I’m attempting to configure OpenClinica to authenticate users against my Windows Domain, but leave the roles/authorization as-is within OpenClinica. Authentication is the only thing I would like to have happen through the domain.
So far, I’m doing this against Active Directory via LDAP. Here are the steps I’ve performed so far (running Tomcat 5.5 on Windows XP):
1 – I added a realm for LDAP authentication to my C:\tomcat5\conf\server.xml file
2 – I edited C:\tomcat5\server\webapps\manager\WEB-INF\web.xml to allow a certain Windows user group to access the Tomcat manager (not really specific to OpenClinica, I just wanted to list all steps in case this had an effect on anything else)
3 – Edited C:\tomcat5\webapps\OpenClinica\WEB-INF\web.xml to add an auth-constraint/role-name section for a Windows user group that contains my users.
4 – Edited C:\tomcat5\conf\Catalina\localhost\OpenClinica.xml and commented out the Postgres JDBC realm.
This seems to be basically working, but there are a few small quirks.
Whenever a user logs in to OpenClinica, it seems that OpenClinica still thinks it is managing their passwords. There is a persistent message in the side panel that says: “Welcome to OpenClinica, Eric Wyles. Your current password is set by system. For greater security, please change your password in your User Profile.” If the user goes to the Profile screen, it is confusing because they are prompted to enter their old password and enter a new password. It seems to be validating the old password against the password in the OpenClinica database, which is not the same password they are using to log in. And, even if they were able to successfully change it here, it wouldn’t really do anything because it would not change their Windows Domain password. It is just generally confusing.
Any advice on how to handle this? I’m fairly new to configuring the Tomcat security realms and even newer to OpenClinica specifically, so if there are any parts of my process that could be done in a better way please let me know.
The ideal end result I’m looking for is a configuration where the users can log on to OpenClinica with their Windows id and password, and once they are logged in I would prefer for them to not ever see any references to passwords in the OpenClinica screens.
This is version 2.2 of OpenClinica.
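For readers following the steps above, here is what the two container-side pieces (step 1's LDAP realm in server.xml and step 3's auth-constraint in the OpenClinica web.xml) typically look like on Tomcat 5.5 with a JNDIRealm pointed at Active Directory. This is an added illustration, not the poster's actual configuration or anything shipped by OpenClinica; the host name, base DNs, bind account, and the group name "OpenClinica Users" are constructed placeholders, and the attribute names are the standard Tomcat JNDIRealm ones. Note that this arrangement only moves the password check to the domain; as the post says, OpenClinica still keeps its own user records and roles, so a matching OpenClinica account is still needed for authorization.

```xml
<!-- 1. C:\tomcat5\conf\server.xml: place inside the <Engine> or <Host> element,
        replacing (or commented out alongside) the JDBC realm that points at Postgres.
        All DNs, host names and the bind account below are constructed placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc01.example.local:636"
       connectionName="CN=svc-tomcat-bind,OU=Service Accounts,DC=example,DC=local"
       connectionPassword="BIND_PASSWORD_PLACEHOLDER"
       userBase="OU=Users,DC=example,DC=local"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Groups,DC=example,DC=local"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />

<!-- 2. C:\tomcat5\webapps\OpenClinica\WEB-INF\web.xml: the role-name must match the
        cn of an AD group (roleName="cn" above) whose member attribute lists the users.
        "OpenClinica Users" is a placeholder group name. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OpenClinica</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>OpenClinica Users</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>OpenClinica Users</role-name>
</security-role>
```

Two practical points for anyone reproducing this: the `{0}` in `userSearch` is the login name the user typed, while the `{0}` in `roleSearch` is the distinguished name of the user entry that was found, which is why `member={0}` resolves AD group membership; and because `connectionPassword` sits in cleartext in server.xml, the bind account should be a low-privilege read-only account and the file should be readable only by the account Tomcat runs as. Using `ldaps://` rather than plain `ldap://` keeps the user's domain password off the wire.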