library Specialist
Division of Library Information Technologies (DLIT)
501 Olin Library
Cornell University
Ithaca, NY 14853
607-255-8924


-----Original Message-----
From: Stuart Lewis [mailto:[email protected]] 
Sent: Friday, March 12, 2010 1:46 PM
To: George Stanley Kozak
Cc: [email protected]
Subject: RE: [Dspace-tech] Authentication and Authorizations

Hi George,

DSpace has its own IP authentication system. You can specify acceptable IP 
ranges in dspace.cfg, and map these to a group name. Then, if you have 
IPAuthentication as part of your authentication chain it will automatically 
join any matching users to that special group. You can then use that group in 
your authorizations - e.g. assign READ permissions to that group for the items 
/ collections / communities that you wish to protect. So you may still have to 
manage it manually, but you can do so without going outside of DSpace.

There are further in-depth details in the DSpace manual, and some useful 
information in the relevant dspace.cfg section.

Thanks,
 

Stuart Lewis
IT Innovations Analyst and Developer
Te Tumu Herenga The University of Auckland Library
Auckland Mail Centre, Private Bag 92019, Auckland 1142, New Zealand
Ph: 64 9 373-7599 x81928
http://www.library.auckland.ac.nz/
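
[Added example, not part of the original message and not DSpace's own code: a small Python check of which IP-mapped group a client address would fall into, for the range-to-group mapping in dspace.cfg described above. The authentication.ip.<GROUP> key form is assumed from DSpace 1.x; the group name and address ranges are constructed placeholders, and only full addresses and CIDR ranges are handled.]

```python
import ipaddress

# Constructed dspace.cfg fragment. The authentication.ip.<GROUP> key form is
# assumed from DSpace 1.x; the group name and ranges are placeholders.
SAMPLE_CFG = """\
# comment lines and unrelated keys are ignored
dspace.name = Example Repository
authentication.ip.Campus_Network = 192.0.2.0/24, \\
                                   198.51.100.17
"""

PREFIX = "authentication.ip."


def parse_ip_groups(cfg_text):
    """Return {group: [ip_network, ...]} from authentication.ip.* lines."""
    # Join backslash-continued lines the way Java properties files do.
    logical, buf = [], ""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    groups = {}
    for line in logical:
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(PREFIX):
            continue
        nets = [ipaddress.ip_network(r.strip(), strict=False)
                for r in value.split(",") if r.strip()]
        groups[key[len(PREFIX):]] = nets
    return groups


def special_groups(client_ip, groups):
    """Groups a session from client_ip would be joined to."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return []  # an unparseable address matches nothing
    return sorted(g for g, nets in groups.items()
                  if any(addr in n for n in nets))
```

[Running a few known on-campus and off-campus addresses through special_groups() before assigning READ to the group shows whether the ranges cover what was intended.]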

________________________________________
From: George Stanley Kozak [[email protected]]
Sent: Saturday, 13 March 2010 4:50 a.m.
To: Stuart Lewis
Cc: [email protected]
Subject: RE: [Dspace-tech] Authentication and Authorizations

Stuart:

Thank you.  Yes, we do use IP authentication, VPN and ezProxy for our other web 
services.  But wouldn't I still be forced to define each item in the Apache 
Config file that I want locked down?  For instance if I wanted to lock down an 
item to Cornell, only, I would guess that I have to put in the statement:

<Location /handle/1813/12345>
Options Indexes FollowSymLinks ExecCGI
AllowOverride All
order allow,deny
allow from 128.236.87.xxx
</Location>

in the Apache config.  Or am I missing something?

I will have to look at the Shibboleth authentication in DSpace.  As a person 
who has been using DSpace since 1.0, it is hard to keep up with all the 
enhancements! ;-)

Thanks for the suggestions!

George Kozak
Digital Library Specialist
Division of Library Information Technologies (DLIT)
501 Olin Library
Cornell University
Ithaca, NY 14853
607-255-8924


-----Original Message-----
From: Stuart Lewis [mailto:[email protected]]
Sent: Thursday, March 11, 2010 3:44 PM
To: George Stanley Kozak
Cc: [email protected]
Subject: Re: [Dspace-tech] Authentication and Authorizations

Hi George,

Two thoughts come to mind:

 - Can you use IP authentication for on-campus users, and do you have a VPN or 
ezProxy for off-campus access?

 - CUWebAuth could probably be integrated OK, and could be done so in a similar 
way to how Shibboleth is with DSpace. You run Tomcat behind apache, let apache do 
the authentication when you visit e.g. /dspace/cuwebauth-login and then create 
a cuwebauth authentication class to get the user details from apache (set in 
environment variables) to tell DSpace who is logged in.

Thanks,


Stuart Lewis
IT Innovations Analyst and Developer
Te Tumu Herenga The University of Auckland Library
Auckland Mail Centre, Private Bag 92019, Auckland 1142, New Zealand
Ph: 64 9 373-7599 x81928
http://www.library.auckland.ac.nz/


On 12/03/2010, at 9:19 AM, George Stanley Kozak wrote:

> Hi...
> Here at Cornell University, we are trying to figure out the best way to 
> handle authentication in DSpace.
>
> Right now I am using DSpace's native authentication system for the majority 
> of collections, but I have been asked to limit access on some collections to 
> the Cornell Community.  In those cases, I have been forced to use a locally 
> developed software package called CUWebAuth (which is Kerberos based) because 
> I am not allowed by our Security people to use LDAP except through the 
> CUWebAuth application.  CUWebAuth runs on Apache, uses permits and is 
> directory-based, so I can lock items down by defining them in an Apache 
> Config file (each item declared separately using "<Location 
> /handle/xxx/xxx>").  You can imagine this is pretty cumbersome.
>
> I am curious if anyone in the DSpace Community has had a similar situation of 
> limiting access to collections and/or items to a large group of individuals 
> and how they may have done this.
>
> Thank you.
>
> George Kozak
> Digital Library Specialist
> Division of Library Information Technologies (DLIT)
> 501 Olin Library
> Cornell University
> Ithaca, NY 14853
> 607-255-8924
>
> DSpace-tech mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
