Hi Tim,

thank you for that information, this explains perfectly why I'm having trouble trying to write to a collection using IP authentication.

I have tried what you described (being assigned to the administrator group for one IP address after logging in, independently from the specific user rights) - but unfortunately that does not work either. That scenario would fit my needs (of course it would be more comfortable by IP authentication, but I understand that is a possible security hole). So I guess it's really impossible to assign the Admin role to someone whose login data is not assigned to the Admin group.

I'll try solving that problem by investigating the LDAP-authentication a little bit more - all our users are authenticated via LDAP, if it's possible to assign ADMIN rights to some LDAP authenticated members, it would be sufficient. Otherwise I'll describe my use case more detailed in your ticketing system.

Thanks again for that information!

Best - Oliver

On 07.07.2014 17:03, Tim Donohue wrote:
> Hi Oliver,
>
> I suspect there may be an assumption in the "IP Authentication" plugin
> that you are using it for READ access rather than full ADMIN access.
>
> The reality here is that the "IP Authentication" plugin was built
> primarily for one use case -- to allow unauthenticated users *READ*
> access to restricted content, based on an IP range. For example, if
> you use DSpace in a Library, you could provide users at a Library
> computer full-access to materials, while requiring authentication at a
> non-Library computer.
>
> We never really anticipated using IP Authentication for non-READ
> access rights, as it could be considered a security hole. For example,
> if someone gained access to your computer (which has ADMIN rights via
> IP) or that IP was accidentally allocated to a different computer,
> then someone else could suddenly have the ability to delete all the
> content in your DSpace.
>
> So, ADMIN rights are much more tightly controlled and require some
> form of password.
>
> That being said, I suspect the following *MAY* work:
> (1) Setup IP Authentication on the ADMIN Group for a specific IP, e.g.
> 127.0.0.1
> (2) Have each of your Admins create an Account with DSpace. But, do
> NOT add them to the Administrator group.
> (3) Have them LOGIN (with their acct & password) from the IP address
> in #1 (e.g. 127.0.0.1). They should be automatically a member of the
> Administrator group, as they are logged in from the IP address in
> question.
>
> If this doesn't quite meet your needs, or work how you'd like it to,
> then I'd recommend creating a new Feature Request ticket which
> describes the use case(s) you need to meet. That way we can review how
> IP Authentication currently works, and decide whether we can enhance
> it to meet your use cases. Here's a link to our ticketing system:
>
> https://jira.duraspace.org/browse/DS/
>
> Also feel free to ask any followup questions here, if I've misunderstood!
>
> - Tim
>
> On 7/4/2014 3:16 AM, Oliver Goldschmidt wrote:
>> Hi,
>>
>> I have tested if IP auth is working for groups different to
>> Administrator group. I think it doesn't. That was my test scenario:
>>
>> - I have created TESTGROUP without any members
>> - I have created a collection TESTCOLLECTION, in which only TESTGROUP
>> can publish
>> - I have configured authentication-ip.cfg as follows:
>> ip.TESTGROUP = 134.x.y.z
>> - I restarted tomcat
>>
>> Now I would expect, coming from 134.x.y.z, to be authorized
>> automatically to publish in TESTCOLLECTION. But I am not allowed to do
>> that - I do not see a publish-here-button in TESTCOLLECTION.
>>
>> So I guess there is still something wrong either with my configuration
>> or in general.
>>
>> Any ideas how to debug that?
>>
>> Best regards
>> Oliver
>>
>> On 04.07.2014 09:31, Oliver Goldschmidt wrote:
>>> James,
>>>
>>> thank you for your reply.
>>> In dspace.log I can see that DSpace gets the correct IP address, but
>>> it does not work.
>>> I can see my IP address in dspace.log:
>>> 2014-07-04 09:27:14,809 INFO org.dspace.browse.BrowseEngine @
>>> anonymous:session_id=40D2B0A5B4C97XXXXXXXXXXXXXXXXXX:ip_addr=134.x.y.z:browse_mini:
>>>
>>> So I guess DSpace has the correct IP address, but IP authentication is
>>> still not working. I will try, if groups different to the
>>> Administrator group are working to check if that is the problem.
>>>
>>> Best regards
>>> Oliver
>>>
>>> On 04.07.2014 00:03, James Creel wrote:
>>>> I’ve never tried putting folks in the Administrator group with this
>>>> feature, but I don’t see why it would act differently, in which case
>>>> you seem to be configuring it correctly.
>>>>
>>>> In the past, I have had problems when DSpace saw an IP address that
>>>> was not what I thought it was. You can ascertain what IP address
>>>> DSpace is seeing by looking in the control panel -> current activity
>>>> or by looking at the dspace log.
>>>>
>>>> If you are behind a load balancer, etc, you also might try
>>>> setting useProxies = true in the dspace.cfg and make sure your
>>>> sysadmin is forwarding the original IPs.
>>>>
>>>> James Creel
>>>> Senior Lead Software Applications Developer
>>>> Texas A&M University Libraries Digital Initiatives
>>>> [email protected] <mailto:[email protected]>
>>>>
>>>> On Jul 3, 2014, at 1134, Oliver Goldschmidt <[email protected]
>>>> <mailto:[email protected]>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I have another problem. The IP authentication does not seem to work
>>>>> on my DSpace. I have configured it and added it to the
>>>>> Authentication modules in authentication.cfg. This worked and no
>>>>> error messages about that.
>>>>> But I do not see any effect. Not even a trace in dspace.log. I want
>>>>> some IP addresses to be recognized as Administrators.
>>>>> To do that I have put this into ip-authentication.cfg:
>>>>> ip.Administrator 134.x.y.z
>>>>>
>>>>> I have an Administrator group and thought, coming from IP 134.x.y.z
>>>>> would now be considered as an Administrator. But it's not. I have no
>>>>> options to publish something, to delete collections and so on.
>>>>> Everything looks exactly as if I did not log in. In dspace.log there
>>>>> is no note about the IP Authentication module. If I click on
>>>>> something requiring me to log in, I get the login window to choose
>>>>> how to login (I have also configured LDAP authentication and
>>>>> Password authentication, both work well).
>>>>>
>>>>> What am I missing? How can I make the IP auth module work properly?
>>>>>
>>>>> Best regards
>>>>> Oliver
>>>>>
>>>>> DSpace-tech mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/dspace-tech
>>>>> List Etiquette:
>>>>> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
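Added example, not part of the thread and not DSpace code: a small Python model of the two checks discussed above, which groups an `ip.<GROUP>` entry implies for a client address, and which address should be matched when a load balancer sits in front. The documentation-range addresses, the `trusted_proxies` allow-list and all function names are assumptions; only exact addresses and CIDR ranges are handled.

```python
import ipaddress
import re

# Constructed sample (both spellings from the thread); documentation ranges replace 134.x.y.z.
SAMPLE_CFG = """\
ip.TESTGROUP = 192.0.2.10
ip.Administrator 198.51.100.0/24
"""

def parse_ip_groups(text):
    """Return {group: [networks]} from properties-style 'ip.<GROUP>' lines."""
    groups = {}
    for line in text.splitlines():
        # Properties syntax: '=', ':' or plain whitespace separates key and value.
        m = re.match(r"\s*ip\.([^\s=:]+)\s*[=:\s]\s*(.+)", line)
        if m:
            nets = [ipaddress.ip_network(v.strip(), strict=False)
                    for v in m.group(2).split(",") if v.strip()]
            groups.setdefault(m.group(1), []).extend(nets)
    return groups

def effective_client_ip(remote_addr, x_forwarded_for, use_proxies, trusted_proxies):
    """Pick the address to match on. trusted_proxies is a hypothetical allow-list:
    the forwarded header is honoured only when the TCP peer is a known proxy."""
    peer = ipaddress.ip_address(remote_addr)
    if not use_proxies or not any(peer in n for n in trusted_proxies):
        return peer  # header is client-supplied text; ignore it
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):  # rightmost entries were appended by our proxies
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if not any(addr in n for n in trusted_proxies):
            return addr
    return peer

def groups_for(ip, groups):
    """Groups whose configured ranges contain ip (exact addresses and CIDR only)."""
    return sorted(g for g, nets in groups.items() if any(ip in n for n in nets))

def resolve(remote_addr, xff, use_proxies, proxies=("10.0.0.0/8",), cfg=SAMPLE_CFG):
    """Convenience wrapper: request details in, implied special groups out."""
    trusted = [ipaddress.ip_network(p) for p in proxies]
    ip = effective_client_ip(remote_addr, xff, use_proxies, trusted)
    return groups_for(ip, parse_ip_groups(cfg))

if __name__ == "__main__":
    for use_proxies in (False, True):  # balancer at 10.0.0.5 forwarding one client
        print(use_proxies, resolve("10.0.0.5", "198.51.100.7", use_proxies))
```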

