Authentication against Windows Domain - Questions

Hi,

I’m attempting to configure OpenClinica to authenticate users against my Windows Domain, but leave the roles/authorization as-is within OpenClinica. Authentication is the only thing I would like to have happen through the domain.

So far, I’m doing this against Active Directory via LDAP. Here are the steps I’ve performed so far (running Tomcat 5.5 on Windows XP):

1 – I added a realm for ldap authentication to my C:\tomcat5\conf\server.xml file
2 – I edited C:\tomcat5\server\webapps\manager\WEB-INF\web.xml to allow a certain windows user group to access the tomcat manager (not really specific to OpenClinica, I just wanted to list all steps in case this had an effect on anything else)
3 – Edited C:\tomcat5\webapps\OpenClinica\WEB-INF\web.xml to add an auth-constraint/role-name section for a windows user group that contains my users.
4 – Edited C:\tomcat5\conf\Catalina\localhost\OpenClinica.xml and commented out the postgres jdbc realm.

This seems to be basically working, but there are a few small quirks.

Whenever users log in to OpenClinica, it seems that OpenClinica still thinks it is managing their passwords. There is a persistent message in the side panel that says: “Welcome to OpenClinica, Eric Wyles. Your current password is set by system. For greater security, please change your password in your User Profile.” If the user goes to the Profile screen, it is confusing because they are prompted to enter their old password and enter a new password. It seems to be validating the old password against the password in the OpenClinica database which is not the same password they are using to log in. And, even if they were able to successfully change it here, it wouldn’t really do anything because it would not change their Windows Domain password. It is just generally confusing.

Any advice on how to handle this? I’m fairly new to configuring the tomcat security realms and even newer to OpenClinica specifically, so if there are any parts of my process that could be done in a better way please let me know.

The ideal end result I’m looking for is a configuration where the users can log on to OpenClinica with their Windows id and password, and once they are logged in I would prefer for them to not ever see any references to passwords in the OpenClinica screens.

This is version 2.2 of OpenClinica.
Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
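A concrete shape for steps 1, 3 and 4 above, added here as an illustration and not Eric's actual configuration: a Tomcat 5.5 JNDIRealm pointed at Active Directory, plus the web.xml constraint that maps an AD group to the role the OpenClinica descriptor names. The host name, DN bases, bind account and group name are assumed placeholders.

```xml
<!-- server.xml (inside <Engine> or the OpenClinica <Host>): takes the place of the
     JDBC realm commented out in step 4. Placeholders: dc01.example.corp, the DN
     bases, the bind account "svc-tomcat" and the AD group "OpenClinicaUsers". -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc01.example.corp:636"
       connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=corp"
       connectionPassword="BIND-PASSWORD-PLACEHOLDER"
       referrals="follow"
       userBase="OU=Users,DC=example,DC=corp"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Groups,DC=example,DC=corp"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"/>
<!-- ldaps:// keeps the service-account bind and every user's password off the wire
     in clear text; the domain controller's certificate must be in the JVM trust store.
     Give svc-tomcat read-only rights: the realm only ever searches, never writes.
     roleSearch="(member={0})" matches direct group membership only; a user who
     reaches OpenClinicaUsers through a nested group will be denied. -->

<!-- OpenClinica/WEB-INF/web.xml (step 3): only members of the AD group may reach
     the application; the role-name must equal the group's cn returned by roleName. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OpenClinica</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>OpenClinicaUsers</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>OpenClinica</realm-name>
</login-config>
<security-role>
  <role-name>OpenClinicaUsers</role-name>
</security-role>
```

This realm gates entry to the container only; the password stored in OpenClinica's own database is still what the Profile screen validates, which is exactly the mismatch the post describes.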

Comments

  • Tom Hickerson Posts: 449
    Hi Eric,

    In OpenClinica's properties directory, there is a file called datainfo.properties that should contain the necessary attributes you can change to make passwords 'invisible' to users.

    The tenth property in the file, change_passwd_required, can be set to 0; this will remove the notice you get below. The third property in the file, passwd_expiration_time, can be set for a large number, say 9999, so that users are not prompted to change their password over time (the number is the number of days).

    Hope this helps, let us know if you have further questions - Tom
  • ewyles Posts: 19
    Thanks, Tom.

    I’ll give it a shot.
    Sent: Wednesday, May 21, 2008 11:35 AM
    To: [email protected]
    Subject: RE: [Developers] Authentication against Windows Domain - Questions
    Sent: Tue 5/20/2008 12:50 AM
    To: [email protected]
    Subject: [Developers] Authentication against Windows Domain - Questions
  • ewyles Posts: 19
    Hey Tom,

    I think we might be talking about 2 different things. I did check my configuration and change_passwd_required is already set to 0. I wanted to clarify that the software isn’t actually requiring users to change their password. It is just putting a little nag note over on the side panel of the main menu, suggesting that they change their password and providing a link to the user profile.

    Once they go to the user profile, they won’t know the password that OpenClinica thinks is their password (their actual passwords are in ldap) so that will be confusing as well.

    I’m considering adding a configuration option that would completely hide any visible evidence of passwords, but I’m not sure if this is the right approach.