CycleServer supports a pluggable authentication system. It ships with support for the following:
- Built-in authentication (passwords are stored locally)
- LDAP-based authentication
- Active Directory authentication
Each method for authenticating is represented internally by an Application.Authenticator record.
When a user logs in, CycleServer authenticates them against the authentication method associated with their user record (set in AuthenticatedUser.Authentication). If no such method is set, CycleServer finds all active authenticator records and gives each one the credentials in turn. If one returns success, the credentials are considered valid.
Authenticator records support the following standard attributes:
The authenticator record will also typically have custom attributes (e.g., the LDAP server for an LDAP authenticator).
To use an authenticator with method XYZ, CycleServer looks for a plugin with Implements=Authenticator and AuthenticationMethod=XYZ. This plugin must implement the following method:
- authenticate(authenticator, user, credentials)
  Called to authenticate a set of credentials for the given user, using the given authenticator record.
  Returns one of true, false, or null, depending on whether the credentials are valid, are invalid, or this authenticator does not know about this user, respectively.
  If the authenticator has Test=true, then this is just being used to test the credentials and is not a full login.
  If this method throws an exception, it is treated as an error and the user cannot log in.
If there is more than one plugin that matches for a given authenticator, the one with the lowest Order attribute is used and the others are ignored.
The following plugin would authenticate by making an HTTP request against another website and checking the status code:

    from application import restclient

    def authenticate(authenticator, user, credentials):
        # Hostname is a custom attribute on the authenticator record
        hostname = authenticator.getAsString("Hostname")
        c = restclient.connection("https://%s" % hostname,
                                  username=credentials.getAsString("Name"),
                                  password=credentials.getAsString("Password"))
        response = c.request_get("/test_credential")
        if response.status() == 200:
            # The remote site accepted the credentials
            return True
        elif response.status() == 401:
            # The remote site rejected the credentials
            return False
        else:
            # Any other status is an error, so the user cannot log in
            raise RuntimeError("Could not authenticate successfully")

Then the record for this authenticator might be:

    AdType = "Application.Authenticator"
    Name = "prod_website"
    Method = "web"
    Hostname = "prod.example.com"

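The login flow and plugin contract described above, modelled in plain Python as an added example (this is not CycleServer's own code). The dict-based records, the `Active` key, matching `Authentication` against an authenticator's `Name`, and continuing past a `False` result are assumptions made for illustration.

```python
# Added model of the login flow described on this page; not CycleServer code.
# Records are plain dicts; "Active" and matching by Name are assumptions.
def pick_plugin(plugins, method):
    """Lowest-Order plugin with Implements=Authenticator for this method."""
    matches = [p for p in plugins if p["Implements"] == "Authenticator"
               and p["AuthenticationMethod"] == method]
    return min(matches, key=lambda p: p["Order"]) if matches else None

def login(user, credentials, authenticators, plugins):
    """True only when an authenticator plugin explicitly returns True."""
    assigned = user.get("Authentication")
    if assigned is not None:      # the user record names its authenticator
        candidates = [a for a in authenticators if a["Name"] == assigned]
    else:                         # otherwise try every active one in turn
        candidates = [a for a in authenticators if a.get("Active", True)]
    for auth in candidates:
        plugin = pick_plugin(plugins, auth["Method"])
        if plugin is None:
            continue              # no plugin for this method: nothing vouches
        try:
            result = plugin["authenticate"](auth, user, credentials)
        except Exception:
            return False          # an exception is an error: login is refused
        if result is True:
            return True
        # False (invalid) or None (user unknown): assumed to fall through
    return False

# Constructed sample plugins and authenticator records.
def ldap_unknown(authenticator, user, credentials):
    return None                   # this directory does not know the user

def builtin_check(authenticator, user, credentials):
    return credentials["Password"] == "s3cret"

def web_broken(authenticator, user, credentials):
    raise RuntimeError("Could not authenticate successfully")

def plug(method, order, fn):
    return {"Implements": "Authenticator", "AuthenticationMethod": method,
            "Order": order, "authenticate": fn}

PLUGINS = [plug("ldap", 10, ldap_unknown), plug("builtin", 5, builtin_check),
           plug("builtin", 20, lambda a, u, c: True),  # ignored: higher Order
           plug("web", 10, web_broken)]
AUTHS = [{"Name": "corp_ldap", "Method": "ldap"},
         {"Name": "local", "Method": "builtin"},
         {"Name": "prod_website", "Method": "web"}]
```

Only an explicit `True` admits the user: an unknown user, a rejected password, a missing plugin and a plugin error all end in a refused login.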
Authenticating with cURL
Q: How do I authenticate against CycleServer when using the curl utility?
A: Use the -u username:passwd option to curl:

    $ curl -u "username:passwd" 'http://CYCLE_SERVER/db'

Q: curl shows me an error when I try to use the https URL for CYCLE_SERVER:

    curl: (60) Peer certificate cannot be authenticated with known CA certificates
    More details here: http://curl.haxx.se/docs/sslcerts.html

A: If your cycle_server is using a self-signed certificate, you have to use the -k flag with curl, which skips verification of the server certificate:

    $ curl -k -u "username:passwd" 'https://CYCLE_SERVER/db'